🚀 Executive Summary

TL;DR: A developer faced a surprise $360 AWS Cognito bill due to “Advanced Security” (Compromised credential checking) being enabled, which is priced per event rather than per Monthly Active User. Solutions include immediately disabling the feature, implementing AWS Budgets and Cost Anomaly Detection for ongoing monitoring, or strategically migrating to cost-predictable alternatives like Supabase Auth.

🎯 Key Takeaways

  • AWS Cognito’s “Advanced Security” features, particularly “Compromised credential checking,” are priced per event (sign-ups, sign-ins, password changes), not per Monthly Active User (MAU), leading to rapid cost accumulation from high event volumes or bot attacks.
  • To stop immediate cost bleeding, disable “Advanced Security” in the Cognito User Pool settings by navigating to “App integration” and setting the level to “Off.”
  • For long-term cost control, implement AWS Budgets for specific services like Cognito and enable AWS Cost Anomaly Detection to receive automated alerts on unexpected spending spikes.
  • Consider migrating to alternative authentication services like Supabase Auth, Auth0, or Clerk for new projects or when Cognito’s pricing model is misaligned, as they often offer more predictable, user-based pricing and generous free tiers.
  • Always review the pricing pages for any AWS feature labeled “Advanced,” “Premium,” “Enhanced,” or “Enterprise” before enabling them, assuming nothing is free.

Paid $360 for Cognito in December — switching to Supabase Auth now

A surprise $360 AWS Cognito bill for “Advanced Security” is a common shock for developers. Learn the root cause and discover three practical solutions, from an immediate fix to a strategic migration to services like Supabase Auth.

That Time Cognito Sent Us a $360 Bill for a Side Project

I still remember the Slack message from one of my junior engineers, Alex. It was just a screenshot of the AWS Cost Explorer with a frantic “what is this?!” The graph for Cognito, usually a flat line near zero for our staging environment, had a massive spike. We were looking at a few hundred dollars for a service that was supposed to cost us pennies. It turned out Alex, trying to be proactive, had flipped a switch in the Cognito User Pool settings called “Advanced Security”. He thought, “more security is good, right?” And he wasn’t wrong, but he—and frankly, I—had missed the fine print. Seeing that Reddit thread about the user getting a $360 bill felt like looking in a mirror. It’s a classic “welcome to the cloud” moment.

The Root of the Problem: Not All Security is Free

So, what’s actually happening here? AWS Cognito is a fantastic service, but its pricing for the “Advanced Security” features can be a landmine if you’re not prepared. The Reddit user, and my engineer Alex, ran into the cost of Compromised credential checking.

Most people assume Cognito pricing is based on Monthly Active Users (MAUs). For the standard features, it is. But Advanced Security is priced differently. It’s priced per event. This includes events like:

  • Sign-ups
  • Sign-ins
  • Password changes

If you have a popular app or, more commonly, a service getting hit by bots trying to brute-force logins or run credential stuffing attacks, each of those failed attempts can trigger a “compromised credential check”. The cost adds up incredibly fast, and you end up paying AWS to fend off an attack that you might not have even known was happening. The bill is the first sign of trouble.

Darian’s Pro Tip: Before you enable any feature in AWS that has the word “Advanced,” “Premium,” “Enhanced,” or “Enterprise” in its name, open a new tab and find its pricing page. Read every single line, especially the examples. Assume nothing is free.

Solution 1: The Quick Fix (Stop the Bleeding)

The first thing to do when you’re bleeding money is to apply a tourniquet. In this case, it means disabling the feature that’s costing you. This is a tactical retreat, not a long-term strategy, but it’s essential.

How to Disable It:

  1. Navigate to your Cognito User Pool in the AWS Console.
  2. In the left-hand navigation, go to App integration.
  3. Scroll down to the Advanced security section.
  4. Click “Edit” and set the level to Off. You can also choose “Audit-only,” which will log potential risks without actively blocking users or incurring the highest costs, but “Off” is the only way to get the cost to zero.

This is a hacky, immediate fix. You’re reducing your security posture, but you’re also stopping a multi-hundred-dollar charge on what might be a simple CRUD app. For our `staging-auth-pool`, this was a no-brainer. We switched it off within minutes of finding the problem.
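The same switch flipped from code, as an added example that is not part of the original post. It assumes boto3 is installed and the caller may run DescribeUserPool and UpdateUserPool; the pool id and region are placeholders. The point worth seeing is the carry-over step: UpdateUserPool is not a partial update, so sending only the add-on setting would reset everything else in the pool to its defaults.

```python
# Fields that DescribeUserPool returns and UpdateUserPool also accepts (my
# list, trimmed to what I am confident about). Read-only fields such as Id,
# Arn, Name, CreationDate and SchemaAttributes must not be sent back.
UPDATABLE_FIELDS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "AccountRecoverySetting",
)


def build_update_params(pool: dict, mode: str = "OFF") -> dict:
    """Build the UpdateUserPool request from a DescribeUserPool result.

    UpdateUserPool is a full replace: any setting omitted from the call is
    reset to its default, so the current values are carried over here.
    """
    if mode not in ("OFF", "AUDIT", "ENFORCED"):
        raise ValueError(f"unknown AdvancedSecurityMode: {mode}")
    params = {k: pool[k] for k in UPDATABLE_FIELDS if k in pool}
    params["UserPoolId"] = pool["Id"]
    acuc = params.get("AdminCreateUserConfig")
    if acuc and "UnusedAccountValidityDays" in acuc:
        # Deprecated field that Cognito may reject when the password policy
        # already carries TemporaryPasswordValidityDays; drop it.
        params["AdminCreateUserConfig"] = {
            k: v for k, v in acuc.items() if k != "UnusedAccountValidityDays"}
    # AUDIT keeps evaluating (and billing) events; only OFF stops the charge.
    params["UserPoolAddOns"] = {"AdvancedSecurityMode": mode}
    return params


def disable_advanced_security(user_pool_id: str, region: str) -> str:
    """Read the pool, rewrite it with advanced security OFF, return new mode."""
    import boto3  # imported here so build_update_params needs no SDK to test
    idp = boto3.client("cognito-idp", region_name=region)
    pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    idp.update_user_pool(**build_update_params(pool, "OFF"))
    after = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    return after.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")


if __name__ == "__main__":
    # Placeholder pool id and region; substitute your own (e.g. staging-auth-pool).
    print(disable_advanced_security("us-east-1_EXAMPLE", "us-east-1"))
```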

Solution 2: The Permanent Fix (Monitor, Alert, and Understand)

A senior engineer doesn’t just fix the problem; they fix the *process* that led to the problem. The real issue wasn’t that Alex enabled a feature; it was that we had no guardrails to alert us when costs went wild.

Set Up AWS Budgets and Cost Anomaly Detection:

This is non-negotiable for any serious cloud project. You need to know when you’re about to get a nasty surprise.

  1. AWS Budgets: Create a budget for your account. You can set an overall budget (e.g., $500/month) but, more powerfully, you can set budgets for specific services. Create a “Cognito-Cost-Watch” budget for maybe $10/month. Set an alert threshold at 80%. The moment your Cognito bill hits $8, you and your team get an email.
  2. AWS Cost Anomaly Detection: This is even better. It uses machine learning to understand your normal spending patterns. If it detects a sudden, unexpected spike in Cognito costs that deviates from the norm, it will alert you automatically, even if you’re still under your total budget.

This is the grown-up solution. It doesn’t prevent the cost spike, but it turns a 30-day billing surprise into a 24-hour incident you can react to immediately.
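Both guardrails as code, an added example and not the original post's own setup: a Cognito-scoped budget with the 80% alert described above, plus a Cost Anomaly Detection monitor on the service dimension with an immediate subscription. It assumes boto3, permissions for budgets:CreateBudget, ce:CreateAnomalyMonitor and ce:CreateAnomalySubscription, and that the billing service name for Cognito is "Amazon Cognito" (check the Service dimension in your own Cost Explorer).

```python
def build_cognito_budget(limit_usd: int, email: str, alert_pct: float = 80.0):
    """Return (Budget, NotificationsWithSubscribers) for budgets.create_budget."""
    if not 0 < alert_pct <= 100:
        raise ValueError("alert_pct must be in (0, 100]")
    budget = {
        "BudgetName": "Cognito-Cost-Watch", "BudgetType": "COST",
        "TimeUnit": "MONTHLY",
        "BudgetLimit": {"Amount": str(limit_usd), "Unit": "USD"},
        # Scoped to one service so a big EC2 bill cannot mask a Cognito spike.
        # "Amazon Cognito" is the billing service name assumed here.
        "CostFilters": {"Service": ["Amazon Cognito"]},
    }
    notifications = [{
        "Notification": {"NotificationType": "ACTUAL",  # spend so far, not forecast
                         "ComparisonOperator": "GREATER_THAN",
                         "Threshold": alert_pct, "ThresholdType": "PERCENTAGE"},
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
    }]
    return budget, notifications


def build_anomaly_subscription(monitor_arn: str, email: str, min_usd: int):
    """Alert immediately on any anomaly whose total impact is >= min_usd."""
    return {
        "SubscriptionName": "cognito-anomaly-alerts",
        "MonitorArnList": [monitor_arn],
        "Subscribers": [{"Address": email, "Type": "EMAIL"}],
        "Frequency": "IMMEDIATE",
        "ThresholdExpression": {"Dimensions": {
            "Key": "ANOMALY_TOTAL_IMPACT_ABSOLUTE", "Values": [str(min_usd)],
            "MatchOptions": ["GREATER_THAN_OR_EQUAL"]}},
    }


def apply_guardrails(account_id: str, email: str) -> str:
    """Create the budget and the anomaly monitor; returns the monitor ARN."""
    import boto3  # lazy import keeps the builders above testable without AWS
    region = "us-east-1"  # Budgets and Cost Explorer APIs are served from here
    budget, notes = build_cognito_budget(10, email)
    boto3.client("budgets", region_name=region).create_budget(
        AccountId=account_id, Budget=budget, NotificationsWithSubscribers=notes)
    ce = boto3.client("ce", region_name=region)
    arn = ce.create_anomaly_monitor(AnomalyMonitor={
        "MonitorName": "per-service-anomalies", "MonitorType": "DIMENSIONAL",
        "MonitorDimension": "SERVICE"})["MonitorArn"]
    ce.create_anomaly_subscription(
        AnomalySubscription=build_anomaly_subscription(arn, email, 10))
    return arn
```

Run `apply_guardrails("123456789012", "team@example.com")` once per account with your own values; the budget alert fires at $8 of a $10 limit, matching the thresholds in the steps above.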

Solution 3: The ‘Nuclear’ Option (Migrate to Supabase or an Alternative)

This is what the Reddit user decided to do, and I completely understand the reasoning. Sometimes, the tool is just not the right fit for the job, especially when its pricing model is misaligned with your business model.

Migrating from Cognito to a service like Supabase Auth, Auth0, or Clerk is a major architectural decision. It’s not a quick fix. Supabase, for example, has a very generous free tier and predictable, user-based pricing on its paid tiers. You’re trading the deep integration with the AWS ecosystem for simplicity and cost predictability.

When to Consider This:

  • Your user base is large but your revenue per user is low.
  • You prioritize developer experience and speed over deep cloud vendor lock-in.
  • Your team doesn’t have the bandwidth or expertise to constantly monitor complex cloud billing.
  • You’re starting a new project and want predictable costs from day one.

We’ve actually done this for a few greenfield projects at TechResolve. We still use Cognito for services that are deeply embedded in AWS (e.g., using IAM roles for authenticated users), but for simple web apps, the simplicity of Supabase is hard to beat.

Comparing the Solutions

Here’s a quick breakdown to help you decide what’s right for you.

| Solution | Effort | Cost Impact | Best For |
| --- | --- | --- | --- |
| 1. Quick Fix | Low (5 minutes) | Immediate stop | Emergency situations where the bill is climbing NOW. |
| 2. Permanent Fix | Medium (1-2 hours) | Prevents surprises | All production workloads. This is basic cloud financial hygiene. |
| 3. Migration | High (Days/Weeks) | Long-term predictability | Startups, side-projects, or when Cognito’s model is a poor fit. |

Ultimately, there’s no single right answer. The $360 bill is a painful but valuable lesson. Use it as an opportunity to implement proper cost monitoring (Solution 2). Then, have an honest conversation with your team about whether your current auth provider is the right long-term partner for your application (Solution 3). Just don’t let the fear of a surprise bill stop you from building.

Darian Vance

Lead Cloud Architect & DevOps Strategist

With over 12 years in system architecture and automation, Darian specializes in simplifying complex cloud infrastructures. An advocate for open-source solutions, he founded TechResolve to provide engineers with actionable, battle-tested troubleshooting guides and robust software alternatives.


🤖 Frequently Asked Questions

❓ Why did Cognito incur a $360 bill for “Advanced Security”?

The $360 bill was due to AWS Cognito’s “Advanced Security” feature, specifically “Compromised credential checking,” being enabled. This feature is priced per event (e.g., sign-ups, sign-ins, password changes) rather than per Monthly Active User (MAU), causing costs to escalate rapidly from bot attacks or high user activity.

❓ How does Supabase Auth compare to Cognito regarding cost predictability?

Supabase Auth generally offers more predictable, user-based pricing with generous free tiers, making it a strong alternative for projects prioritizing cost predictability. Cognito’s standard features are MAU-based, but its “Advanced Security” is event-based, which can lead to unpredictable and high costs.

❓ What’s a critical step to prevent unexpected AWS cloud costs?

A critical step is to implement AWS Budgets for specific services and enable AWS Cost Anomaly Detection. This provides early alerts on unexpected spending spikes, preventing a 30-day billing surprise from becoming a costly incident.
