Storage of passwords in Cognito

Encryption at rest

Data within Amazon Cognito is encrypted at rest in accordance with industry standards.

https://docs.aws.amazon.com/cognito/latest/developerguide/data-protection.html

Encryption in transit

Clients must support the following:

• Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
• Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

https://docs.aws.amazon.com/cognito/latest/developerguide/data-protection.html

Compliance validation for Amazon Cognito

Third-party auditors assess the security and compliance of Amazon Cognito as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others. https://docs.aws.amazon.com/cognito/latest/developerguide/compliance-validation.html