Which hash function does AWS Cognito use to store users' passwords? There is no information about that in the docs or even in forum questions.
I submitted this question in the AWS Support center.
This is the answer I got:
I would like to mention that Amazon Cognito User Pools adopts the Secure Remote Password (SRP) protocol for user authentication; Cognito doesn't store the user password but rather stores a verifier that allows Cognito to verify user credentials without receiving the password. Cognito user pools store user data in Amazon Cloud Directory, which encrypts data at rest and in transit by using 256-bit encryption keys. Please note that Amazon Cognito and Amazon Cloud Directory are in scope for several compliance programs that verify fulfillment of compliance requirements.
Since Amazon Cognito is a managed service and the underlying implementation can change without notice, we can't provide specific implementation details, but rather, Amazon Cognito is in scope for several compliance programs that verify certain controls have been met [1]. As we follow strict guidelines to ensure best practices and security, for the same reason these details are not shared in our public documentation. Also, Cognito follows best practices and standards of the Official Internet Protocol Standards, and meets standard compliance requirements. Please check the public documentation for compliance validation of Amazon Cognito [2].
So as mentioned, Cognito doesn't store passwords, it stores verifiers and salt resulting from the Secure Remote Password (SRP) protocol and those verifiers are encrypted with AES 256 encryption. The password verifier is derived from a hash of the salt and password. I'm attaching a link as reference to SRP protocol [3] (refer section 3 of RFC2945).
Cognito is also compliant in accordance with other standards (PCI DSS, HIPAA, ISO & C5), and I can confirm sensitive Cognito data is stored in AES-256 encrypted format.
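To make concrete what "the password verifier is derived from a hash of the salt and password" means, here is an added worked example of the RFC 2945 section 3 verifier derivation and a single SRP-6a exchange built on it. It is illustration code, not anything from AWS, Cognito, or the support answer above; it assumes SHA-256 in place of RFC 2945's SHA-1 and uses the 1024-bit group from RFC 5054 Appendix A, and it makes no claim about which hash or group Cognito actually uses. The point it shows is the one the answer makes: the store holds only (salt, v), and the server can still confirm the password without ever receiving it.

```python
"""SRP verifier derivation (RFC 2945 section 3) and a minimal SRP-6a exchange.

Added illustration, not AWS or Cognito code. Assumptions: SHA-256 instead of
RFC 2945's SHA-1, and the 1024-bit group from RFC 5054 Appendix A.
"""
import hashlib
import os
from typing import Optional, Tuple

# RFC 5054 Appendix A, 1024-bit group: N is a safe prime, g = 2 is a generator.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, as SRP-6a requires for A, B, N and g."""
    return n.to_bytes(N_LEN, "big")


def compute_x(salt: bytes, username: str, password: str) -> int:
    """RFC 2945 section 3: x = H(s | H(I | ":" | P))."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def make_verifier(username: str, password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Registration step: the server keeps (salt, v), never the password.
    v = g^x mod N is the only password-derived value that needs storing."""
    salt = salt if salt is not None else os.urandom(16)
    x = compute_x(salt, username, password)
    return salt, pow(g, x, N)


def srp_exchange(username: str, password: str, salt: bytes, v: int) -> Tuple[int, int]:
    """One SRP-6a run: the client holds the password, the server only (salt, v).
    Returns (client_key, server_key); they agree only if the password is right."""
    k = H(pad(N), pad(g))                      # SRP-6a multiplier
    a = int.from_bytes(os.urandom(32), "big")  # client ephemeral secret
    b = int.from_bytes(os.urandom(32), "big")  # server ephemeral secret
    A = pow(g, a, N)                           # client public value
    B = (k * v + pow(g, b, N)) % N             # server public value
    # RFC 5054 abort rule: a public value of 0 mod N would collapse the key.
    if A % N == 0 or B % N == 0:
        raise ValueError("invalid public ephemeral value")
    u = H(pad(A), pad(B))                      # random scrambling parameter
    # Client side: the only place the password is ever used.
    x = compute_x(salt, username, password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: works purely from v, so the password never reaches it.
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    return H(pad(s_client)), H(pad(s_server))


if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse battery staple")
    ok = srp_exchange("alice", "correct horse battery staple", salt, v)
    bad = srp_exchange("alice", "wrong password", salt, v)
    print("right password, keys match:", ok[0] == ok[1])
    print("wrong password, keys match:", bad[0] == bad[1])
```

Two properties worth noticing when running it: the same password under a different salt yields an unrelated verifier, so a leaked verifier table cannot be matched across users or precomputed, and even a leaked (salt, v) pair still leaves an attacker with an offline guessing problem rather than a usable credential, which is why the answer distinguishes "stores a verifier" from "stores the password".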