I am using the amazon-cognito-identity-js SDK for user authentication. The CookieStorage object only takes domain, path, expires, and secure configurations. Is it possible to configure the authentication response to set the tokens in an HttpOnly cookie?
You can set an HttpOnly cookie via Express.js or any other server.
I created a wrapper, an "identity service" of sorts for AWS Cognito, that returns HttpOnly cookies; it is easily achievable since Cognito comes with JWT authentication out of the box.
Note that the project was originally created to support Nuxt/Next.js; in case you want another structure, just change the endpoints. https://github.com/cnikolov/aws-cognito-http
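The server-side approach this answer describes, as an added example that is not code from the original answer or from the linked aws-cognito-http project: a framework-free Node.js helper that takes Cognito JWTs the server has already obtained and returns them only as HttpOnly cookies. The cookie names, the attribute choices, the `fakeJwt` helper and the `exp`-based lifetime are this example's assumptions; signature verification against Cognito's JWKS is assumed to happen before these functions are called.

```javascript
// Constructed, unsigned token for offline demonstration only; real tokens
// come from Cognito and must be signature-verified against its JWKS first.
function fakeJwt(claims) {
  const b64url = (s) => Buffer.from(s).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url('{"alg":"RS256","typ":"JWT"}')}.${b64url(JSON.stringify(claims))}.placeholdersig`;
}

// Read the `exp` claim from a JWT payload (base64url-encoded JSON). This only
// sizes the cookie lifetime; it is not a validity check of the token.
function jwtExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (!Number.isInteger(payload.exp)) throw new Error('JWT has no exp claim');
  return payload.exp;
}

// Build Set-Cookie header values, one per token. The value is restricted to
// the JWT alphabet so it can never smuggle ';' or extra cookie attributes.
function buildTokenCookies(tokens, { domain, secure = true, now = Date.now() } = {}) {
  const attrs = ['Path=/', 'HttpOnly', 'SameSite=Strict'];
  if (secure) attrs.push('Secure');
  if (domain) attrs.push(`Domain=${domain}`);
  return Object.entries(tokens).map(([name, jwt]) => {
    if (!/^[A-Za-z0-9_.-]+$/.test(jwt)) throw new Error(`bad token value for ${name}`);
    const maxAge = Math.max(0, jwtExp(jwt) - Math.floor(now / 1000));
    return [`${name}=${jwt}`, `Max-Age=${maxAge}`, ...attrs].join('; ');
  });
}

// Response step of the wrapper: `res` is a Node http.ServerResponse (an Express
// res works too). Nothing is echoed in the body, so page scripts never see the JWTs.
function setTokenCookies(res, tokens, opts) {
  res.setHeader('Set-Cookie', buildTokenCookies(tokens, opts));
  res.writeHead(204);
  res.end();
}

// Offline demo with a constructed token and a fixed clock.
const demoCookies = buildTokenCookies(
  { idToken: fakeJwt({ exp: 2000000000 }) },
  { now: 1999999000 * 1000 },
);
console.log(demoCookies);
```

The browser then sends the cookies automatically, and the wrapper's other endpoints read and verify the token from the `Cookie` header instead of from an `Authorization` header set by page JavaScript.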
See Set a cookie to HttpOnly via JavaScript. It is not possible for JavaScript to set httpOnly cookies, so amazon-cognito-identity-js can't do that either.
If you use the hosted sign-in/up pages, then Cognito will put httpOnly cookies on your client (server side). But those cookies don't contain JWTs.
Found this; from the discussion it looks like httpOnly cookies are not something AWS Cognito currently supports (which is really surprising):
https://github.com/aws-amplify/amplify-js/issues/3224
Note: the discussion is around AWS amplify but httpOnly cookies can only be set by the server for the client, so it shouldn't matter what client library is being used.
You might find my official AWS blog post helpful: Reduce risk by implementing HttpOnly cookie authentication in Amazon API Gateway
It's also using Amazon Cognito.