Tags: amazon-web-services, aws-lambda, amazon-cognito

Validating the password requested during sign up with AWS Cognito User Pool


Is there a way to see the password within the Lambda triggers that can be fired off by a sign-up or password change on AWS Cognito User Pool?

I want to get the password and compare it to lists of previously compromised passwords (the haveibeenpwned lists) to ensure password strength at a much higher level than what is possible with the arbitrary complexity rules that can be defeated by garbage like "Password!23".


Solution

  • The answer is that it currently is not possible to do as simply as I had hoped.

    What you would have to do is turn on the USER_PASSWORD_AUTH authentication flow, which means the password is sent in the HTTP POST request, and set up your own reverse proxy to take the request, check the password details, forward the request on to Cognito, accept the response and then send it back to the browser.

    Or just turn on the "Advanced Security Features" option that they give you and tick the box for checking passwords against compromised lists... which is what I imagine AWS is trying to force you to do.
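The check the reverse proxy would have to run, as an added example that is not part of the original question or answer and not AWS code: it applies the Have I Been Pwned k-anonymity model (look up the first five hex characters of the password's SHA-1, match the remaining 35 locally, so the full hash never leaves the proxy) to the two Cognito request bodies that carry a cleartext password, `SignUp` (top-level `Password`) and `InitiateAuth` with `AuthFlow` `USER_PASSWORD_AUTH` (`AuthParameters.PASSWORD`); those field names follow the public Cognito IDP API. The breached list and its counts are a constructed sample, the range service is simulated offline, and `ClientId` values are placeholders; in a real deployment `local_range_query` would be replaced by a GET to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Compromised-password check for a Cognito-fronting reverse proxy.

Added example, not code from the original post or from AWS. The breached
passwords below are a constructed sample, not HIBP data, and the range
service is simulated offline with the same 'SUFFIX:COUNT' line format.
"""
import hashlib
import json

# Constructed sample of breached passwords with made-up breach counts.
COMPROMISED_SAMPLE = {
    "Password!23": 12345,   # passes typical complexity rules, still burned
    "123456": 37000000,
    "qwerty": 3900000,
    "letmein": 250000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the HIBP range endpoint works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(counts):
    """Group hashes by 5-char prefix -> list of 'SUFFIX:COUNT' lines."""
    index = {}
    for password, n in counts.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")
    return index


RANGE_INDEX = build_range_index(COMPROMISED_SAMPLE)


def local_range_query(prefix: str):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns every known suffix sharing the prefix, so the caller (not the
    range service) learns which, if any, password matched.
    """
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str, range_query=local_range_query) -> int:
    """Number of times the password appears in the breached list (0 = unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix):
        known_suffix, _, count = line.partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def extract_password(body: dict):
    """Pull the cleartext password from the request shapes the answer relies on.

    SignUp carries a top-level 'Password'; InitiateAuth exposes
    AuthParameters.PASSWORD only when AuthFlow is USER_PASSWORD_AUTH (the
    SRP flows never send the password, so there is nothing to inspect).
    """
    if "Password" in body:
        return body["Password"]
    if body.get("AuthFlow") == "USER_PASSWORD_AUTH":
        return body.get("AuthParameters", {}).get("PASSWORD")
    return None


def proxy_decision(raw_body: str, range_query=local_range_query):
    """Decide whether to forward a request body to Cognito.

    Returns ('forward', 0) or ('reject', breach_count). Nothing here logs or
    retains the password; only its SHA-1 prefix is ever sent onward.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ("forward", 0)          # not JSON: let Cognito reject it
    password = extract_password(body)
    if password is None:
        return ("forward", 0)          # no cleartext password in this flow
    count = breach_count(password, range_query)
    if count:
        return ("reject", count)
    return ("forward", 0)


if __name__ == "__main__":
    signup = json.dumps({"ClientId": "CLIENT_ID_PLACEHOLDER",
                         "Username": "alice", "Password": "Password!23"})
    print(proxy_decision(signup))  # ('reject', 12345)
```

On a `reject` the proxy answers the browser itself with the same error shape the client already handles for a weak password; on `forward` it relays the request unchanged. The SRP flows pass straight through because the password is never on the wire, which is the reason the answer requires switching on `USER_PASSWORD_AUTH` in the first place.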