[scarface74]

Cognito is just a standard authorization service that supports Oath 2.0, SAML 2.0, and OpenID Connect.

It is a drop in replacement for dozens of other authentication providers.

[mitjam]

Migrating away from Cognito is hard and involves end user participation as you can not export password hashes.

[scarface74]

It’s just the opposite of migrating users to Cognito.

If you are storing the passwords in Cognito and not using federated login, you should be able to insert a lambda trigger that captures the user’s password then authenticates the user with Cognito via code. Once the user is authenticated, store the password in your new store.

Yes that would be a slow process but it isn’t like you couldn’t move everything else off of AWS first and let that be a slow migration over time.