This is a multi-step process, where you use AWS CLI to change users passwords:
Step 1: For the desired user, get a session token:
aws cognito-idp admin-initiate-auth --user-pool-id user pool id --client-id app client id --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=username,PASSWORD=current-password
If error occurs like this "Unable to verify secret hash for client", then create another client without a secret and use that client ID.
Step 2: If only step 1 is successful, you will be responded with a challenge "NEW_PASSWORD_REQUIRED", other parameters and user’s session key. After this, run the second command to issue the challenge response:
aws cognito-idp admin-respond-to-auth-challenge --user-pool-id user pool id --client-id client id --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD=desired-password,USERNAME=users username --session “session key from previous command”
If you receive an error stating "Invalid attributes given, XXX is missing" pass the attributes which are missing using this format - userAttributes.$FIELD_NAME=$VALUE
A valid Authentication Result and appropriate Tokens will be produced.
You can also visit the AWS tutorial which is meant for beginners to learn AWS.