AppStream Fleet Has Default Internet Access Disabled
Overview
This check verifies that Amazon AppStream 2.0 fleets have default internet access disabled. When enabled, this setting provides streaming instances with direct public internet connectivity, which creates security risks and operational limitations.
Risk
With default internet access enabled on AppStream fleets:
- Exposure to attacks: Streaming instances become publicly accessible targets for remote exploitation and malware infection
- Data exfiltration: Uncontrolled outbound traffic enables potential unauthorized data transfer
- Scalability limits: AWS caps fleets that use default internet access at approximately 100 instances, which restricts high-demand deployments
- Reduced network control: You lose the ability to inspect, filter, or log egress traffic
Remediation Steps
Prerequisites
- AWS account access with AppStream 2.0 permissions
- The fleet must be in a STOPPED state to change this setting
- If using private subnets (recommended), ensure a NAT gateway or proxy is configured for outbound internet access
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to Amazon AppStream 2.0 > Fleets
- Select the fleet you want to modify
- If the fleet is running, stop it first:
  - Click Actions > Stop
  - Wait for the status to change to Stopped
- Click Actions > Edit
- In the Network settings section, uncheck Default Internet Access
- Click Save changes
- Restart the fleet by clicking Actions > Start
Important: After disabling default internet access, your fleet instances will need an alternative path to the internet (typically through a NAT gateway in a private subnet) for software updates and user access to web resources.
AWS CLI (optional)
Disable default internet access for a fleet:
```shell
aws appstream update-fleet \
  --name <your-fleet-name> \
  --no-enable-default-internet-access \
  --region us-east-1
```
Note: The fleet must be in a STOPPED state to update this setting. Stop the fleet first if needed:
```shell
# Stop the fleet
aws appstream stop-fleet \
  --name <your-fleet-name> \
  --region us-east-1

# Wait for the fleet to stop, then update
aws appstream update-fleet \
  --name <your-fleet-name> \
  --no-enable-default-internet-access \
  --region us-east-1

# Restart the fleet
aws appstream start-fleet \
  --name <your-fleet-name> \
  --region us-east-1
```
CloudFormation (optional)
Create or update an AppStream fleet with default internet access disabled:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: AppStream 2.0 Fleet with default internet access disabled

Parameters:
  FleetName:
    Type: String
    Description: Name of the AppStream fleet
  ImageName:
    Type: String
    Description: Name of the AppStream image to use
  InstanceType:
    Type: String
    Default: stream.standard.medium
    Description: Instance type for fleet instances
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the fleet (use private subnets)
  SecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security group IDs for the fleet

Resources:
  AppStreamFleet:
    Type: AWS::AppStream::Fleet
    Properties:
      Name: !Ref FleetName
      ImageName: !Ref ImageName
      InstanceType: !Ref InstanceType
      EnableDefaultInternetAccess: false
      ComputeCapacity:
        DesiredInstances: 1
      VpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds: !Ref SecurityGroupIds
      Tags:
        - Key: Environment
          Value: Production
```
Deploy the template:
```shell
aws cloudformation deploy \
  --template-file appstream-fleet.yaml \
  --stack-name appstream-fleet-stack \
  --parameter-overrides \
    FleetName=my-secure-fleet \
    ImageName=my-appstream-image \
    SubnetIds=subnet-abc123,subnet-def456 \
    SecurityGroupIds=sg-12345678 \
  --region us-east-1
```
Terraform (optional)
Create an AppStream fleet with default internet access disabled:
```hcl
resource "aws_appstream_fleet" "secure_fleet" {
  name          = "my-secure-fleet"
  image_name    = "my-appstream-image"
  instance_type = "stream.standard.medium"

  enable_default_internet_access = false

  compute_capacity {
    desired_instances = 1
  }

  vpc_config {
    subnet_ids         = ["subnet-abc123", "subnet-def456"]
    security_group_ids = ["sg-12345678"]
  }

  tags = {
    Environment = "Production"
  }
}
```
For existing fleets, update the enable_default_internet_access attribute to false and apply the changes.
Verification
After disabling default internet access, verify the change:
- Go to Amazon AppStream 2.0 > Fleets in the AWS Console
- Select your fleet and view its details
- In the Network settings section, confirm Default Internet Access shows as Disabled
CLI verification commands
Check the fleet configuration:
```shell
aws appstream describe-fleets \
  --names <your-fleet-name> \
  --region us-east-1
```
Look for "EnableDefaultInternetAccess": false in the output:
```json
{
  "Fleets": [
    {
      "Name": "my-secure-fleet",
      "EnableDefaultInternetAccess": false,
      "State": "RUNNING",
      ...
    }
  ]
}
```
To check all fleets in a region:
```shell
aws appstream describe-fleets --region us-east-1 \
  --query "Fleets[?EnableDefaultInternetAccess==\`true\`].Name" \
  --output table
```
This returns any fleets that still have default internet access enabled; an empty table means every fleet in the region is compliant.
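The stop, wait, update, start sequence from the CLI section and the region-wide audit from this verification section, combined into one script. This is an added example and not part of the original guide. It runs offline against a constructed fake client; `FakeAppStream`, `SAMPLE_FLEETS` and the fleet names are assumptions. Passing a real `boto3.client("appstream")` in place of the fake works with the same `describe_fleets`, `stop_fleet`, `update_fleet` and `start_fleet` calls.

```python
"""Audit AppStream 2.0 fleets for default internet access and remediate them.

Added example, not part of the original guide. The client is injected so the
module runs offline against the constructed FakeAppStream below; a real boto3
client (boto3.client("appstream")) exposes the same method names and response
shapes used here: describe_fleets, stop_fleet, update_fleet, start_fleet.
"""
import time


def fleets_with_default_internet(describe_output):
    """Names of fleets whose EnableDefaultInternetAccess flag is true.

    `describe_output` is the dict returned by describe_fleets (the same JSON
    that `aws appstream describe-fleets` prints). A missing flag counts as
    false, matching the API default.
    """
    return [
        fleet["Name"]
        for fleet in describe_output.get("Fleets", [])
        if fleet.get("EnableDefaultInternetAccess", False)
    ]


def wait_for_state(get_state, target, timeout=600, interval=5, sleep=time.sleep):
    """Poll get_state() until it returns `target`; False if `timeout` elapses.

    `sleep` is injectable so tests do not really wait.
    """
    waited = 0
    while True:
        if get_state() == target:
            return True
        if waited >= timeout:
            return False
        sleep(interval)
        waited += interval


def remediate_fleet(client, name, sleep=time.sleep):
    """Disable default internet access on one fleet, stopping it first.

    The setting can only be changed while the fleet is STOPPED, so the order
    is stop -> wait -> update -> start. Stopping ends every active streaming
    session on the fleet. Returns the fleet's description after restart.
    """
    def state():
        return client.describe_fleets(Names=[name])["Fleets"][0]["State"]

    if state() != "STOPPED":
        client.stop_fleet(Name=name)
        if not wait_for_state(state, "STOPPED", sleep=sleep):
            raise TimeoutError(f"fleet {name!r} did not reach STOPPED")
    client.update_fleet(Name=name, EnableDefaultInternetAccess=False)
    client.start_fleet(Name=name)
    return client.describe_fleets(Names=[name])["Fleets"][0]


class FakeAppStream:
    """Constructed stand-in for the boto3 appstream client (sample data only).

    State changes are asynchronous in the real service; here a STOPPING or
    STARTING fleet settles after two describe calls so the polling loop runs.
    """

    def __init__(self, fleets):
        self._fleets = {f["Name"]: dict(f) for f in fleets}
        self._pending = {}

    def describe_fleets(self, Names=None):
        out = []
        for n in Names or list(self._fleets):
            f = self._fleets[n]
            if f["State"] in ("STOPPING", "STARTING"):
                self._pending[n] -= 1
                if self._pending[n] == 0:
                    f["State"] = "STOPPED" if f["State"] == "STOPPING" else "RUNNING"
            out.append(dict(f))
        return {"Fleets": out}

    def stop_fleet(self, Name):
        self._fleets[Name]["State"], self._pending[Name] = "STOPPING", 2

    def update_fleet(self, Name, **attrs):
        # Mirrors the guide's precondition: the fleet must be STOPPED.
        if self._fleets[Name]["State"] != "STOPPED":
            raise RuntimeError("fleet must be STOPPED to change this setting")
        self._fleets[Name].update(attrs)

    def start_fleet(self, Name):
        self._fleets[Name]["State"], self._pending[Name] = "STARTING", 2


# Constructed sample inventory (names and states are made up).
SAMPLE_FLEETS = [
    {"Name": "public-fleet", "State": "RUNNING", "EnableDefaultInternetAccess": True},
    {"Name": "private-fleet", "State": "RUNNING", "EnableDefaultInternetAccess": False},
]


def run_demo():
    """Audit the sample inventory, fix every finding, return (before, after)."""
    client = FakeAppStream(SAMPLE_FLEETS)
    before = fleets_with_default_internet(client.describe_fleets())
    for name in before:
        remediate_fleet(client, name, sleep=lambda _: None)
    after = fleets_with_default_internet(client.describe_fleets())
    return before, after


if __name__ == "__main__":
    print(run_demo())  # (['public-fleet'], [])
```

Against a real account, `fleets_with_default_internet(client.describe_fleets())` is the programmatic equivalent of the JMESPath query above, and `remediate_fleet` refuses to skip the stop step because the fake (like the service) rejects the update on a running fleet.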
Additional Resources
- Amazon AppStream 2.0 Administration Guide
- AppStream 2.0 Networking and Access
- VPC Configuration for AppStream 2.0
- AWS CloudFormation AppStream Fleet Resource
Notes
- Fleet state requirement: The fleet must be stopped before you can change the default internet access setting
- Alternative internet access: When default internet access is disabled, place your fleet in a private subnet with a NAT gateway to provide controlled outbound internet access
- Security best practices: Use security groups and network ACLs to restrict traffic. Consider using AWS PrivateLink for AWS service connectivity
- Egress filtering: Route outbound traffic through a proxy server or AWS Network Firewall for inspection and logging
- Session continuity: Stopping a fleet will terminate any active streaming sessions. Plan maintenance windows accordingly