AppStream Fleet Maximum Session Duration

Overview

This check ensures that Amazon AppStream 2.0 fleets have a maximum user session duration of 10 hours (36,000 seconds) or less. AppStream 2.0 is a desktop streaming service that lets users access applications from any device. Limiting how long a session can remain active reduces security risks and helps control costs.

Risk

When sessions can stay active for extended periods (more than 10 hours), several security problems can occur:

  • Session hijacking: A compromised session gives attackers a longer window to exploit access
  • Data exfiltration: Extended access increases the chance of sensitive data being copied
  • Stale credentials: Users may not re-authenticate, allowing potentially revoked access to persist
  • Higher costs: Long-running sessions consume resources even when not actively used

Remediation Steps

Prerequisites

You need permission to modify AppStream 2.0 fleet settings in your AWS account. Specifically, you need the appstream:UpdateFleet permission.

AWS Console Method

  1. Sign in to the AWS Console
  2. Navigate to Amazon AppStream 2.0 (search for "AppStream" in the services search bar)
  3. In the left navigation, click Fleets
  4. Select the fleet that failed the check
  5. Click Edit
  6. Find the Maximum session duration setting
  7. Set it to 10 hours or less (for example, 8 hours = 28,800 seconds)
  8. Click Update

The change takes effect for new sessions. Existing sessions will continue until they reach their original limit.

AWS CLI (optional)

Use the update-fleet command to set the maximum session duration. The value is specified in seconds.

Example: Set maximum session to 8 hours (28,800 seconds)

aws appstream update-fleet \
  --name <your-fleet-name> \
  --max-user-duration-in-seconds 28800 \
  --region us-east-1

Example: Set maximum session to 10 hours (36,000 seconds) - the compliance limit

aws appstream update-fleet \
  --name <your-fleet-name> \
  --max-user-duration-in-seconds 36000 \
  --region us-east-1

Common values:

Duration    Seconds
1 hour      3,600
4 hours     14,400
8 hours     28,800
10 hours    36,000

Note: The fleet can be in RUNNING or STOPPED state when you update this setting. The valid range for this parameter is 600 to 432,000 seconds (10 minutes to 5 days), but for this security check to pass, it must be 36,000 seconds (10 hours) or less.

CloudFormation (optional)

Use the following CloudFormation template to create an AppStream fleet with a compliant maximum session duration.

AWSTemplateFormatVersion: '2010-09-09'
Description: AppStream 2.0 Fleet with secure maximum session duration

Parameters:
  FleetName:
    Type: String
    Description: Name for the AppStream fleet
    AllowedPattern: "^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,100}$"

  ImageName:
    Type: String
    Description: Name of the AppStream image to use

  InstanceType:
    Type: String
    Description: Instance type for the fleet
    Default: stream.standard.medium

  MaxUserDurationInSeconds:
    Type: Number
    Description: Maximum session duration in seconds (max 36000 for compliance)
    Default: 36000
    MinValue: 600
    MaxValue: 36000

Resources:
  AppStreamFleet:
    Type: AWS::AppStream::Fleet
    Properties:
      Name: !Ref FleetName
      ImageName: !Ref ImageName
      InstanceType: !Ref InstanceType
      FleetType: ON_DEMAND
      MaxUserDurationInSeconds: !Ref MaxUserDurationInSeconds
      DisconnectTimeoutInSeconds: 300
      ComputeCapacity:
        DesiredInstances: 1

Outputs:
  FleetArn:
    Description: ARN of the AppStream fleet
    Value: !GetAtt AppStreamFleet.Arn

Deploy the stack:

aws cloudformation create-stack \
  --stack-name secure-appstream-fleet \
  --template-body file://template.yaml \
  --parameters \
    ParameterKey=FleetName,ParameterValue=my-secure-fleet \
    ParameterKey=ImageName,ParameterValue=<your-image-name> \
  --region us-east-1

Update an existing stack:

If you have an existing CloudFormation-managed fleet, update the MaxUserDurationInSeconds property to 36000 or less and run:

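# FleetName and ImageName have no defaults in the template above, so reuse their current values
aws cloudformation update-stack \
  --stack-name <your-stack-name> \
  --template-body file://template.yaml \
  --parameters \
    ParameterKey=FleetName,UsePreviousValue=true \
    ParameterKey=ImageName,UsePreviousValue=true \
    ParameterKey=MaxUserDurationInSeconds,ParameterValue=36000 \
  --region us-east-1

Terraform (optional)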

Use the following Terraform configuration to create an AppStream fleet with a compliant maximum session duration.

# AppStream 2.0 Fleet with secure maximum session duration

variable "fleet_name" {
  description = "Name for the AppStream fleet"
  type        = string
}

variable "image_name" {
  description = "Name of the AppStream image to use"
  type        = string
}

variable "instance_type" {
  description = "Instance type for the fleet"
  type        = string
  default     = "stream.standard.medium"
}

variable "max_user_duration_seconds" {
  description = "Maximum session duration in seconds (max 36000 for compliance)"
  type        = number
  default     = 36000

  validation {
    condition     = var.max_user_duration_seconds >= 600 && var.max_user_duration_seconds <= 36000
    error_message = "max_user_duration_seconds must be between 600 and 36000 (10 hours max for security compliance)."
  }
}

resource "aws_appstream_fleet" "secure_fleet" {
  name          = var.fleet_name
  image_name    = var.image_name
  instance_type = var.instance_type
  fleet_type    = "ON_DEMAND"

  compute_capacity {
    desired_instances = 1
  }

  max_user_duration_in_seconds       = var.max_user_duration_seconds
  disconnect_timeout_in_seconds      = 300
  idle_disconnect_timeout_in_seconds = 900

  tags = {
    SecurityCompliance = "prowler-appstream-session-duration"
  }
}

output "fleet_arn" {
  description = "ARN of the AppStream fleet"
  value       = aws_appstream_fleet.secure_fleet.arn
}

Apply the configuration:

terraform init
terraform plan -var="fleet_name=my-secure-fleet" -var="image_name=<your-image-name>"
terraform apply -var="fleet_name=my-secure-fleet" -var="image_name=<your-image-name>"

Update an existing fleet:

Modify the max_user_duration_seconds variable value and run terraform apply.

Verification

After making changes, verify the fix:

  1. Return to the Fleets page in the AppStream console
  2. Select your fleet and check that Maximum session duration shows 10 hours or less
  3. Re-run the Prowler check to confirm it now passes

CLI Verification

aws appstream describe-fleets \
  --names <your-fleet-name> \
  --region us-east-1 \
  --query 'Fleets[0].MaxUserDurationInSeconds'

The output should be 36000 or less.

To check all fleets:

aws appstream describe-fleets \
  --region us-east-1 \
  --query 'Fleets[*].[Name, MaxUserDurationInSeconds]' \
  --output table
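
To turn the all-fleets listing into a pass/fail report, the following Python sketch evaluates saved `aws appstream describe-fleets --output json` output against the 36,000-second limit. It is an added example, not part of the original page or of Prowler; the fleet names and JSON sample are constructed, and the function names `audit_fleets` and `failing_fleet_names` are hypothetical.

```python
import json

MAX_ALLOWED = 36000  # compliance limit from this page: 10 hours

# Constructed sample of `aws appstream describe-fleets --output json` (not real data).
SAMPLE = """
{"Fleets": [
  {"Name": "finance-desktops", "State": "RUNNING", "MaxUserDurationInSeconds": 57600,
   "IdleDisconnectTimeoutInSeconds": 900},
  {"Name": "kiosk-fleet", "State": "STOPPED", "MaxUserDurationInSeconds": 28800,
   "IdleDisconnectTimeoutInSeconds": 0},
  {"Name": "dev-tools", "State": "RUNNING", "MaxUserDurationInSeconds": 36000,
   "IdleDisconnectTimeoutInSeconds": 600},
  {"Name": "legacy-import", "State": "STOPPED"}
]}
"""

def audit_fleets(describe_fleets_json, limit=MAX_ALLOWED):
    """Return one finding dict per fleet: status PASS/FAIL plus advisory notes."""
    findings = []
    for fleet in json.loads(describe_fleets_json).get("Fleets", []):
        duration = fleet.get("MaxUserDurationInSeconds")
        notes = []
        if duration is None:
            # Fail closed: a record without the field cannot be shown compliant.
            status = "FAIL"
            notes.append("MaxUserDurationInSeconds missing from output")
        elif duration > limit:
            status = "FAIL"
            notes.append(f"{duration}s exceeds {limit}s by {duration - limit}s")
        else:
            status = "PASS"
        # Advisory only (see Notes): an idle disconnect timeout of 0 means disabled.
        if fleet.get("IdleDisconnectTimeoutInSeconds", 0) == 0:
            notes.append("idle disconnect timeout not enabled")
        findings.append({"name": fleet["Name"], "status": status,
                         "duration": duration, "notes": notes})
    return findings

def failing_fleet_names(findings):
    """Names to feed into update-fleet, sorted for stable output."""
    return sorted(f["name"] for f in findings if f["status"] == "FAIL")

if __name__ == "__main__":
    for f in audit_fleets(SAMPLE):
        print(f'{f["status"]:4} {f["name"]:18} {f["duration"]} {"; ".join(f["notes"])}')
```

A fleet at exactly 36,000 seconds passes, and a record without the field is reported as failing rather than silently skipped.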

Notes

  • Existing sessions are not affected - Changes apply only to new sessions. Users in active sessions will continue until their original limit is reached.
  • Consider idle timeouts too - In addition to maximum session duration, consider enabling idle disconnect timeouts to end sessions when users are inactive.
  • Balance security and usability - While shorter sessions are more secure, too-short sessions may frustrate users who need to work for extended periods. Consider your organization's workflow when choosing a value.
  • Minimum value is 600 seconds (10 minutes) - AWS enforces a minimum session duration to ensure usability.