AppStream Fleet Session Disconnect Timeout

Overview

This check verifies that Amazon AppStream 2.0 fleets have a disconnect timeout of 5 minutes (300 seconds) or less. The disconnect timeout controls how long a streaming session stays active after a user disconnects, allowing them to reconnect to the same session within that window.

Risk

An overly long disconnect timeout increases both security and cost exposure:

  • Session hijacking: Attackers could reconnect to abandoned sessions using lost or stolen devices
  • Unauthorized data access: Sensitive information in the streaming session remains accessible longer than necessary
  • Unauthorized actions: Malicious actors could perform unintended actions in a hijacked session
  • Increased costs: Idle sessions consume resources and incur charges unnecessarily

Severity: Medium

Remediation Steps

Prerequisites

  • AWS account access with permission to modify AppStream 2.0 fleets
  • The fleet must be in a stopped state to modify timeout settings (or you can update a running fleet, which triggers a replacement)

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to Amazon AppStream 2.0
  3. In the left navigation pane, click Fleets
  4. Select the fleet you want to modify
  5. Click Edit
  6. Scroll to the Session settings section
  7. Set Disconnect timeout to 300 seconds (5 minutes) or less
  8. Click Update

Note: If the fleet is running, AWS will create a new fleet instance with the updated settings. Active sessions will not be interrupted, but new sessions will use the updated timeout.

AWS CLI (optional)

Update the disconnect timeout for an existing fleet:

aws appstream update-fleet \
--name <your-fleet-name> \
--disconnect-timeout-in-seconds 300 \
--region us-east-1

Replace <your-fleet-name> with your actual fleet name.

Valid values: 60 to 36000 seconds. For this security check, use 300 or less.

To check the current timeout value:

aws appstream describe-fleets \
--names <your-fleet-name> \
--region us-east-1 \
--query 'Fleets[0].DisconnectTimeoutInSeconds'

CloudFormation (optional)

Update your AppStream fleet CloudFormation template to include the DisconnectTimeoutInSeconds property:

AWSTemplateFormatVersion: '2010-09-09'
Description: AppStream 2.0 Fleet with secure disconnect timeout

Resources:
  AppStreamFleet:
    Type: AWS::AppStream::Fleet
    Properties:
      Name: my-secure-fleet
      InstanceType: stream.standard.medium
      FleetType: ON_DEMAND
      ComputeCapacity:
        DesiredInstances: 1
      DisconnectTimeoutInSeconds: 300
      IdleDisconnectTimeoutInSeconds: 600
      MaxUserDurationInSeconds: 28800
      ImageName: <your-image-name>
      Tags:
        - Key: Purpose
          Value: SecureStreaming

Deploy or update the stack:

aws cloudformation deploy \
--template-file appstream-fleet.yaml \
--stack-name appstream-fleet-stack \
--region us-east-1

Key timeout parameters:

  • DisconnectTimeoutInSeconds: Time session stays active after disconnect (60-36000, use 300 or less)
  • IdleDisconnectTimeoutInSeconds: Time before idle session disconnects (60-3600)
  • MaxUserDurationInSeconds: Maximum session duration (600-432000)

Terraform (optional)

Configure the disconnect timeout in your Terraform AppStream fleet resource:

resource "aws_appstream_fleet" "secure_fleet" {
  name          = "my-secure-fleet"
  instance_type = "stream.standard.medium"
  fleet_type    = "ON_DEMAND"

  compute_capacity {
    desired_instances = 1
  }

  # Security-compliant timeout settings
  disconnect_timeout_in_seconds      = 300   # 5 minutes or less for security compliance
  idle_disconnect_timeout_in_seconds = 600   # 10 minutes
  max_user_duration_in_seconds       = 28800 # 8 hours

  image_name = "<your-image-name>"

  tags = {
    Purpose = "SecureStreaming"
  }
}

Apply the configuration:

terraform plan
terraform apply

Verification

After updating the fleet:

  1. Go to Amazon AppStream 2.0 > Fleets in the AWS Console
  2. Select your fleet and view its details
  3. Confirm Disconnect timeout is set to 300 seconds or less

CLI verification commands

Verify the disconnect timeout setting:

aws appstream describe-fleets \
--names <your-fleet-name> \
--region us-east-1 \
--query 'Fleets[0].{Name:Name,DisconnectTimeout:DisconnectTimeoutInSeconds,State:State}'

Expected output:

{
    "Name": "my-secure-fleet",
    "DisconnectTimeout": 300,
    "State": "RUNNING"
}

To check all fleets in the region:

aws appstream describe-fleets \
--region us-east-1 \
--query 'Fleets[].{Name:Name,DisconnectTimeout:DisconnectTimeoutInSeconds}'
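
The region-wide listing above still has to be read by eye. The following added example (not part of the original page) evaluates `describe-fleets` JSON against the 300-second threshold and builds the page's `update-fleet` command for every fleet that does not pass. The sample fleets, the function names and the UNKNOWN status for a missing value are assumptions of this example.

```python
import json
import shlex
import sys

MAX_DISCONNECT_SECONDS = 300  # threshold used by this check (5 minutes)

# Constructed sample shaped like `aws appstream describe-fleets --output json`;
# the fleet names and values are made up for illustration.
SAMPLE_OUTPUT = {"Fleets": [
    {"Name": "my-secure-fleet", "State": "RUNNING", "DisconnectTimeoutInSeconds": 300},
    {"Name": "legacy-fleet", "State": "STOPPED", "DisconnectTimeoutInSeconds": 900},
    {"Name": "no-value-fleet", "State": "RUNNING"},
]}


def audit_fleets(describe_output, region="us-east-1", limit=MAX_DISCONNECT_SECONDS):
    """Return one finding per fleet with status PASS, FAIL or UNKNOWN."""
    findings = []
    for fleet in describe_output.get("Fleets", []):
        name = fleet.get("Name", "<unnamed>")
        timeout = fleet.get("DisconnectTimeoutInSeconds")
        if isinstance(timeout, bool) or not isinstance(timeout, int):
            status = "UNKNOWN"  # a missing or malformed value is never a pass
        elif timeout <= limit:
            status = "PASS"
        else:
            status = "FAIL"
        finding = {"name": name, "timeout": timeout, "status": status}
        if status != "PASS":
            # Same update-fleet call the page gives, filled in per fleet.
            finding["fix"] = (
                f"aws appstream update-fleet --name {shlex.quote(name)} "
                f"--disconnect-timeout-in-seconds {limit} --region {shlex.quote(region)}"
            )
        findings.append(finding)
    return findings


def is_compliant(findings):
    """The check passes only when every fleet is an explicit PASS."""
    return all(f["status"] == "PASS" for f in findings)


if __name__ == "__main__":
    # Reads CLI output from stdin; falls back to the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE_OUTPUT
    for f in audit_fleets(data):
        print(f["status"], f["name"], f["timeout"], f.get("fix", ""))
```

To audit a real region, pipe the unfiltered CLI output into the script, for example `aws appstream describe-fleets --region us-east-1 --output json | python3 check_fleets.py` (the file name is arbitrary).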

Notes

  • Pair with idle timeout: For defense-in-depth, also configure a short IdleDisconnectTimeoutInSeconds to disconnect users who are inactive
  • Re-authentication: Consider requiring re-authentication on reconnection for sensitive applications
  • Fleet state: You can update a running fleet; AWS will apply changes to new streaming instances
  • User experience trade-off: Very short timeouts may frustrate users with brief network interruptions. Balance security with usability based on your use case
  • Monitor session events: Enable CloudWatch logging for AppStream to track session connect/disconnect events