AppStream Fleet Session Idle Disconnect Timeout

Overview

This check verifies that Amazon AppStream 2.0 fleets have an idle disconnect timeout configured to 10 minutes (600 seconds) or less. When users stop interacting with their streaming session (no keyboard or mouse input), they should be automatically disconnected after a reasonable period to prevent security risks and reduce costs.

Risk

Long idle sessions create several security and operational concerns:

  • Session hijacking: An unattended session could be accessed by an unauthorized person
  • Shoulder surfing: Sensitive data displayed on screen remains visible when the user walks away
  • Data exposure: Applications and documents stay open and accessible without user presence
  • Unnecessary costs: Idle sessions consume fleet capacity and billing continues
  • Reduced availability: Legitimate users may be blocked from accessing resources

Severity: Medium

Remediation Steps

Prerequisites

You need permission to modify AppStream 2.0 fleet settings. This typically requires the appstream:UpdateFleet IAM permission.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appstream:DescribeFleets",
        "appstream:UpdateFleet"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Console
  2. Navigate to AppStream 2.0 (search for "AppStream" in the search bar)
  3. In the left menu, click Fleets
  4. Select the fleet you want to update
  5. Click the Edit button
  6. Find the Idle disconnect timeout setting
  7. Set the value to 10 minutes or less (e.g., 5 or 10 minutes)
  8. Click Save changes

Repeat for each fleet that failed the check.

AWS CLI (optional)

Use this command to set the idle disconnect timeout to 10 minutes (600 seconds):

aws appstream update-fleet \
  --name <FLEET_NAME> \
  --idle-disconnect-timeout-in-seconds 600 \
  --region us-east-1

Replace <FLEET_NAME> with your actual fleet name.

Example with a specific fleet:

aws appstream update-fleet \
  --name production-fleet \
  --idle-disconnect-timeout-in-seconds 600 \
  --region us-east-1

To list all fleets first:

aws appstream describe-fleets --region us-east-1

Valid timeout values:

  • 0 = Disabled (users are never disconnected for inactivity) - not recommended
  • 60 to 36000 = Timeout in seconds (1 minute to 10 hours)

Values are rounded to the nearest minute. For example, 70 seconds rounds to 1 minute, and 90 seconds rounds to 2 minutes.

CloudFormation (optional)

Use the IdleDisconnectTimeoutInSeconds property on the AWS::AppStream::Fleet resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: AppStream Fleet with secure idle timeout

Resources:
  AppStreamFleet:
    Type: AWS::AppStream::Fleet
    Properties:
      Name: my-secure-fleet
      InstanceType: stream.standard.medium
      ComputeCapacity:
        DesiredInstances: 1
      FleetType: ON_DEMAND
      ImageName: Amazon-AppStream2-Sample-Image-03-11-2023

      # Security: Disconnect idle users after 10 minutes
      IdleDisconnectTimeoutInSeconds: 600

      # Additional recommended settings
      DisconnectTimeoutInSeconds: 300
      MaxUserDurationInSeconds: 36000

      Description: Production AppStream fleet with secure timeout settings
      EnableDefaultInternetAccess: false

      Tags:
        - Key: Environment
          Value: Production

Key properties:

  • IdleDisconnectTimeoutInSeconds: 600 - Disconnects idle users after 10 minutes
  • DisconnectTimeoutInSeconds - How long a disconnected session remains before termination

Terraform (optional)

Use the idle_disconnect_timeout_in_seconds argument on the aws_appstream_fleet resource:

resource "aws_appstream_fleet" "secure_fleet" {
  name = "my-secure-fleet"

  compute_capacity {
    desired_instances = 1
  }

  instance_type = "stream.standard.large"
  image_name    = "Amazon-AppStream2-Sample-Image-03-11-2023"
  fleet_type    = "ON_DEMAND"

  # Security: Disconnect idle users after 10 minutes (600 seconds)
  idle_disconnect_timeout_in_seconds = 600

  # Additional recommended settings
  disconnect_timeout_in_seconds = 300
  max_user_duration_in_seconds  = 36000

  description                    = "Production fleet with secure timeout"
  display_name                   = "Secure Fleet"
  enable_default_internet_access = false

  vpc_config {
    subnet_ids = ["subnet-xxxxxxxxx"]
  }

  tags = {
    Environment = "Production"
  }
}

To update an existing fleet, modify the idle_disconnect_timeout_in_seconds value and run:

terraform plan
terraform apply

Verification

After making changes, verify the fix:

  1. Return to AppStream 2.0 > Fleets in the AWS Console
  2. Select your fleet and review the Fleet details
  3. Confirm the Idle disconnect timeout shows 10 minutes or less

Verify with AWS CLI

aws appstream describe-fleets \
  --names <FLEET_NAME> \
  --region us-east-1 \
  --query 'Fleets[0].IdleDisconnectTimeoutInSeconds'

The output should be 600 or less (but not 0).

To check all fleets at once:

aws appstream describe-fleets \
  --region us-east-1 \
  --query 'Fleets[*].[Name,IdleDisconnectTimeoutInSeconds]' \
  --output table
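The two CLI queries above print raw values and leave the pass/fail decision to the reader. The script below is an added example (not part of this check's documentation or of any scanner's code) that applies the check's rule to describe-fleets output for every fleet in a region: a fleet passes only when IdleDisconnectTimeoutInSeconds is between 1 and 600, a value of 0 or a missing field fails as "disabled", and the effective timeout in minutes is reported using the rounding described in the valid-values section (70 seconds becomes 1 minute, 90 seconds becomes 2). The boto3 client, the region argument and the sample fleet list are assumptions; run it with no arguments to evaluate the constructed sample, or with a region name to audit real fleets (this needs appstream:DescribeFleets, as in the prerequisites above).

```python
"""Audit AppStream 2.0 fleets for the idle disconnect timeout check.

Added example, not part of the original check documentation. It applies the
page's rule (IdleDisconnectTimeoutInSeconds must be 1..600; 0 means disabled)
to DescribeFleets output and reports the effective timeout in minutes using
the rounding the page describes (70 s -> 1 min, 90 s -> 2 min).
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_ALLOWED_SECONDS = 600  # the check's threshold: 10 minutes


@dataclass(frozen=True)
class FleetFinding:
    name: str
    timeout_seconds: int | None
    effective_minutes: int | None
    status: str  # "PASS" or "FAIL"
    reason: str


def effective_minutes(seconds: int) -> int:
    """Round a timeout in seconds to the nearest minute, halves rounding up.

    Matches the examples on the page: 70 -> 1, 90 -> 2.
    """
    return (seconds + 30) // 60


def evaluate_fleet(fleet: dict) -> FleetFinding:
    """Apply the check to one Fleet object from describe-fleets."""
    name = fleet.get("Name", "<unnamed>")
    timeout = fleet.get("IdleDisconnectTimeoutInSeconds")
    if timeout is None:
        # Field absent: treat as not configured, which behaves like disabled.
        return FleetFinding(name, None, None, "FAIL",
                            "idle disconnect timeout not configured")
    if timeout == 0:
        return FleetFinding(name, 0, None, "FAIL",
                            "idle disconnect timeout disabled (0)")
    minutes = effective_minutes(timeout)
    if timeout > MAX_ALLOWED_SECONDS:
        return FleetFinding(name, timeout, minutes, "FAIL",
                            f"idle disconnect timeout {timeout}s exceeds "
                            f"{MAX_ALLOWED_SECONDS}s (~{minutes} min)")
    return FleetFinding(name, timeout, minutes, "PASS",
                        f"idle disconnect timeout {timeout}s (~{minutes} min)")


def evaluate_fleets(fleets: list[dict]) -> list[FleetFinding]:
    """Evaluate every fleet; the caller decides how to report the findings."""
    return [evaluate_fleet(f) for f in fleets]


def describe_all_fleets(region: str) -> list[dict]:
    """Fetch every fleet in a region with boto3, following NextToken pages.

    boto3 is imported here so the evaluation logic above can be tested
    offline without it. Assumption: boto3 is installed and credentials with
    appstream:DescribeFleets are configured.
    """
    import boto3

    client = boto3.client("appstream", region_name=region)
    fleets: list[dict] = []
    kwargs: dict = {}
    while True:
        resp = client.describe_fleets(**kwargs)
        fleets.extend(resp.get("Fleets", []))
        token = resp.get("NextToken")
        if not token:
            return fleets
        kwargs = {"NextToken": token}


# Constructed sample shaped like the Fleets list in describe-fleets output.
SAMPLE_FLEETS = [
    {"Name": "production-fleet", "IdleDisconnectTimeoutInSeconds": 600},
    {"Name": "dev-fleet", "IdleDisconnectTimeoutInSeconds": 0},
    {"Name": "analyst-fleet", "IdleDisconnectTimeoutInSeconds": 1800},
    {"Name": "kiosk-fleet", "IdleDisconnectTimeoutInSeconds": 90},
]

if __name__ == "__main__":
    import sys

    region = sys.argv[1] if len(sys.argv) > 1 else None
    fleets = describe_all_fleets(region) if region else SAMPLE_FLEETS
    for finding in evaluate_fleets(fleets):
        print(f"{finding.status:4} {finding.name:<24} {finding.reason}")
```

On the constructed sample this reports production-fleet and kiosk-fleet as PASS and dev-fleet (disabled) and analyst-fleet (1800 seconds) as FAIL, which is the same decision the check makes. The evaluation is kept separate from the API call so the rule can be unit tested and reused against exported JSON from the CLI.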

Additional Resources

Notes

  • What counts as activity: Only keyboard and mouse input count as user activity. File uploads/downloads, audio playback, and screen changes do NOT reset the idle timer.

  • User notification: Users receive a warning before being disconnected due to inactivity, giving them a chance to interact with the session.

  • Reconnection window: After idle disconnect, users can reconnect to their previous session if they do so before the DisconnectTimeoutInSeconds period expires.

  • Fleet must be stopped to update: Some fleet changes require stopping the fleet first. If you receive an error, stop the fleet, make changes, then restart it.

  • Value of 0 disables the feature: Setting the timeout to 0 prevents users from ever being disconnected due to inactivity, which is not recommended for security.