
AppStream fleets should have default internet access disabled

With Default Internet Access enabled, AppStream assigns each streaming instance a public IP address and places it in a public subnet with a route to an internet gateway, so the instance reaches the public internet directly. That exposes sessions to data exfiltration and command-and-control traffic, and the outbound connections skip the centralized egress controls (NAT gateway, network firewall, proxy) that the rest of your VPC is subject to.

Disabling Default Internet Access removes the public IP, so any internet-bound traffic has to follow the subnet's route table. Place the fleet in private subnets that route through a NAT gateway in your VPC (or through VPC endpoints for the AWS services the sessions need), where security groups, NACLs, egress filtering, and VPC Flow Logs give you visibility and control over every connection.

Retrofit consideration

Disabling default internet access on an existing fleet requires VPC connectivity with a NAT gateway or VPC endpoints for AppStream streaming. Existing users may lose connectivity if the VPC route table lacks a path to the internet or required AWS service endpoints.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_appstream_fleet.

resource "aws_appstream_fleet" "this" {
  compute_capacity {
    desired_instances = 1
  }
  disconnect_timeout_in_seconds      = 300
  fleet_type                         = "ON_DEMAND"
  idle_disconnect_timeout_in_seconds = 600
  image_name                         = "AppStream-AmazonLinux2-02-11-2025"
  instance_type                      = "stream.standard.small"
  max_user_duration_in_seconds       = 28800
  name                               = "pofix-abc123"

  # The control: no public IP and no direct internet route for streaming instances.
  enable_default_internet_access = false

  # Without Default Internet Access the instances need private subnets whose route
  # table reaches a NAT gateway and/or the AppStream VPC endpoints. The variable
  # names below are placeholders for the outputs of your own network module.
  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = var.fleet_security_group_ids
  }
}

What this control checks

This control validates the aws_appstream_fleet resource. enable_default_internet_access must be set to false on every fleet to pass; the check fails when the argument is missing, true, or null. Because the instances keep running in the subnets named in vpc_config, confirm that those subnets have the outbound path the sessions need (a NAT gateway and/or VPC endpoints) before you apply the change, or streaming will stop working.

Common pitfalls

  • VPC connectivity required after disabling

    AppStream streaming breaks if you set enable_default_internet_access = false without vpc_config pointing at subnets with outbound connectivity. A NAT gateway or the relevant VPC endpoints are required, depending on what your streaming sessions need to reach.

  • Fleet updates can disrupt active sessions

    The AppStream API accepts changes to VpcConfig and EnableDefaultInternetAccess only while the fleet is stopped, so changing vpc_config or enable_default_internet_access on an existing aws_appstream_fleet ends every active session. Schedule the change in a maintenance window. create_before_destroy only helps if you replace the fleet under a new name, because fleet names are unique within an account and Region.

  • Image builder internet access is separate

    The aws_appstream_image_builder resource has its own enable_default_internet_access argument. Disabling it on the fleet does not affect image builders. Configure them independently.

Audit evidence

An auditor expects AWS Config rule evaluation results showing all AppStream fleets as compliant, or equivalent output from a cloud security posture management tool. The AppStream 2.0 console fleet details page shows the "Default Internet Access" field; screenshots of each fleet confirming the value is "Disabled" work as direct evidence.

Supporting artifacts include VPC architecture diagrams showing that AppStream fleet subnets route through NAT gateways or VPC endpoints rather than internet gateways. CloudTrail CreateFleet and UpdateFleet events confirm that EnableDefaultInternetAccess was false at creation or modification time.
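The check described under "What this control checks" and the runtime evidence described above can be produced with one predicate. The script below is an added example for this page, not code from Compliance.tf, Prowler or Powerpipe. It applies the same rule (pass only when the value is literally false; missing, true and null all fail) to two inputs: the JSON form of a Terraform plan (`terraform show -json tfplan`), to catch the misconfiguration before apply, and a DescribeFleets response (`aws appstream describe-fleets`), as audit evidence. The SAMPLE_* inputs are constructed for the example and the resource and fleet names in them are hypothetical.

```python
"""Evaluate AppStream fleets for enable_default_internet_access = false.

Added example for this page. One predicate, is_compliant(), is applied to
  * a Terraform plan in JSON form (pre-apply check), and
  * an AppStream DescribeFleets response (runtime audit evidence).
The SAMPLE_* documents below are constructed; names in them are hypothetical.
"""
import json
import sys

FLEET_TYPE = "aws_appstream_fleet"
ARG = "enable_default_internet_access"


def is_compliant(value):
    """Pass only when the value is literally False.

    A missing argument (None here), an explicit true and an explicit null
    all fail, so anything other than False is non-compliant.
    """
    return value is False


def evaluate_plan(plan):
    """Map each planned aws_appstream_fleet address to (compliant, value).

    Resources being destroyed have no 'after' state and are skipped. A value
    absent from 'after' (omitted, or still unknown at plan time) is missing.
    """
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != FLEET_TYPE:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue
        after = change.get("after") or {}
        value = after.get(ARG)
        results[rc["address"]] = (is_compliant(value), value)
    return results


def evaluate_describe_fleets(response):
    """Map each fleet name in a DescribeFleets response to (compliant, value)."""
    results = {}
    for fleet in response.get("Fleets", []):
        value = fleet.get("EnableDefaultInternetAccess")
        results[fleet["Name"]] = (is_compliant(value), value)
    return results


def failing(results):
    """Sorted identifiers of fleets that did not pass."""
    return sorted(name for name, (ok, _) in results.items() if not ok)


# Constructed sample plan: four fleets in different states plus an unrelated resource.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_appstream_fleet.locked_down", "type": FLEET_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "locked-down", ARG: False}}},
        {"address": "aws_appstream_fleet.open_egress", "type": FLEET_TYPE,
         "change": {"actions": ["update"],
                    "after": {"name": "open-egress", ARG: True}}},
        {"address": "aws_appstream_fleet.unset", "type": FLEET_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "unset"},
                    "after_unknown": {ARG: True}}},
        {"address": "aws_appstream_fleet.retired", "type": FLEET_TYPE,
         "change": {"actions": ["delete"], "before": {ARG: True}, "after": None}},
        {"address": "aws_appstream_stack.desktop", "type": "aws_appstream_stack",
         "change": {"actions": ["create"], "after": {"name": "desktop"}}},
    ],
}

# Constructed sample in the shape returned by `aws appstream describe-fleets`.
SAMPLE_DESCRIBE_FLEETS = {
    "Fleets": [
        {"Name": "locked-down", "EnableDefaultInternetAccess": False},
        {"Name": "open-egress", "EnableDefaultInternetAccess": True},
    ]
}


if __name__ == "__main__":
    # Pass a plan or DescribeFleets JSON file as argv[1]; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
        results = evaluate_describe_fleets(doc) if "Fleets" in doc else evaluate_plan(doc)
    else:
        results = {**evaluate_plan(SAMPLE_PLAN),
                   **evaluate_describe_fleets(SAMPLE_DESCRIBE_FLEETS)}
    for name, (ok, value) in sorted(results.items()):
        print(f"{'PASS' if ok else 'FAIL'} {name}: {ARG}={value!r}")
    sys.exit(1 if failing(results) else 0)
```

Run it in CI against `terraform show -json tfplan > plan.json` to block a merge, and against the saved DescribeFleets output to produce the per-fleet evidence an auditor asks for; the non-zero exit code makes both uses scriptable.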

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: appstream_fleet_default_internet_access_disabled

  • Powerpipe Control: aws_compliance.control.appstream_fleet_default_internet_access_disabled

  • Prowler Check: appstream_fleet_default_internet_access_disabled

Last reviewed: 2026-03-09