
AppStream fleets should have idle disconnect timeout set to 10 minutes or less

Idle AppStream sessions consume fleet capacity and keep instances allocated to users who may have walked away. Setting a 10-minute cap on idle time reduces the window during which an unattended session could be accessed by an unauthorized person at a shared workstation or kiosk. It also frees compute resources faster, lowering costs in always-on and on-demand fleets.

Without an idle timeout, or with an excessively long one, sessions can persist for hours after a user stops interacting. In environments where AppStream delivers access to sensitive applications or data, that's a real exposure, not a theoretical one.

Retrofit consideration

Changing the idle disconnect timeout on an existing fleet is applied through UpdateFleet (the same event named under Audit evidence below) and, depending on the fleet type, may briefly affect active sessions. Make the change in a maintenance window or try it on a non-production fleet first.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_appstream_fleet.

resource "aws_appstream_fleet" "this" {
  compute_capacity {
    desired_instances = 1
  }
  # How long a disconnected session is kept before it is terminated.
  # This is NOT the idle timeout and does not satisfy the control on its own.
  disconnect_timeout_in_seconds      = 300
  fleet_type                         = "ON_DEMAND"
  # Idle time before the user is disconnected. 60..600 passes; 0 or omitted
  # disables the timeout and fails.
  idle_disconnect_timeout_in_seconds = 600
  image_name                         = "AppStream-AmazonLinux2-02-11-2025"
  instance_type                      = "stream.standard.small"
  max_user_duration_in_seconds       = 28800
  name                               = "pofix-abc123"
}

What this control checks

The aws_appstream_fleet resource exposes idle_disconnect_timeout_in_seconds. Set it to any integer from 60 to 600 inclusive to pass. A value of 0 disables idle disconnect entirely and fails. Omitting the argument also fails: the AWS default is 0, which disables the timeout. Setting idle_disconnect_timeout_in_seconds = 600 passes; idle_disconnect_timeout_in_seconds = 900 fails.

Common pitfalls

  • Zero value disables timeout entirely

    A value of 0 doesn't set a very long timeout, it disables idle disconnect entirely. Sessions persist indefinitely until manually terminated, which fails this control.

  • Confusing idle timeout with session disconnect timeout

    AppStream fleets expose two distinct arguments: idle_disconnect_timeout_in_seconds (how long a session can sit idle before the user is disconnected) and disconnect_timeout_in_seconds (how long a disconnected session persists before termination). Configuring only disconnect_timeout_in_seconds doesn't satisfy this control.

  • Omitting the argument disables the timeout

    Omit idle_disconnect_timeout_in_seconds from aws_appstream_fleet and the provider sends the AWS default of 0, which disables idle disconnect entirely and silently fails this control. Always set it explicitly.

Audit evidence

An auditor expects Config rule evaluation results or a compliance tool scan showing all AppStream fleets with idle disconnect timeout at or below 600 seconds. The AppStream 2.0 fleet settings page in the AWS Console showing the "Idle disconnect timeout" value is acceptable supporting evidence, as is the output of aws appstream describe-fleets with IdleDisconnectTimeoutInSeconds confirmed at 600 or less for every fleet in scope.

CloudTrail UpdateFleet and CreateFleet events round this out by showing when the timeout was last set and by whom.
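The pass/fail rule from "What this control checks" (60 to 600 inclusive passes; 0, omitted, or anything above 600 fails) applied to the two evidence sources named above, as an added example that is not part of the original page or of Compliance.tf, Powerpipe or Prowler. It reads the JSON printed by `terraform show -json <planfile>` (pre-deploy) and by `aws appstream describe-fleets` (deployed fleets). The function names are my own, the `planned_values`/`root_module`/`resources` layout is the one `terraform show -json` emits, and both sample documents are constructed for the example. An omitted attribute is treated exactly like an explicit 0, because the AWS default is 0.

```python
"""Evaluate AppStream fleet idle disconnect timeouts against the 60..600 s rule.

Added example; not code from the original page or from any listed tool.
Inputs: `terraform show -json` output and `aws appstream describe-fleets` output.
The two sample documents at the bottom are constructed for this example.
"""
import json
from typing import Any

MIN_SECONDS = 60   # lowest non-zero value AppStream accepts for the idle timeout
MAX_SECONDS = 600  # upper bound this control allows (10 minutes)


def evaluate_timeout(value: Any) -> tuple[bool, str]:
    """Return (passes, reason) for one fleet's idle disconnect timeout.

    None models an omitted argument: the AWS default is 0, which disables the
    timeout, so it is treated exactly like an explicit 0.
    """
    if value is None or value == 0:
        return False, "idle disconnect disabled (value 0 or not set)"
    if not isinstance(value, int) or value < 0:
        return False, f"invalid value {value!r}"
    if value < MIN_SECONDS:
        return False, f"{value}s is below the {MIN_SECONDS}s minimum"
    if value > MAX_SECONDS:
        return False, f"{value}s exceeds the {MAX_SECONDS}s cap"
    return True, f"{value}s is within {MIN_SECONDS}..{MAX_SECONDS}s"


def check_terraform_plan(plan_json: str) -> dict[str, tuple[bool, str]]:
    """Walk `terraform show -json` output and evaluate every aws_appstream_fleet.

    Keyed by resource address so a failing fleet can be located in the code.
    """
    plan = json.loads(plan_json)
    results: dict[str, tuple[bool, str]] = {}
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:  # child modules nest under "child_modules"
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") == "aws_appstream_fleet":
                values = res.get("values", {}) or {}
                results[res["address"]] = evaluate_timeout(
                    values.get("idle_disconnect_timeout_in_seconds"))
        stack.extend(module.get("child_modules", []))
    return results


def check_describe_fleets(cli_json: str) -> dict[str, tuple[bool, str]]:
    """Evaluate `aws appstream describe-fleets` output, keyed by fleet name."""
    fleets = json.loads(cli_json).get("Fleets", [])
    return {f["Name"]: evaluate_timeout(f.get("IdleDisconnectTimeoutInSeconds"))
            for f in fleets}


# Constructed sample: shape of `terraform show -json tfplan` for two fleets.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_appstream_fleet.kiosk", "type": "aws_appstream_fleet",
     "values": {"name": "kiosk", "idle_disconnect_timeout_in_seconds": 600}},
    {"address": "aws_appstream_fleet.legacy", "type": "aws_appstream_fleet",
     "values": {"name": "legacy"}},  # argument omitted -> AWS default 0
]}}})

# Constructed sample: shape of `aws appstream describe-fleets`.
SAMPLE_DESCRIBE = json.dumps({"Fleets": [
    {"Name": "kiosk", "IdleDisconnectTimeoutInSeconds": 600},
    {"Name": "analysts", "IdleDisconnectTimeoutInSeconds": 900},
    {"Name": "legacy", "IdleDisconnectTimeoutInSeconds": 0},
]})

if __name__ == "__main__":
    for label, results in (("plan", check_terraform_plan(SAMPLE_PLAN)),
                           ("deployed", check_describe_fleets(SAMPLE_DESCRIBE))):
        for fleet, (ok, reason) in results.items():
            print(f"[{label}] {fleet}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Run it against real output with `terraform show -json tfplan > plan.json` or `aws appstream describe-fleets > fleets.json` and pass the file contents to the matching function; keeping the result per fleet name or address gives the auditor a line item for every fleet in scope rather than a single aggregate.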

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: appstream_fleet_idle_disconnect_timeout_600_seconds

  • Powerpipe Control: aws_compliance.control.appstream_fleet_idle_disconnect_timeout_600_seconds

  • Prowler Check: appstream_fleet_session_idle_disconnect_timeout

Last reviewed: 2026-03-08