AppStream fleets should have session disconnect timeout set to 5 minutes or less
An abandoned AppStream session is both a billing problem and a security problem. The instance keeps running, charges accrue, and any authenticated context (open applications, cached credentials, clipboard data) persists in memory. Until the disconnect timeout expires, the session can be resumed from the same endpoint or browser session without re-authenticating, so anyone who reaches an unattended device in that window inherits the user's context.
Setting the disconnect timeout to 5 minutes (300 seconds) or less bounds that window. Users who lose connectivity briefly still have time to rejoin, but a session that nobody comes back to is torn down before it becomes a target.
Retrofit consideration
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_appstream_fleet.
    resource "aws_appstream_fleet" "this" {
      compute_capacity {
        desired_instances = 1
      }
      # Seconds a disconnected session stays reconnectable.
      # Must be set explicitly and lie in 60..300 to satisfy this control.
      disconnect_timeout_in_seconds      = 300
      fleet_type                         = "ON_DEMAND"
      # Separate knob: seconds of inactivity before a connected user is disconnected.
      idle_disconnect_timeout_in_seconds = 600
      image_name                         = "AppStream-AmazonLinux2-02-11-2025"
      instance_type                      = "stream.standard.small"
      max_user_duration_in_seconds       = 28800
      name                               = "pofix-abc123"
    }

What this control checks
The control validates the aws_appstream_fleet resource. disconnect_timeout_in_seconds must be 300 or less. Any value above 300 fails. If the argument is omitted, AWS applies its service default of 900 seconds (15 minutes), which also fails. To pass, set disconnect_timeout_in_seconds explicitly to a value between 60 (the AWS minimum; the maximum AWS accepts is 36000) and 300 inclusive.
Common pitfalls
Default value silently fails
Omitting disconnect_timeout_in_seconds from aws_appstream_fleet does not default to a safe value. AWS applies its service default of 900 seconds, the control fails, and because the attribute is computed the omission is invisible in the Terraform source. Set the argument explicitly.
Confusing disconnect with idle timeout
AppStream also exposes idle_disconnect_timeout_in_seconds, which governs how long an idle but still-connected session runs before AppStream disconnects it (0 disables idle disconnection). That is a separate argument from disconnect_timeout_in_seconds, which controls how long the session survives after the disconnection and remains reconnectable. The two stack: an unattended session lives for the idle timeout, then the disconnect timeout, before it is reclaimed. Setting only the idle timeout looks tidy in Terraform but will not satisfy this control.
Fleet updates may require stop/start
Some aws_appstream_fleet attribute changes (instance type, for example) require the fleet to be stopped, which ends every active session on it. AWS allows the disconnect and idle timeouts themselves to be updated on a running fleet, and the new values apply to sessions started afterwards, but check the plan before applying: if the same change also touches an attribute that forces a stop, schedule it in a maintenance window.
Audit evidence
An auditor expects Config rule evaluation results or a compliance scan confirming all AppStream fleets have a disconnect timeout at or below 300 seconds. The AppStream 2.0 fleet details page in the AWS Console shows the "Disconnect timeout" value directly. AWS CLI output from aws appstream describe-fleets showing DisconnectTimeoutInSeconds for each fleet works as programmatic evidence.
For ongoing assurance, a recurring Config conformance pack or Cloud Custodian policy that flags non-compliant fleets shows continuous enforcement, not just a point-in-time snapshot.
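The following script, added here as an example and not part of the original page or of the Compliance.tf, Powerpipe or Prowler implementations, applies the control's logic to the JSON that `aws appstream describe-fleets` prints. It treats a missing DisconnectTimeoutInSeconds as a failure (the AWS default applies), flags values above 300, and also reports the combined idle-plus-disconnect window discussed under the pitfalls above so the evidence shows the real exposure window. The fleet names and values in SAMPLE_DESCRIBE_FLEETS are constructed for this example; in practice you would feed it the CLI output.

```python
import json

# Bounds involved: AWS accepts 60..36000 seconds for DisconnectTimeoutInSeconds
# and applies 900 when it is unset; this control requires 300 or less.
AWS_MIN_DISCONNECT_SECONDS = 60
AWS_DEFAULT_DISCONNECT_SECONDS = 900
CONTROL_MAX_DISCONNECT_SECONDS = 300

# Constructed sample in the shape `aws appstream describe-fleets --output json`
# returns. Fleet names and values are made up for this example.
SAMPLE_DESCRIBE_FLEETS = json.dumps({
    "Fleets": [
        {"Name": "kiosk-fleet", "State": "RUNNING",
         "DisconnectTimeoutInSeconds": 300,
         "IdleDisconnectTimeoutInSeconds": 600,
         "MaxUserDurationInSeconds": 28800},
        {"Name": "legacy-fleet", "State": "RUNNING",
         "DisconnectTimeoutInSeconds": 900,
         "IdleDisconnectTimeoutInSeconds": 0,
         "MaxUserDurationInSeconds": 57600},
        {"Name": "unset-fleet", "State": "STOPPED",
         "MaxUserDurationInSeconds": 57600},
    ]
})


def evaluate_fleet(fleet):
    """Evaluate one fleet entry against the 300-second disconnect control.

    Returns a finding dict with 'status' (PASS or FAIL), a human-readable
    'reason', and 'unattended_window_seconds': the longest an untouched
    session stays reconnectable without re-authentication, i.e. idle
    disconnect timeout plus disconnect timeout. It is None when idle
    disconnection is disabled (0), in which case only the max user duration
    bounds the session.
    """
    name = fleet.get("Name", "<unnamed>")
    timeout = fleet.get("DisconnectTimeoutInSeconds")
    idle = fleet.get("IdleDisconnectTimeoutInSeconds", 0)

    if timeout is None:
        status = "FAIL"
        reason = ("DisconnectTimeoutInSeconds not set; AWS default of "
                  f"{AWS_DEFAULT_DISCONNECT_SECONDS}s applies")
    elif timeout < AWS_MIN_DISCONNECT_SECONDS:
        status = "FAIL"
        reason = f"{timeout}s is below the AWS minimum of {AWS_MIN_DISCONNECT_SECONDS}s"
    elif timeout > CONTROL_MAX_DISCONNECT_SECONDS:
        status = "FAIL"
        reason = f"{timeout}s exceeds the {CONTROL_MAX_DISCONNECT_SECONDS}s limit"
    else:
        status = "PASS"
        reason = (f"{timeout}s is within {AWS_MIN_DISCONNECT_SECONDS}.."
                  f"{CONTROL_MAX_DISCONNECT_SECONDS}s")

    window = idle + timeout if (timeout is not None and idle > 0) else None
    return {
        "fleet": name,
        "status": status,
        "reason": reason,
        "disconnect_timeout": timeout,
        "idle_disconnect_timeout": idle,
        "unattended_window_seconds": window,
    }


def evaluate_fleets(describe_fleets_json):
    """Evaluate every fleet in a describe-fleets JSON document."""
    payload = json.loads(describe_fleets_json)
    return [evaluate_fleet(fleet) for fleet in payload.get("Fleets", [])]


def noncompliant_fleets(describe_fleets_json):
    """Names of fleets that fail the control, for an evidence report."""
    return [f["fleet"] for f in evaluate_fleets(describe_fleets_json)
            if f["status"] != "PASS"]


if __name__ == "__main__":
    # Real use: aws appstream describe-fleets --output json > fleets.json
    # and pass open("fleets.json").read() instead of the sample.
    for finding in evaluate_fleets(SAMPLE_DESCRIBE_FLEETS):
        window = finding["unattended_window_seconds"]
        print(f"{finding['fleet']:<13} {finding['status']:<5} "
              f"{finding['reason']} (unattended window: {window})")
```

Run it against a saved describe-fleets dump on a schedule and keep the output alongside the Config or Prowler results; the unattended window column is what an auditor will ask about when a fleet passes with idle disconnection turned off.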
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
- Compliance.tf Control: appstream_fleet_session_disconnect_timeout_300_seconds
- Powerpipe Control: aws_compliance.control.appstream_fleet_session_disconnect_timeout_300_seconds
- Prowler Check: appstream_fleet_session_disconnect_timeout
Last reviewed: 2026-03-09