AppStream fleets enforce a maximum user session duration. This finding evaluates each fleet's configured limit against a threshold (default 10 hours, 36000 seconds) and identifies fleets whose session duration exceeds that limit.
Risk
Overlong sessions widen the window for session hijacking, lateral movement, and data exfiltration if endpoints or tokens are compromised. Reduced reauthentication weakens confidentiality and integrity, and extended access can increase costs and resource contention.
prowler aws --checks appstream_fleet_maximum_session_duration
Recommendation
Configure the maximum session duration to 10 hours (e.g., 600 minutes) or less, based on data sensitivity. Prefer shorter limits, enforce reauthentication on renewal, apply least privilege, and enable idle timeouts. Monitor session activity as part of defense in depth.
Remediation
aws appstream update-fleet --name <example_resource_name> --max-user-duration-in-seconds 3600
- Open the AWS Console and go to Amazon AppStream 2.0
- Click Fleets and select <example_resource_name>
- Click Edit
- Set Maximum session duration to a value under 10 hours (e.g., 3600 seconds)
- Save changes
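The threshold comparison described above can also be run over the JSON returned by `aws appstream describe-fleets`, for example to review many fleets at once. This is an added example, not Prowler's own code: the function names `audit_fleets` and `remediation_command` are hypothetical, the fleet names and values are constructed, and reporting a missing duration as a failure is an assumption of this example.

```python
import json
import shlex

THRESHOLD_SECONDS = 36000  # the finding's default limit: 10 hours

# Constructed sample in the shape of `aws appstream describe-fleets` output.
SAMPLE_RESPONSE = json.loads("""
{"Fleets": [
  {"Name": "finance-desktops", "MaxUserDurationInSeconds": 57600,
   "IdleDisconnectTimeoutInSeconds": 0},
  {"Name": "kiosk-fleet", "MaxUserDurationInSeconds": 3600,
   "IdleDisconnectTimeoutInSeconds": 900},
  {"Name": "dev-fleet", "MaxUserDurationInSeconds": 36000,
   "IdleDisconnectTimeoutInSeconds": 0}
]}
""")


def audit_fleets(response, threshold=THRESHOLD_SECONDS):
    """Return one finding per fleet; FAIL when the session limit exceeds threshold."""
    findings = []
    for fleet in response.get("Fleets", []):
        duration = fleet.get("MaxUserDurationInSeconds")
        # Assumption: a missing value cannot be shown compliant, so it is a FAIL.
        failed = duration is None or duration > threshold
        findings.append({
            "name": fleet["Name"],
            "status": "FAIL" if failed else "PASS",
            "max_session_seconds": duration,
            # 0 disables the idle disconnect that the recommendation asks for.
            "idle_timeout_enabled": fleet.get("IdleDisconnectTimeoutInSeconds", 0) > 0,
        })
    return findings


def remediation_command(name, seconds=3600):
    """Build the update-fleet command from the Remediation section for one fleet."""
    return (f"aws appstream update-fleet --name {shlex.quote(name)} "
            f"--max-user-duration-in-seconds {seconds}")


if __name__ == "__main__":
    for f in audit_fleets(SAMPLE_RESPONSE):
        print(f"{f['status']}  {f['name']}  max={f['max_session_seconds']}s  "
              f"idle_timeout={'on' if f['idle_timeout_enabled'] else 'off'}")
        if f["status"] == "FAIL":
            print("  fix:", remediation_command(f["name"]))
```

To audit a real account, replace `SAMPLE_RESPONSE` with the parsed output of `aws appstream describe-fleets`.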
Resource Type
Other