Profile Applicability:
- Level 1
Description:
Amazon AppStream 2.0 is a fully managed application streaming service that allows organizations to deliver desktop applications to any computer or mobile device without having to manage infrastructure. When configuring AppStream fleets, you have the option to control the level of internet access granted to the fleet streaming instances.
By default, AppStream instances may be configured to have internet access. To ensure better security, especially for applications that should not have unrestricted access to the internet, it is recommended to disable default internet access for your AppStream fleet streaming instances. This helps ensure that instances are restricted to internal network resources and reduces the attack surface.
Rationale:
Security: Disabling default internet access for AppStream instances limits exposure to the internet, reducing the risk of external threats accessing internal resources.
Compliance: For certain compliance standards (e.g., SOC 2, PCI-DSS, HIPAA), restricting internet access for internal systems and applications may be a required security measure.
Control: Restricting internet access provides better control over network traffic, ensuring that all communications remain within the internal network or specified endpoints.
Impact:
Pros:
Reduced Exposure: By limiting internet access, you mitigate the risks associated with unnecessary external communications, such as malware, data leakage, or unauthorized access.
Better Control: Enhances the security posture by ensuring that AppStream instances cannot connect to the internet unless explicitly required.
Enhanced Security: Helps enforce network segmentation and restricts AppStream instances to only communicate with trusted resources or services within your internal network.
Cons:
Limited Functionality: Certain applications or services that require internet access (e.g., for updates, external resources) may face connectivity issues if internet access is disabled.
Operational Overhead: Without default internet access, any resource the applications still need (internal repositories, update servers, approved external endpoints) must be reachable through the VPC, for example via a NAT gateway or VPC endpoints, which adds configuration and maintenance effort.
Default Value:
By default, Amazon AppStream instances are configured to allow internet access unless explicitly disabled during fleet configuration.
Pre-requisite:
AWS IAM Permissions:
appstream:DescribeFleets
appstream:UpdateFleet
AWS CLI installed and configured.
A pre-existing AppStream fleet configured or planned for modification.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon AppStream 2.0 under Services.
In the AppStream Dashboard, go to Fleets and select the fleet whose internet access you want to verify.
In the Fleet Details section, look for the Internet Access setting.
If Internet Access is enabled, the box will be checked. If it is disabled, the box will remain unchecked.
If the box is checked, click Modify.
In the Modify Fleet window, uncheck the Internet Access box to disable internet access for the streaming instances.
Click Update Fleet to apply the changes.
Using AWS CLI:
To check if internet access is enabled for an AppStream fleet, run:
aws appstream describe-fleets --query 'Fleets[*].{FleetName:Name, DefaultInternetAccess:EnableDefaultInternetAccess}'
Review the output to verify whether internet access is enabled or disabled.
To disable default internet access for the fleet, run:
aws appstream update-fleet --name <fleet-name> --no-enable-default-internet-access
Verify the changes by running the describe-fleets command again.
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon AppStream 2.0.
In the AppStream Dashboard, select Fleets and choose the fleet you want to modify.
Click Modify on the selected fleet.
Uncheck the Internet Access box under Network settings.
Save the changes and ensure that the fleet streaming instances now have no internet access by default.
Using AWS CLI:
To disable internet access for a fleet, run the following CLI command:
aws appstream update-fleet --name <fleet-name> --no-enable-default-internet-access
Verify the changes:
aws appstream describe-fleets --query 'Fleets[*].{FleetName:Name, DefaultInternetAccess:EnableDefaultInternetAccess}'
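The following script is an added example for this recommendation; it is not part of the benchmark text or of any AWS tooling. It implements the CLI check from the Test Plan and the remediation from the Implementation Steps in one place: it reads a describe-fleets response, lists every fleet whose EnableDefaultInternetAccess is true, and prints the exact update-fleet command for each. Because UpdateFleet only accepts a change to EnableDefaultInternetAccess while the fleet is in the STOPPED state, the script wraps the update in stop-fleet and start-fleet for a running fleet. The function names (noncompliant_fleets, remediation_commands, live_fleets), the SAMPLE_RESPONSE data, the fleet names and the region value are assumptions made for the example; SAMPLE_RESPONSE is constructed to mirror the shape of a real describe-fleets response so the audit logic runs offline.

```python
"""Audit AppStream 2.0 fleets for Default Internet Access and emit remediation commands.

Added example for this benchmark item, not code from AWS or from the benchmark.
The audit logic works on the JSON that `aws appstream describe-fleets --output json`
prints, so it runs offline against the constructed sample below; live_fleets()
fetches real data and assumes the AWS CLI is on PATH with appstream:DescribeFleets.
"""
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of a describe-fleets response (not real fleets).
SAMPLE_RESPONSE = {
    "Fleets": [
        {"Name": "finance-apps", "State": "RUNNING", "FleetType": "ALWAYS_ON",
         "EnableDefaultInternetAccess": True,
         "VpcConfig": {"SubnetIds": ["subnet-aaaa0001"], "SecurityGroupIds": ["sg-0001"]}},
        {"Name": "hr-apps", "State": "STOPPED", "FleetType": "ON_DEMAND",
         "EnableDefaultInternetAccess": True,
         "VpcConfig": {"SubnetIds": ["subnet-bbbb0002"], "SecurityGroupIds": ["sg-0002"]}},
        {"Name": "dev-sandbox", "State": "RUNNING", "FleetType": "ELASTIC",
         "EnableDefaultInternetAccess": False,
         "VpcConfig": {"SubnetIds": ["subnet-cccc0003"], "SecurityGroupIds": ["sg-0003"]}},
    ]
}


def noncompliant_fleets(response: Dict) -> List[Dict]:
    """Return the fleet records whose streaming instances get default internet access.

    Only an explicit JSON true counts as a finding: the API returns the attribute
    for every fleet, so a missing key means the record is not a fleet at all.
    """
    return [f for f in response.get("Fleets", [])
            if f.get("EnableDefaultInternetAccess") is True]


def remediation_commands(fleet: Dict, region: str) -> List[str]:
    """Build the CLI sequence that turns default internet access off for one fleet.

    UpdateFleet rejects a change to EnableDefaultInternetAccess unless the fleet
    is STOPPED, so a running fleet is stopped first and started again afterwards.
    Stopping a fleet ends active streaming sessions, so schedule this accordingly.
    """
    name = fleet["Name"]
    needs_stop = fleet.get("State") != "STOPPED"
    cmds: List[str] = []
    if needs_stop:
        cmds.append(f"aws appstream stop-fleet --name {name} --region {region}")
    cmds.append(f"aws appstream update-fleet --name {name} --region {region}"
                " --no-enable-default-internet-access")
    if needs_stop:
        cmds.append(f"aws appstream start-fleet --name {name} --region {region}")
    return cmds


def live_fleets(region: str) -> Dict:
    """Fetch the real describe-fleets response for a region via the AWS CLI."""
    out = subprocess.run(
        ["aws", "appstream", "describe-fleets", "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    region = "us-east-1"  # placeholder region for the sample run
    findings = noncompliant_fleets(SAMPLE_RESPONSE)  # swap in live_fleets(region) for a real audit
    for fleet in findings:
        print(f"FAIL {fleet['Name']} ({fleet['State']}): EnableDefaultInternetAccess=true")
        for cmd in remediation_commands(fleet, region):
            print("  " + cmd)
    if not findings:
        print("PASS: no fleet has default internet access enabled")
```

The script only prints the remediation commands rather than executing them, so the stop/start of a production fleet stays a deliberate human step; rerun the audit afterwards and the fleet should no longer appear in the findings.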
Backout Plan:
Using AWS Console:
If disabling internet access for the fleet causes issues, sign in to the AWS Management Console.
Navigate to Amazon AppStream 2.0, select the fleet, and go to Network Settings.
Re-enable Default Internet Access by checking the option.
Save the changes and verify that internet access is now re-enabled for the fleet.
Using AWS CLI:
To revert the internet access setting, run:
aws appstream update-fleet --name <FLEET_NAME> --enable-default-internet-access --region <REGION>
Verify that internet access has been re-enabled:
aws appstream describe-fleets --names <FLEET_NAME> --region <REGION> --query 'Fleets[*].{FleetName:Name, DefaultInternetAccess:EnableDefaultInternetAccess}'