Video: J1 Query to Expose (Un)approved AMIs


This is one in a series of short, simple J1 queries that will help you interrogate your AWS environments. The JupiterOne platform used to run these queries is free.

In this J1 Query, Akash shows you how to analyze your AWS environment for the usage of approved (and unapproved) AMIs. It is a common use case to make sure the image used for your Amazon host is company approved. There is also another scenario, which we’ll inspect in detail, which explores the possibility of using an AMI that is unknown to your business.

Here’s the query you can use to cut-and-paste into your J1 instance. Watch JuptierOne technical expert, Akash Ganapathi, walk through the example query and then display the results in real time. If you find this useful, give us some contact info at the bottom of this page and we’ll send you twice a month updates as we continue to explore various environments with JupiterOne.

Cut-and-Paste Query

FIND (aws_instance|docker_container|server) AS host 
     THAT USES Image with approved!=true and tag.Approved!=true as image 
     host._type, host.displayName, host.tag.AccountName, 
     image._type, image.displayName



Contribute your J1 Query to the Community

We will frequently be adding cut-and-paste J1 queries to our gallery. Join the community and every two weeks we’ll send you a list of new queries. You can contribute your own queries for inclusion and examination in an upcoming article. Use the form below to join us.


Posted By Akash Ganapathi

Akash Ganapathi comes from an enterprise security, data privacy, and data analysis background, working exclusively in the B2B software solutions space throughout his career. He is currently a Principal Security Solutions Architect at JupiterOne.

To hear more from Akash, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.


cyber-security 1

Ad Title Placeholder

Lorem ipsum dolor sit amet, consectetur adipiscing elit.