
fix(attack-paths): correct aws-security-groups-open-internet-facing query#9892

Merged
andoniaf merged 2 commits into master from
PROWLER-875-attack-path-query-identify-internet-facing-resources-with-open-security-groups-returns-no-results
Jan 27, 2026

Conversation


@andoniaf andoniaf commented Jan 27, 2026

Context

The Attack Path query "Identify internet-facing resources with open security groups" was returning no results while "Identify internet-exposed EC2 instances" correctly identified EC2 instances with open security groups.

Description

The query was broken due to:

  1. Wrong WHERE clause placement: WHERE open.scheme = 'internet-facing' was placed after an OPTIONAL MATCH for DNS records, making it ineffective
  2. Wrong property check: scheme = 'internet-facing' is for Load Balancers, not EC2 instances (which use exposed_internet = true)
  3. Explicit relationship types: Used specific relationship types that didn't match Cartography's schema

Fixed by simplifying the query to use implicit relationships like other working queries in the same file.

Steps to review

  1. Compare with the working aws-ec2-instances-internet-exposed query pattern
  2. Verify the fix matches the Cartography Neo4j schema for EC2SecurityGroup relationships
  3. Test with an EC2 instance that has exposed_internet = true and a security group allowing 0.0.0.0/0

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No

UI

  • N/A (API-only change)

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

…uery

The query was returning no results due to:
- Wrong WHERE clause placement after OPTIONAL MATCH
- Using 'scheme' property (for LBs) instead of 'exposed_internet' (for EC2)
- Explicit relationship types that didn't match Cartography schema

Simplified to use implicit relationships like other working queries.
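The Cypher semantics behind defect 1 in the description and in the commit message above, as an added illustration that is not the PR's own query: a `WHERE` binds to the clause immediately before it, so a `WHERE` written after `OPTIONAL MATCH` only restricts the optional pattern and keeps every row produced by the mandatory `MATCH` (the optional variable is simply null when the predicate fails). Only `EC2SecurityGroup`, `exposed_internet`, `scheme` and `0.0.0.0/0` come from the PR text; the labels `EC2Instance`, `IpPermissionInbound`, `IpRange` and `DNSRecord`, the relationship types `MEMBER_OF_EC2_SECURITY_GROUP`, `MEMBER_OF_IP_RULE` and `DNS_POINTS_TO`, and the properties `range`, `instanceid`, `groupid` and `name` are assumptions modelled on Cartography's schema, and the `::/0` range goes beyond the page, which mentions only the IPv4 catch-all.

```cypher
// Broken shape (illustration of the defects the PR describes; labels, relationship
// types and property names below are assumptions, not the PR's actual query).
//   - The WHERE belongs to the OPTIONAL MATCH, not to the MATCH above it, so it can
//     never drop an instance row; it only decides whether `dns` is bound or null.
//   - `scheme` is a Load Balancer property and is null on EC2 instances, so the
//     predicate is never true for them anyway.
//   - Spelling out relationship types means one name that differs from what the
//     ingestion actually wrote makes the whole pattern match nothing (zero results).
MATCH (i:EC2Instance)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)
      <-[:MEMBER_OF_EC2_SECURITY_GROUP]-(perm:IpPermissionInbound)
      <-[:MEMBER_OF_IP_RULE]-(r:IpRange)
OPTIONAL MATCH (i)<-[:DNS_POINTS_TO]-(dns:DNSRecord)
WHERE i.scheme = 'internet-facing' AND r.range = '0.0.0.0/0'
RETURN i.instanceid AS instance, sg.groupid AS security_group,
       collect(dns.name) AS dns_names;

// Corrected shape, following the approach the PR describes: implicit relationships
// (so the query does not depend on exact type names), the EC2 exposure flag instead
// of the LB `scheme`, and the filter attached to the mandatory MATCH. The OPTIONAL
// MATCH comes afterwards and only enriches rows that already passed the filter.
MATCH (i:EC2Instance)--(sg:EC2SecurityGroup)--(perm:IpPermissionInbound)--(r:IpRange)
WHERE i.exposed_internet = true
  AND r.range IN ['0.0.0.0/0', '::/0']   // '::/0' added here for the IPv6 catch-all
OPTIONAL MATCH (i)--(dns:DNSRecord)
RETURN i.instanceid AS instance, sg.groupid AS security_group,
       collect(DISTINCT r.range) AS open_ranges,
       collect(DISTINCT dns.name) AS dns_names;   // [] when no DNS record points at it
```

For review step 3, a graph containing one instance with `exposed_internet = true` and a group rule for `0.0.0.0/0` should return exactly one row from the corrected query and none from the broken one; prefixing either statement with `PROFILE` shows which pattern the `Filter` operator is applied to, which is the quickest way to confirm where a `WHERE` actually binds.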

github-actions bot commented Jan 27, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

…ernet-facing-resources-with-open-security-groups-returns-no-results
@andoniaf andoniaf requested a review from a team as a code owner January 27, 2026 08:31

github-actions bot commented Jan 27, 2026

✅ All necessary CHANGELOG.md files have been updated.

@andoniaf andoniaf added the backport-to-v5.17 Backport PR to the v5.17 branch label Jan 27, 2026

github-actions bot commented Jan 27, 2026

🔒 Container Security Scan

Image: prowler-api:36e1082
Last scan: 2026-01-27 08:39:58 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 11
Total 11

10 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable



codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.15%. Comparing base (3d6aa6c) to head (a021284).
⚠️ Report is 10 commits behind head on master.

@@            Coverage Diff             @@
##           master    #9892      +/-   ##
==========================================
+ Coverage   88.71%   92.15%   +3.44%     
==========================================
  Files          95      181      +86     
  Lines        3597    25183   +21586     
==========================================
+ Hits         3191    23208   +20017     
- Misses        406     1975    +1569     
Flag Coverage Δ
api 92.15% <ø> (?)
prowler-py3.10-m365 ?
prowler-py3.11-m365 ?
prowler-py3.12-m365 ?
prowler-py3.9-m365 ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler ∅ <ø> (∅)
api 92.15% <ø> (∅)


@josema-xyz josema-xyz left a comment


🥅

@andoniaf andoniaf merged commit 727fafb into master Jan 27, 2026
38 checks passed
@andoniaf andoniaf deleted the PROWLER-875-attack-path-query-identify-internet-facing-resources-with-open-security-groups-returns-no-results branch January 27, 2026 13:20
@prowler-bot prowler-bot added the was-backported The PR was successfully backported to the target branch label Jan 27, 2026
@prowler-bot

💚 All backports created successfully

Status Branch Result
v5.17

Questions?

Please refer to the Backport tool documentation and see the Github Action logs for details


Labels

backport-to-v5.17 Backport PR to the v5.17 branch component/api was-backported The PR was successfully backported to the target branch
