Open ajkerrigan opened 1 year ago
I do not know if it's a good idea, but what if we reuse the aws.cloudtrail.event-selectors in other places? I haven't found any similar examples in the code, so maybe it's not the best way to do this.

For example in aws.account.check-cloudtrail, the part with the include-management-events check can be rewritten from this:
https://github.com/cloud-custodian/cloud-custodian/blob/07c86ff215d9bc7a06687e9a3528ec659b0e5b80/c7n/resources/account.py#L289-L297
the following way:
# EventSelectors is the class behind the aws.cloudtrail.event-selectors filter
# (assumed to be imported from c7n.resources.cloudtrail at module level).
if self.data.get('include-management-events'):
    matched = []
    for t in list(trails):
        # Match trails whose advanced selectors capture Management events without a
        # readOnly restriction, or whose basic selectors include management events for All calls.
        data = {
            'key': "AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && "
                   "Equals[?contains(@, 'Management')==`true`]] && "
                   "!(FieldSelectors[?Field=='readOnly'])] || "
                   "EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']",
            'value_type': 'size',
            'op': 'gt',
            'value': 0
        }
        # Evaluate the filter against this trail only, not the whole list,
        # otherwise every trail is kept as soon as any single trail matches.
        if len(EventSelectors(data, self.manager).process([t])) > 0:
            matched.append(t)
    trails = matched
Describe the feature

There are a few places where we look at CloudTrail event selectors:

aws.s3.filters.data-events
aws.account.check-cloudtrail
aws.cloudtrail.event-selectors

It looks like the last of those is flexible enough to consider advanced selectors, but the first two only look at basic selector properties (that is, the EventSelectors key rather than AdvancedEventSelectors). It's not clear to me how much we should try to support the full range of advanced event selectors in all places versus recommending the aws.cloudtrail.event-selectors filter to cover that case.

Extra information or context

No response
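The following is an added example, not cloud-custodian code, showing the same management-event check as the JMESPath expression in the comment above and the EventSelectors versus AdvancedEventSelectors distinction in the issue body, written in plain Python over constructed trail records so it can be run offline. The trail dictionaries and the function names are assumptions made for the example.

```python
# Added example, not cloud-custodian code: a plain-Python equivalent of the
# JMESPath check quoted in the comment above, covering both the
# AdvancedEventSelectors and the basic EventSelectors shapes.
# Sample trails are constructed, not captured from AWS.

def advanced_selector_covers_management(selector):
    # Management events selected, and no readOnly field restricting to read or write only
    fields = selector.get("FieldSelectors", [])
    is_management = any(f.get("Field") == "eventCategory"
                        and "Management" in f.get("Equals", []) for f in fields)
    has_read_only = any(f.get("Field") == "readOnly" for f in fields)
    return is_management and not has_read_only

def basic_selector_covers_management(selector):
    # Basic selectors must include management events for both reads and writes
    return (selector.get("IncludeManagementEvents") is True
            and selector.get("ReadWriteType") == "All")

def trail_logs_all_management_events(trail):
    # Mirrors "AdvancedEventSelectors[...] || EventSelectors[...]": either list
    # must contain at least one qualifying selector (an empty result falls through)
    advanced = trail.get("AdvancedEventSelectors") or []
    basic = trail.get("EventSelectors") or []
    return (any(advanced_selector_covers_management(s) for s in advanced)
            or any(basic_selector_covers_management(s) for s in basic))

# Constructed sample trails; the shape follows CloudTrail GetEventSelectors output
SAMPLE_TRAILS = {
    "advanced-full": {"AdvancedEventSelectors": [{"FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}]}]},
    "advanced-read-only": {"AdvancedEventSelectors": [{"FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]},
        {"Field": "readOnly", "Equals": ["true"]}]}]},
    "basic-all": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "basic-write-only": {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    "data-only": {"AdvancedEventSelectors": [{"FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]}]}]},
}

def trails_missing_management_events(trails=SAMPLE_TRAILS):
    # Names of trails a check-cloudtrail style policy would flag
    return sorted(name for name, trail in trails.items()
                  if not trail_logs_all_management_events(trail))

if __name__ == "__main__":
    print(trails_missing_management_events())
```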