Bug Description
The advanced event selector "No Log Archive Buckets" of the organizational trail "aws-aft-CustomizationsCloudTrail" is configured in a way that does not exclude data events from all AFT and Control Tower S3 buckets in the Log Archive account.
The selector uses an incorrect operator for this data event type and tries to match the S3 bucket ARN with RegEx which is not allowed.
To Reproduce
1. Go to the Log Archive account and open the "aws-aft-logs-..." bucket.
2. Navigate to the CloudTrail logs of the Log Archive account (e.g. AWSLogs/<org-id>/<log-archive-account-id>/CloudTrail/eu-central-1/2024/11/28/).
3. Download and unzip any of the logs.
4. Search for "PutObject" and observe all the data events of CloudTrail writing objects into AFT or CT S3 buckets.
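The last reproduction step, searching an unzipped log for PutObject data events into AFT/CT buckets, can be scripted so the check is repeatable before and after a selector change. The script below is an added example, not code from the AFT project or the issue author. The sample records are constructed to mirror the shape of real CloudTrail S3 data events; the org id, account ids and bucket names are placeholders, and the bucket-name prefixes it looks for are an assumption about how the AFT and Control Tower log buckets are named.

```python
"""Scan a CloudTrail log file for S3 PutObject data events that landed in
AFT or Control Tower log buckets.

Added example, not AFT project code. SAMPLE_RECORDS is constructed; the
org id, account ids and bucket names are placeholders.
"""
import gzip
import json
from pathlib import Path

# Assumption: the Log Archive buckets of interest share these name prefixes.
LOG_BUCKET_PREFIXES = ("aws-aft-", "aws-controltower-")

# Constructed sample: one CloudTrail write into the AFT log bucket (the event
# the selector should have excluded), one workload write, one read.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-11-28T10:05:12Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"},
        "resources": [
            {"type": "AWS::S3::Object",
             "ARN": "arn:aws:s3:::aws-aft-logs-EXAMPLE/AWSLogs/o-EXAMPLE/111111111111/"
                    "CloudTrail/eu-central-1/2024/11/28/111111111111_CloudTrail_"
                    "eu-central-1_20241128T1005Z_EXAMPLE.json.gz"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::aws-aft-logs-EXAMPLE",
             "accountId": "111111111111"},
        ],
    },
    {
        "eventTime": "2024-11-28T10:06:40Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "AssumedRole"},
        "resources": [
            {"type": "AWS::S3::Object",
             "ARN": "arn:aws:s3:::workload-bucket-EXAMPLE/reports/q4.csv"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::workload-bucket-EXAMPLE",
             "accountId": "222222222222"},
        ],
    },
    {
        "eventTime": "2024-11-28T10:07:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "AssumedRole"},
        "resources": [
            {"type": "AWS::S3::Object",
             "ARN": "arn:aws:s3:::aws-controltower-logs-EXAMPLE/AWSLogs/o-EXAMPLE/config.json"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::aws-controltower-logs-EXAMPLE",
             "accountId": "111111111111"},
        ],
    },
]


def split_object_arn(arn: str) -> tuple[str, str]:
    """Split "arn:aws:s3:::bucket/key" into (bucket, key)."""
    bucket_and_key = arn.split(":::", 1)[1]
    bucket, _, key = bucket_and_key.partition("/")
    return bucket, key


def find_log_bucket_writes(records, prefixes=LOG_BUCKET_PREFIXES):
    """Return (eventTime, bucket, key) for every PutObject into a matching bucket."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutObject":
            continue
        for res in rec.get("resources", []):
            if res.get("type") != "AWS::S3::Object":
                continue
            bucket, key = split_object_arn(res["ARN"])
            if bucket.startswith(prefixes):
                hits.append((rec["eventTime"], bucket, key))
    return hits


def load_records(path: Path) -> list:
    """Read a CloudTrail log file, gzipped or already unzipped."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    import sys
    # Pass a downloaded log file as the first argument; otherwise the sample runs.
    records = load_records(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for event_time, bucket, key in find_log_bucket_writes(records):
        print(f"{event_time}  {bucket}  {key}")
```

Run against a log downloaded in step 3, an empty result after the selector change is the expected outcome; before the change every CloudTrail delivery into the log buckets shows up as a hit.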
Expected behavior
The CloudTrail should not collect any data events from the 4 AFT and Control Tower S3 buckets in the Log Archive account.
Proposed fix/solution
The AWS documentation states that advanced event selectors which filter S3 objects based on the resources.ARN field should use the StartsWith or NotStartsWith operators instead of Equals/NotEquals, and use the bucket ARN with a trailing slash (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/filtering-data-events.html#filtering-data-events-resourcearn).
Switching the operators from NotEquals to NotStartsWith and removing the * at the end of each log bucket ARN fixes the issue in the advanced event selector.
(Manually tested such a fix in my organization: CloudTrail no longer logs data events from AFT/CT S3 buckets in Log Archive, but keeps collecting data events from the rest of the organization.)
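To make the operator mismatch concrete, the following added example (not code from the AFT project or the issue author) builds the "No Log Archive Buckets" selector in the PutEventSelectors JSON shape in both the reported form and the documented form, then evaluates a PutObject data event against each. Operator semantics are re-implemented as plain string comparisons, which is what the documentation describes: no wildcards and no regular expressions, so a "*" in a value is a literal character. The bucket ARNs, org id and account id are constructed placeholders, and the "/*" suffix on the broken variant is an assumption about what the trailing "*" in the original configuration looked like.

```python
"""Evaluate the "No Log Archive Buckets" selector with NotEquals versus
NotStartsWith on a constructed S3 data event.

Added example, not AFT project code. Operator semantics are modelled as
plain string tests. Bucket ARNs, org id and account id are placeholders;
the "/*" suffix of the broken selector is an assumption.
"""
import json
from typing import Callable

# Constructed placeholder ARNs standing in for the four Log Archive buckets.
LOG_ARCHIVE_BUCKETS = [
    "arn:aws:s3:::aws-aft-logs-EXAMPLE",
    "arn:aws:s3:::aws-aft-s3-access-logs-EXAMPLE",
    "arn:aws:s3:::aws-controltower-logs-EXAMPLE",
    "arn:aws:s3:::aws-controltower-s3-access-logs-EXAMPLE",
]

# Selector operators as plain string tests. "bucket/*" only ever equals the
# literal string "bucket/*", never an object ARN underneath the bucket.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda value, pattern: value == pattern,
    "NotEquals": lambda value, pattern: value != pattern,
    "StartsWith": lambda value, pattern: value.startswith(pattern),
    "NotStartsWith": lambda value, pattern: not value.startswith(pattern),
}


def build_selector(operator: str, suffix: str) -> dict:
    """Return the selector in the PutEventSelectors JSON shape.

    It keeps S3 object-level data events for every bucket except those whose
    object ARN is matched by `operator` against `<bucket ARN><suffix>`.
    """
    return {
        "Name": "No Log Archive Buckets",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "resources.ARN",
             operator: [bucket + suffix for bucket in LOG_ARCHIVE_BUCKETS]},
        ],
    }


def selector_matches(selector: dict, event: dict) -> bool:
    """True if CloudTrail would record `event` under this selector.

    Positive operators match if any listed value matches; negated (Not*)
    operators match only if every listed value is rejected, which is what
    lets a list of bucket ARNs act as an exclusion list.
    """
    for field_selector in selector["FieldSelectors"]:
        value = event.get(field_selector["Field"], "")
        for op_name, patterns in field_selector.items():
            if op_name == "Field":
                continue
            op = OPERATORS[op_name]
            results = [op(value, p) for p in patterns]
            ok = all(results) if op_name.startswith("Not") else any(results)
            if not ok:
                return False
    return True


# The configuration reported in the issue, and the corrected one.
BROKEN_SELECTOR = build_selector("NotEquals", "/*")
FIXED_SELECTOR = build_selector("NotStartsWith", "/")


def would_log_put_object(selector: dict, object_arn: str) -> bool:
    """Evaluate a PutObject data event for `object_arn` against `selector`."""
    return selector_matches(selector, {
        "eventCategory": "Data",
        "resources.type": "AWS::S3::Object",
        "resources.ARN": object_arn,
    })


if __name__ == "__main__":
    # Constructed object ARNs: a CloudTrail log object landing in the Log
    # Archive bucket, and an ordinary workload object elsewhere in the org.
    log_object = ("arn:aws:s3:::aws-aft-logs-EXAMPLE/AWSLogs/o-EXAMPLE/"
                  "111111111111/CloudTrail/eu-central-1/2024/11/28/x.json.gz")
    workload_object = "arn:aws:s3:::workload-bucket-EXAMPLE/data.csv"
    for name, sel in (("broken", BROKEN_SELECTOR), ("fixed", FIXED_SELECTOR)):
        print(name, "| logs log-bucket write:", would_log_put_object(sel, log_object),
              "| logs workload write:", would_log_put_object(sel, workload_object))
    print(json.dumps(FIXED_SELECTOR, indent=2))
```

With NotEquals the log-bucket write is still recorded, because the object ARN never equals the literal "bucket/*" value; with NotStartsWith and the trailing slash it is excluded while writes to any other bucket in the organization are still collected, matching the behaviour the fix above reports.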