cloudtrail mode policies against aws.key-pair cannot resolve resources by ID #7089
ajkerrigan opened this issue Feb 2, 2022 · 0 comments · May be fixed by #7094
Describe the bug

As of custodian 0.9.12.0, CloudTrail mode policies fail to match EC2 key pair resources.

The issue seems to be that when fetching aws.key-pair resources by ID, it filters using key pair name but defines "key-" as an ID prefix.

So with a policy event block like this, event IDs are discarded since they don't have the expected prefix:

    events:
      - source: ec2.amazonaws.com
        event: CreateKeyPair
        ids: "requestParameters.keyName"

And with an event block like this, we pull key pair IDs out of CloudTrail but feed them into a key pair name filter:

    events:
      - source: ec2.amazonaws.com
        event: CreateKeyPair
        ids: "responseElements.keyPairIds"

Two ways I can think to fix this are either remove the id_prefix, or switch the filter_name to KeyPairIds. I think switching the filter_name is a "better" fix, but am not sure if it'll break something I'm not considering.

What did you expect to happen?

I expect a policy that runs in response to a CreateKeyPair event to match the created key.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

Please copy/paste the following info along with any bug reports:

Custodian:   0.9.15
Python:      3.9.7 (default, Sep 30 2021, 13:53:37) 
             [GCC 10.3.0]
Platform:    posix.uname_result(sysname='Linux', nodename='mosa', release='5.14.10-051410-generic', version='#202110071109-Ubuntu SMP Thu Oct 7 14:18:05 UTC 2021', machine='x86_64')
Using venv:  True
Docker: False
Installed: 

PyJWT==1.7.1
PyYAML==6.0
adal==1.2.7
appdirs==1.4.4
applicationinsights==0.11.10
apscheduler==3.8.1
argcomplete==2.0.0
attrs==21.4.0
azure-cli-core==2.19.1
azure-cli-telemetry==1.0.6
azure-common==1.1.27
azure-core==1.21.1
azure-cosmos==3.2.0
azure-cosmosdb-nspkg==2.0.2
azure-cosmosdb-table==1.0.6
azure-functions==1.8.0
azure-graphrbac==0.61.1
azure-keyvault==4.1.0
azure-keyvault-certificates==4.3.0
azure-keyvault-keys==4.4.0
azure-keyvault-secrets==4.3.0
azure-mgmt-apimanagement==1.0.0
azure-mgmt-applicationinsights==1.0.0
azure-mgmt-authorization==1.0.0
azure-mgmt-batch==15.0.0
azure-mgmt-cdn==10.0.0
azure-mgmt-cognitiveservices==11.0.0
azure-mgmt-compute==19.0.0
azure-mgmt-containerinstance==7.0.0
azure-mgmt-containerregistry==8.0.0b1
azure-mgmt-containerservice==15.1.0
azure-mgmt-core==1.3.0
azure-mgmt-cosmosdb==6.4.0
azure-mgmt-costmanagement==1.0.0
azure-mgmt-databricks==1.0.0b1
azure-mgmt-datafactory==1.1.0
azure-mgmt-datalake-nspkg==3.0.1
azure-mgmt-datalake-store==1.0.0
azure-mgmt-dns==8.0.0b1
azure-mgmt-eventgrid==8.0.0
azure-mgmt-eventhub==8.0.0
azure-mgmt-hdinsight==7.0.0
azure-mgmt-iothub==1.0.0
azure-mgmt-keyvault==8.0.0
azure-mgmt-logic==9.0.0
azure-mgmt-managementgroups==1.0.0b1
azure-mgmt-monitor==2.0.0
azure-mgmt-network==17.1.0
azure-mgmt-nspkg==3.0.2
azure-mgmt-policyinsights==1.0.0
azure-mgmt-rdbms==8.1.0
azure-mgmt-redis==12.0.0
azure-mgmt-resource==16.1.0
azure-mgmt-resourcegraph==7.0.0
azure-mgmt-search==8.0.0
azure-mgmt-sql==1.0.0
azure-mgmt-storage==17.1.0
azure-mgmt-subscription==1.0.0
azure-mgmt-web==2.0.0
azure-nspkg==3.0.2
azure-storage-blob==12.9.0
azure-storage-common==2.1.0
azure-storage-file==2.1.0
azure-storage-queue==12.1.6
bcrypt==3.2.0
boto3==1.20.37
botocore==1.23.37
cachetools==4.2.4
certifi==2021.10.8
cffi==1.15.0
chardet==4.0.0
charset-normalizer==2.0.10
click==8.0.3
colorama==0.4.4
cryptography==36.0.1
decorator==5.1.1
distlib==0.3.4
dogpile.cache==1.1.4
google-api-core==2.4.0
google-api-python-client==2.35.0
google-auth==2.3.3
google-auth-httplib2==0.1.0
google-cloud-appengine-logging==1.1.0
google-cloud-audit-log==0.2.0
google-cloud-core==2.2.1
google-cloud-logging==2.7.0
google-cloud-monitoring==2.8.0
google-cloud-storage==1.44.0
google-crc32c==1.3.0
google-resumable-media==2.1.0
googleapis-common-protos==1.54.0
grpc-google-iam-v1==0.12.3
grpcio==1.43.0
httplib2==0.20.2
humanfriendly==9.1
idna==3.3
iso8601==1.0.2
isodate==0.6.1
jmespath==0.10.0
jsonpatch==1.32
jsonpickle==1.3
jsonpointer==2.2
jsonschema==4.4.0
keystoneauth1==4.4.0
knack==0.8.0rc2
kubernetes==10.0.1
mock==4.0.3
msal==1.16.0
msal-extensions==0.3.1
msrest==0.6.21
msrestazure==0.6.4
munch==2.5.0
netaddr==0.7.20
netifaces==0.11.0
oauthlib==3.1.1
openstacksdk==0.52.0
os-service-types==1.7.0
packaging==21.3
paramiko==2.7.2
pbr==5.8.0
pkginfo==1.8.2
portalocker==2.3.2
proto-plus==1.19.8
protobuf==3.19.3
psutil==5.9.0
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.21
pygments==2.11.2
pynacl==1.4.0
pyopenssl==20.0.1
pyparsing==3.0.6
pyrsistent==0.18.1
python-dateutil==2.8.2
pytz==2021.3
pytz-deprecation-shim==0.1.0.post0
pyyaml==6.0
ratelimiter==1.2.0.post0
requests==2.27.1
requests-oauthlib==1.3.0
requestsexceptions==1.4.0
retrying==1.3.3
rsa==4.8
s3transfer==0.5.0
setuptools==57.4.0
six==1.16.0
stevedore==3.5.0
tabulate==0.8.9
typing-extensions==3.10.0.2
tzdata==2021.5
tzlocal==4.1
uritemplate==4.1.1
urllib3==1.26.8
websocket-client==1.2.3

Policy

policies:
  - name: new-key-pair
    resource: aws.key-pair
    mode:
      type: cloudtrail
      role: my-role
      events:
        - source: ec2.amazonaws.com
          event: CreateKeyPair
          ids: "requestParameters.keyName"

Relevant log/traceback output

This started with a question from @cramseyio [in Gitter](https://gitter.im/cloud-custodian/cloud-custodian?at=61fabb5f708e9c3dd75c0bca). Thank you!

Extra information or context

No response
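To make the two failure modes described in the report concrete, the following is an added, self-contained model of the ID-resolution step; it is not Cloud Custodian's own code and does not import c7n. The `ResourceType` fields, the `FILTER_FIELD` mapping, the CloudTrail record and the key pair inventory are all constructed for the example (the sample event uses a singular `keyPairId` response field; the issue's `responseElements.keyPairIds` expression is looked up the same way). It also adds a small consistency lint, `prefix_filter_mismatch`, that flags the reported combination of an ID prefix with a name-based filter.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed CloudTrail record for a CreateKeyPair call (not a real capture).
# The request carries the key name; the response carries both the name and
# the AWS-generated "key-..." identifier.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateKeyPair",
    "requestParameters": {"keyName": "deploy-key"},
    "responseElements": {"keyName": "deploy-key", "keyPairId": "key-0123456789abcdef0"},
}

# Constructed inventory standing in for what ec2:DescribeKeyPairs would return.
INVENTORY: List[Dict[str, str]] = [
    {"KeyName": "deploy-key", "KeyPairId": "key-0123456789abcdef0"},
    {"KeyName": "bastion-key", "KeyPairId": "key-0fedcba9876543210"},
]

# Which DescribeKeyPairs filter matches which record field (assumed mapping).
FILTER_FIELD = {"KeyNames": "KeyName", "KeyPairIds": "KeyPairId"}


@dataclass(frozen=True)
class ResourceType:
    """Hypothetical subset of a resource_type definition: the describe filter
    that resolved IDs are fed into, and an optional prefix every valid ID
    must carry."""
    filter_name: str          # "KeyNames" (names) or "KeyPairIds" (IDs)
    id_prefix: Optional[str]  # e.g. "key-" for AWS-generated key pair IDs


def lookup(record: Dict[str, Any], path: str) -> Any:
    """Minimal dotted-path lookup standing in for the JMESPath `ids` expression."""
    current: Any = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def resolve_event_ids(record: Dict[str, Any], ids_path: str, rtype: ResourceType) -> List[str]:
    """Extract candidate IDs from the event, then drop any lacking id_prefix.
    Assumed to mirror how a prefix is applied in CloudTrail mode."""
    value = lookup(record, ids_path)
    if value is None:
        return []
    ids = list(value) if isinstance(value, list) else [value]
    if rtype.id_prefix:
        ids = [i for i in ids if i.startswith(rtype.id_prefix)]
    return ids


def describe_key_pairs(filter_name: str, values: List[str]) -> List[Dict[str, str]]:
    """Stand-in for DescribeKeyPairs: match the inventory on the field the filter names."""
    field = FILTER_FIELD[filter_name]
    return [kp for kp in INVENTORY if kp[field] in values]


def match_resources(record: Dict[str, Any], ids_path: str, rtype: ResourceType) -> List[Dict[str, str]]:
    """End-to-end: event -> IDs -> describe call, as a CloudTrail-mode policy would do."""
    ids = resolve_event_ids(record, ids_path, rtype)
    return describe_key_pairs(rtype.filter_name, ids) if ids else []


def prefix_filter_mismatch(rtype: ResourceType) -> bool:
    """Lint for the reported inconsistency: requiring an AWS-generated ID prefix
    only makes sense when the filter actually accepts IDs."""
    return bool(rtype.id_prefix) and rtype.filter_name != "KeyPairIds"


# The three configurations discussed in the issue.
REPORTED = ResourceType(filter_name="KeyNames", id_prefix="key-")     # name filter + ID prefix
FIX_BY_ID = ResourceType(filter_name="KeyPairIds", id_prefix="key-")  # switch filter_name
FIX_BY_NAME = ResourceType(filter_name="KeyNames", id_prefix=None)    # drop id_prefix

if __name__ == "__main__":
    for label, rtype in (("reported", REPORTED), ("fix by id", FIX_BY_ID), ("fix by name", FIX_BY_NAME)):
        print(f"{label:12} mismatch={prefix_filter_mismatch(rtype)}")
        for path in ("requestParameters.keyName", "responseElements.keyPairId"):
            print(f"  ids={path:28} -> {match_resources(SAMPLE_EVENT, path, rtype)}")
```

With the reported combination, neither `ids` expression resolves anything: the key name is discarded by the `key-` prefix check, and the generated ID survives the check but is then handed to a name filter. Either fix resolves the created key, provided the policy's `ids` expression is paired with the matching identifier kind.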
