Description
Describe what happened:
We placed s3 bucket for cloudfront logs and forwarder lambda in "log-archive" account (https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/log-archive.html)
and cloudfront distribution in separate "network" account (https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html).
Unfortunately the log forwarder assumes that the lambda and the cloudfront distribution is in the same account when building cloudfront distribution arn.
Proposed solution:
Correct parsing.py to read account id from s3 object key in between / and then fallback to reading lambda arn.
That will allow us to set the account id with prefixes like cloudfront/123456779121/ or AWSLogs/123456779121/cloudfront/