A company has deployed workloads in multiple AWS accounts that are all within a single organization in AWS Organizations. The company is using Amazon CloudWatch Logs to implement a new logging solution. The company runs a workload on Amazon EC2 instances that are in an account within the organization. The company has installed the CloudWatch agent on each workload instance and has configured the agent identically on each instance. The configuration specifies that application logs will be forwarded to CloudWatch Logs. The workload VPC has both public and private subnet tiers. The EC2 instances that are in the public subnets have the frontend-instance-role IAM role attached. The EC2 instances that are in the private subnets have the backend-instance-role IAM role attached. The workload uses VPC endpoints to communicate with various AWS services. Recently, log records from instances that use the frontend-instance-role role stopped appearing in CloudWatch Logs. CloudWatch Logs still receives log files from instances that use the backend-instance-role role.
Which reason explains why the EC2 instances that use the frontend-instance-role stopped sending logs to CloudWatch Logs?
An inline IAM policy that is attached to the frontend-instance-role IAM role has been modified. The logs:PutLogEvents allow action has been removed.
An SCP that includes a logs:PutLogEvents deny statement has been applied to the AWS account.
A CloudWatch monitoring VPC endpoint policy has been updated. A deny statement has been added.
A customer managed IAM policy that is attached to the frontend-instance-role and backend-instance-role IAM roles has been modified. The logs:PutLogEvents allow action has been removed.
I conclude that the answer is:
An inline IAM policy that is attached to the frontend-instance-role IAM role has been modified. The logs:PutLogEvents allow action has been removed.
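As an added illustration (not part of the original question), the following Python models the four candidate changes at the scope where each one actually applies (one role, both roles, every principal in the account, or all traffic through the endpoint) and runs them through a simplified IAM allow/deny evaluation. The policy documents, the baseline (each role gets its logging permission from its own identity policy; SCP and endpoint policy grant full access) and the option letters A to D (the options in page order) are constructed assumptions.

```python
ACTION = "logs:PutLogEvents"
ROLES = ("frontend-instance-role", "backend-instance-role")

# Constructed policy documents standing in for the ones the question describes.
ALLOW_LOGS = {"Statement": [{"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]}]}
ALLOW_NO_PUT = {"Statement": [{"Effect": "Allow", "Action": ["logs:CreateLogStream"]}]}
DENY_PUT = {"Statement": [{"Effect": "Deny", "Action": "logs:PutLogEvents"}]}
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

def matches(action, stmt):
    acts = stmt["Action"]
    acts = [acts] if isinstance(acts, str) else acts
    return any(a in (action, "*") or (a.endswith("*") and action.startswith(a[:-1])) for a in acts)

def layer_allows(action, docs):
    """Simplified IAM logic for one policy layer: an explicit Deny wins, otherwise an Allow is required."""
    allowed = False
    for stmt in (s for doc in docs for s in doc["Statement"]):
        if matches(action, stmt):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def is_allowed(action, identity, scps, endpoint):
    """Identity policies, the account's SCPs and the VPC endpoint policy must each allow the call."""
    return all(layer_allows(action, layer) for layer in (identity, scps, endpoint))

def effective_policies(change, role):
    """Policies in effect for `role` after candidate change A-D (the options in page order).
    Constructed baseline: each role's logging permission comes from its own identity policy;
    the SCP and the endpoint policy grant full access."""
    identity, scps, endpoint = [ALLOW_LOGS], [FULL_ACCESS], [FULL_ACCESS]
    if change == "A" and role == "frontend-instance-role":  # inline policy: scoped to one role
        identity = [ALLOW_NO_PUT]
    elif change == "B":  # SCP: scoped to every principal in the account
        scps = [FULL_ACCESS, DENY_PUT]
    elif change == "C":  # endpoint policy: scoped to all traffic through the endpoint
        endpoint = [FULL_ACCESS, DENY_PUT]
    elif change == "D":  # managed policy attached to both roles
        identity = [ALLOW_NO_PUT]
    return identity, scps, endpoint

def impacted_roles(change):
    return [r for r in ROLES if not is_allowed(ACTION, *effective_policies(change, r))]

def explains_symptom(change):
    """The observation is 'frontend fails, backend still logs', so the impact set must be exactly the frontend role."""
    return impacted_roles(change) == ["frontend-instance-role"]
```

Running `impacted_roles` over "ABCD" shows that B, C and D break both roles, which is why only a change scoped to the frontend role alone fits the observed behaviour.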