Your organization needs to meet audit compliance and hence need to log all the requests sent to 10 buckets that contain confidential information. These will also be periodically used to determine if any requests are being made from outside the organization’s IP address range. Your AWS application team had enabled S3 server access logging through AWS Console for all the buckets into a common logging bucket named s3-server-logging. But after few hours they noticed no logs were being written into the logging bucket. What could be the reason?

Answer options:

A.Bucket user-defined deny policy is not allowing Log Delivery group to write into S3 logging bucket.
B.Bucket public access is not enabled.
C.Write access is disabled for Log Delivery group.
D.Bucket name for server access logging should be “s3-server-access-logging” in order to write the request logs.

Answer: A
Server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits.
For details on logging for S3, refer to documentation here. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview
For option A, S3 buckets would often be restricted using bucket policy with Effect as Deny except for whitelisted IAM resources that would require access.
For detailed information on how to restrict the bucket, refer to documentation here. 
https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
To provide access to the log delivery group, you need to add the following statement to your bucket policy explicitly.
{
"Version": "2012-10-17",
"Statement": [ 
 { Delivery service", 
 "Sid": "Permit access log delivery by AWS ID for Log 
 "Effect": "Allow", 
 "Principal": { 
 "AWS": "arn:aws:iam::858827067514:root" 
}, 
 "Action": "s3:PutObject", 
 "Resource": "arn:aws:s3:::examplebucket/logs/*" 
} 
]
}
Also, make sure the arn “arn:aws:iam::858827067514:root” is whitelisted in the Deny statement of your bucket policy.
For option B, public access is not required to be enabled for writing logs into the S3 bucket. The only access required is PutObject for the Log Delivery group.
For option C, although the log delivery group permission is disabled by default, permission will be granted when the bucket is selected as the target for logging.
https://docs.aws.amazon.com/AmazonS3/latest/dev/enable-logging-console.html
Option D is a false statement.