Level Up Your Future with the Google Cloud Security Engineer Test 2025 – Secure the Cloud, Secure Your Dreams!

To audit new resources created by a compromised service account, checking the Admin Activity logs is the most effective method. Admin Activity logs in Google Cloud capture the administrative actions taken on resources within your Google Cloud project. This includes operations such as the creation, modification, or deletion of resources, which means if a compromised service account is being used to create new resources, those actions will be recorded in the Admin Activity logs.

These logs provide detailed information about who performed the action, the timestamp of the activity, and the type of resource involved. By reviewing these logs, you can trace back the actions taken by the compromised service account and identify any unauthorized or unexpected resource creations.

In contrast, reviewing the Resource Manager primarily provides a view of existing resources and their configurations rather than historical actions taken on them. Cloud DLP logs focus on data loss prevention activities and may not provide direct insights into resource creation by service accounts. Consulting Cloud Function logs would only reveal activities specific to Cloud Functions and not a broader range of resources created by a service account. Therefore, Admin Activity logs are the most comprehensive and suitable choice for auditing resource creation by a compromised service account.