- Domain 3 Overview: What "Designing for Security and Compliance" Actually Means
- How Much of the PCA Exam Domain 3 Represents
- IAM, Resource Hierarchy, and Org Policy
- Data Protection, Encryption, and Key Management
- Network Security Architecture Decisions
- Compliance Requirements Inside the PCA Case Studies
- Security Service Comparison Table
- How Domain 3 Questions Are Actually Written
- A Focused Study Timeline for Domain 3
- Who Hires for This Skill Set
- Frequently Asked Questions
- Domain 3 tests security architecture decisions, not memorized IAM role names or CLI syntax.
- All 4 standard case studies - Altostrat Media, Cymbal Retail, EHR Healthcare, and KnightMotives Automotive - embed compliance constraints you must map to...
- Case-study questions make up about 20-30% of the exam, and many draw directly from Domain 3 material.
- Org Policy, VPC Service Controls, and CMEK/KMS are recurring architecture-choice topics across scenario questions.
Domain 3 Overview: What "Designing for Security and Compliance" Actually Means
Domain 3 of the Professional Cloud Architect exam guide is where Google Cloud tests whether you can translate a business or regulatory requirement into a concrete architecture. It is not a checklist of IAM permissions or a memory test on encryption acronyms - it is a judgment domain. Given a scenario with sensitive data, a regulated industry, or a multi-team organization, can you design access boundaries, network isolation, and data protection that actually satisfy the stated requirement without over-engineering the solution?
If you have already worked through the broader PCA Exam Domains 2026: Complete Guide to All 6 Content Areas, you know Domain 3 sits alongside design (Domain 1), provisioning (Domain 2), and operational domains later in the guide. Security and compliance threads through all of them, but Domain 3 is where it's tested directly and deliberately.
How Much of the PCA Exam Domain 3 Represents
Google does not publish a fixed percentage breakdown per domain for the standard PCA exam, and this article won't invent one. What is documented is the exam's overall shape: 50-60 multiple-choice and multiple-select questions, delivered in a 2-hour window, with case studies (Altostrat Media, Cymbal Retail, EHR Healthcare, and KnightMotives Automotive) contributing roughly 20-30% of the total question count. Because every one of those four case studies includes some form of regulatory, data-residency, or access-control requirement, Domain 3 concepts surface both as standalone questions and as case-study questions layered on top of a specific fictional company's constraints.
This dual exposure is why candidates who treat security as "one domain among six" tend to underestimate it. For a full picture of how Domain 3 relates to exam difficulty overall, see How Hard Is the PCA Exam? Complete Difficulty Guide 2026.
Key Takeaway
Study Domain 3 twice: once as a standalone topic list, and again by re-reading each of the four case studies specifically hunting for security and compliance clauses.
IAM, Resource Hierarchy, and Org Policy
Identity and access management is the backbone of this domain, but the exam rarely asks "which role grants this permission." Instead it asks you to choose between IAM at the project level, folder level, or organization level, and to justify that choice against least-privilege and manageability goals.
Identity and Access Management
Candidates must understand how the resource hierarchy (organization, folder, project, resource) affects policy inheritance and where to apply constraints for the least administrative overhead.
- Predefined vs. custom roles and when each is architecturally justified
- Service account design, impersonation, and workload identity federation
- Org Policy constraints for restricting resource locations, external IP usage, and domain-restricted sharing
- Group-based access management versus per-user grants at scale
Org Policy specifically deserves attention because it appears in scenarios where a company (often one resembling EHR Healthcare or Cymbal Retail) needs to enforce a rule organization-wide rather than trust individual project owners to configure it correctly. Recognizing "this needs to be enforced centrally, not per-project" is a recurring signal in the correct answer.
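As an added illustration of the "enforce centrally, not per-project" pattern (example configuration written for this guide, not taken from the exam guide or Google's own documentation), here are organization-level Org Policies for the three constraint families named in the list above, in the YAML shape that `gcloud org-policies set-policy` accepts. `ORG_ID` and `C0_PLACEHOLDER` are placeholders; each policy is assumed to live in its own file.

```yaml
# Added example: organization-level Org Policies. ORG_ID and
# C0_PLACEHOLDER are placeholders, not real identifiers. Each document
# below is applied separately with:  gcloud org-policies set-policy FILE
# Because each policy sits on the organization node, every folder and
# project beneath it inherits the rule; a project owner cannot simply
# "forget" to configure it, which is the point the exam scenarios probe.

# 1. Resource locations: only resources in the EU value group may be created.
name: organizations/ORG_ID/policies/gcp.resourceLocations
spec:
  rules:
    - values:
        allowedValues:
          - in:eu-locations
---
# 2. External IP usage: no VM instance in the org may get an external IP.
#    (A folder or project that genuinely needs one would carry its own
#    policy listing the specific instances, which shows up in audit logs.)
name: organizations/ORG_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
    - denyAll: true
---
# 3. Domain-restricted sharing: IAM bindings may only reference identities
#    from the listed Cloud Identity / Workspace customer ID, blocking grants
#    to allUsers, allAuthenticatedUsers, or personal accounts.
name: organizations/ORG_ID/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
    - values:
        allowedValues:
          - C0_PLACEHOLDER
```

Checking the effective policy on a child resource with `gcloud org-policies describe CONSTRAINT --project=PROJECT_ID --effective` is the practical way to confirm inheritance did what the architecture intended.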
Data Protection, Encryption, and Key Management
Encryption questions on the PCA exam are almost always about control and ownership of keys, not about whether encryption exists - Google Cloud encrypts data at rest by default. The architectural decision is whether default encryption is sufficient or whether the scenario demands customer-managed encryption keys (CMEK) or customer-supplied encryption keys (CSEK), and where Cloud KMS or an external key management system fits.
Data Protection Topics to Master
These recur across case studies with compliance language such as healthcare records or payment data.
- Default encryption vs. CMEK vs. CSEK trade-offs and operational overhead of each
- Cloud KMS key rotation, separation of duties, and key access auditing
- Sensitive Data Protection (formerly DLP) for discovering and de-identifying regulated data
- Data residency and sovereignty controls tied to regional resource placement
Network Security Architecture Decisions
Network security in Domain 3 overlaps with the provisioning concepts covered in PCA Domain 2: Managing and provisioning a cloud solution infrastructure - Complete Study Guide 2026, but here the emphasis shifts from "how do I build this" to "how do I isolate and defend it."
- VPC Service Controls for restricting API access to sensitive services within a perimeter
- Private Google Access, Private Service Connect, and when public IP exposure is genuinely unavoidable
- Firewall rules and hierarchical firewall policies for org-wide enforcement versus project-level flexibility
- Cloud Armor for edge protection against common web-layer threats in public-facing scenarios
- Shared VPC designs for multi-team organizations that need centralized network governance with delegated project ownership
Expect scenario questions that combine two or three of these - for example, a retail company (echoing Cymbal Retail) needing PCI-adjacent isolation for a payment-processing service while keeping the rest of its e-commerce stack loosely coupled.
Compliance Requirements Inside the PCA Case Studies
The four standard case studies each carry a distinct compliance flavor, and Domain 3 questions frequently borrow context from them even outside the dedicated case-study section of the exam.
- EHR Healthcare - regulated health data, access auditing, and strict identity controls tied to sensitive patient information.
- Cymbal Retail - payment and customer data protection alongside a hybrid, multi-region footprint.
- Altostrat Media - content protection, licensing boundaries, and access segregation across teams and partners.
- KnightMotives Automotive - data generated from connected devices and manufacturing systems, with governance over who can access telemetry versus operational systems.
Key Takeaway
Before exam day, re-read each case study once specifically asking: "What is this company legally or contractually obligated to protect, and which Google Cloud control maps to that obligation?"
If case studies still feel abstract, the general strategy article PCA Study Guide 2026: How to Pass on Your First Attempt covers how to work through case-study material efficiently under the exam's 2-hour time limit.
Security Service Comparison Table
Many Domain 3 questions hinge on picking the right service for a stated need rather than knowing every configuration detail. This comparison reflects the kind of decision framing the exam rewards.
| Requirement in Scenario | Likely Correct Direction | Why |
|---|---|---|
| Enforce a rule across every project in the org | Organization Policy | Central enforcement, not dependent on per-project configuration |
| Restrict which APIs data can reach, even with valid credentials | VPC Service Controls | Perimeter-based control independent of IAM alone |
| Full control over encryption key lifecycle and rotation | Cloud KMS with CMEK | Balances control with managed operational overhead |
| Discover and mask sensitive fields in stored data | Sensitive Data Protection | Purpose-built for classification and de-identification |
| Centralize network administration across many teams | Shared VPC | Delegated project use with centralized network governance |
How Domain 3 Questions Are Actually Written
Domain 3 questions on the PCA exam are almost always scenario-based multiple-choice or multiple-select items, not recall questions. A typical stem describes a company, a data sensitivity requirement or regulatory constraint, and an existing architecture, then asks which change best satisfies the requirement. Multiple-select items usually ask for "two" or "three" actions, which is a deliberate signal that a single control is insufficient - the correct answer often combines an identity control with a network or data control.
Because this is a multiple-choice and multiple-select format delivered under a strict 2-hour clock with no open-book allowance, memorized command syntax is far less valuable than being able to reason about trade-offs quickly. For a breakdown of how this compares across all six domains, see PCA Exam Domains 2026: Complete Guide to All 6 Content Areas, and for realistic difficulty expectations, PCA Pass Rate 2026: What the Data Shows puts the exam's format into broader context.
A Focused Study Timeline for Domain 3
Generic study techniques like spaced repetition or timed drills only help if they're pointed at the right material at the right time. Here is one way to sequence Domain 3 preparation within a broader multi-week plan.
IAM and Org Governance
- Map the resource hierarchy and practice choosing where to apply IAM bindings versus Org Policy
- Review service account and workload identity federation patterns
Data Protection Deep Dive
- Compare CMEK, CSEK, and default encryption scenarios until the trade-offs feel automatic
- Study Sensitive Data Protection use cases for regulated data handling
Network Isolation Patterns
- Work through VPC Service Controls, Shared VPC, and Cloud Armor scenarios
- Practice combining network controls with IAM in multi-select style questions
Case Study Synthesis
- Re-read all four case studies specifically for compliance language
- Take timed practice sets on the PCA practice test platform to simulate the 2-hour exam pace
Who Hires for This Skill Set
Domain 3 competency is exactly what employers are testing for when they list "Google Cloud security architecture" as a requirement. Roles that lean heavily on this domain include cloud security architects, infrastructure engineers at regulated companies (healthcare, financial services, retail with payment data), and platform teams responsible for organization-wide governance. Browsing current listings on PCA Jobs makes the pattern clear - postings frequently call out IAM design, encryption key management, and network segmentation by name, all Domain 3 territory.
For candidates evaluating whether the certification translates into hiring interest and compensation, PCA Salary Guide 2026: Complete Earnings Analysis and Is the PCA Certification Worth It? Complete ROI Analysis 2026 are useful companions, and PCA Certification Cost 2026: Complete Pricing Breakdown covers the $200 standard exam fee (plus tax) and the $100 renewal path so there are no surprises during registration.
To see how Domain 3 fits alongside the other five content areas - including the design work in Domain 1 and the optimization focus of Domain 4 - review PCA Domain 1: Designing and planning a cloud solution architecture - Complete Study Guide 2026 and PCA Domain 4: Analyzing and optimizing technical and business processes - Complete Study Guide 2026. Practicing full-length, timed question sets on our PCA practice exam platform is one of the most reliable ways to confirm Domain 3 concepts hold up under real exam conditions rather than just in isolated review.
Frequently Asked Questions
Google does not publish an official per-domain percentage breakdown for the standard exam, so no domain's exact weight is confirmed. What is documented is that case studies - which frequently include security and compliance requirements - make up about 20-30% of the exam.
The exam tests architectural decision-making rather than step-by-step configuration, but Google recommends 3+ years of industry experience including 1+ year designing and managing solutions on Google Cloud, and practical exposure makes the trade-off questions far more intuitive.
Both formats appear across the exam's 50-60 multiple-choice and multiple-select questions. Security scenarios often use multiple-select when a single control is insufficient to fully satisfy the stated requirement.
EHR Healthcare centers on regulated patient data, but all four standard case studies - Altostrat Media, Cymbal Retail, EHR Healthcare, and KnightMotives Automotive - include some form of data protection or access-control requirement worth reviewing.
There's no official time allocation from Google, but because Domain 3 concepts recur inside case-study questions as well as standalone items, many candidates find it efficient to dedicate a full study block to it rather than folding it into general review, as outlined in the study timeline above.