PCA Domain 3: Designing for security and compliance - Complete Study Guide 2026

TL;DR
  • Domain 3 tests security architecture decisions, not memorized IAM role names or CLI syntax.
  • All 4 standard case studies - Altostrat Media, Cymbal Retail, EHR Healthcare, and KnightMotives Automotive - embed compliance constraints you must map to...
  • Case-study questions make up about 20-30% of the exam, and many draw directly from Domain 3 material.
  • Org Policy, VPC Service Controls, and CMEK/KMS are recurring architecture-choice topics across scenario questions.

Domain 3 Overview: What "Designing for Security and Compliance" Actually Means

Domain 3 of the Professional Cloud Architect exam guide is where Google Cloud tests whether you can translate a business or regulatory requirement into a concrete architecture. It is not a checklist of IAM permissions or a memory test on encryption acronyms - it is a judgment domain. Given a scenario with sensitive data, a regulated industry, or a multi-team organization, can you design access boundaries, network isolation, and data protection that actually satisfy the stated requirement without over-engineering the solution?

If you have already worked through the broader PCA Exam Domains 2026: Complete Guide to All 6 Content Areas, you know Domain 3 sits alongside design (Domain 1), provisioning (Domain 2), and operational domains later in the guide. Security and compliance threads through all of them, but Domain 3 is where it's tested directly and deliberately.

Scope Reality Check: Domain 3 expects fluency across identity, network, data, and organizational governance controls - plus the ability to recognize which control actually answers the question being asked in a scenario, since more than one option is often technically valid.

How Much of the PCA Exam Domain 3 Represents

Google does not publish a fixed percentage breakdown per domain for the standard PCA exam, and this article won't invent one. What is documented is the exam's overall shape: 50-60 multiple-choice and multiple-select questions, delivered in a 2-hour window, with case studies (Altostrat Media, Cymbal Retail, EHR Healthcare, and KnightMotives Automotive) contributing roughly 20-30% of the total question count. Because every one of those four case studies includes some form of regulatory, data-residency, or access-control requirement, Domain 3 concepts surface both as standalone questions and as case-study questions layered on top of a specific fictional company's constraints.

This dual exposure is why candidates who treat security as "one domain among six" tend to underestimate it. For a full picture of how Domain 3 relates to exam difficulty overall, see How Hard Is the PCA Exam? Complete Difficulty Guide 2026.

Key Takeaway

Study Domain 3 twice: once as a standalone topic list, and again by re-reading each of the four case studies specifically hunting for security and compliance clauses.

IAM, Resource Hierarchy, and Org Policy

Identity and access management is the backbone of this domain, but the exam rarely asks "which role grants this permission." Instead it asks you to choose between IAM at the project level, folder level, or organization level, and to justify that choice against least-privilege and manageability goals.

Identity and Access Management

Candidates must understand how the resource hierarchy (organization, folder, project, resource) affects policy inheritance and where to apply constraints for the least administrative overhead.

  • Predefined vs. custom roles and when each is architecturally justified
  • Service account design, impersonation, and workload identity federation
  • Org Policy constraints for restricting resource locations, external IP usage, and domain-restricted sharing
  • Group-based access management versus per-user grants at scale

Org Policy specifically deserves attention because it appears in scenarios where a company (often one resembling EHR Healthcare or Cymbal Retail) needs to enforce a rule organization-wide rather than trust individual project owners to configure it correctly. Recognizing "this needs to be enforced centrally, not per-project" is a recurring signal in the correct answer.
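To make the "enforce centrally, not per-project" signal concrete, here is a simplified Python model of how policy inherits down the resource hierarchy; it is an added example, not code from this guide, and all resource names, members and constraint values in it are constructed. It shows that IAM grants accumulate from the organization downward and that an Org Policy list constraint set at a parent carries down unless a child explicitly replaces it.

```python
# Added example (not this guide's own code): a simplified model of how IAM bindings
# and Org Policy list constraints inherit down the resource hierarchy (values are constructed).
from dataclasses import dataclass, field

@dataclass
class ListPolicy:
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    inherit_from_parent: bool = False  # False: this policy replaces the parent's

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    iam: dict = field(default_factory=dict)         # member -> set of roles
    org_policy: dict = field(default_factory=dict)  # constraint -> ListPolicy

    def ancestry(self):
        chain = [] if self.parent is None else self.parent.ancestry()
        return chain + [self]  # organization first, this resource last

    def effective_iam(self):
        # IAM allow policies are additive: a child cannot revoke a parent's grant.
        effective = {}
        for node in self.ancestry():
            for member, roles in node.iam.items():
                effective.setdefault(member, set()).update(roles)
        return effective

    def effective_org_policy(self, constraint):
        # A child policy replaces its parent's unless it inherits; when merging,
        # denied values take precedence over allowed values.
        effective = ListPolicy()
        for node in self.ancestry():
            local = node.org_policy.get(constraint)
            if local is None:
                continue  # nothing set here, so the parent's policy carries down
            merge = local.inherit_from_parent
            denied = (effective.denied | local.denied) if merge else set(local.denied)
            allowed = (effective.allowed | local.allowed) if merge else set(local.allowed)
            effective = ListPolicy(allowed - denied, denied)
        return effective

# Constructed hierarchy: the org allows EU locations, a regulated folder inherits
# that and additionally denies one region, and a project only adds an IAM grant.
ORG = Node("organizations/EXAMPLE_ORG",
           iam={"group:sec-admins@example.com": {"roles/viewer"}},
           org_policy={"gcp.resourceLocations": ListPolicy(allowed={"in:europe-locations"})})
FOLDER = Node("folders/regulated", ORG, org_policy={"gcp.resourceLocations": ListPolicy(
    denied={"in:europe-west2-locations"}, inherit_from_parent=True)})
PROJECT = Node("projects/ehr-records", FOLDER, iam={"user:dev@example.com": {"roles/editor"}})
```

Calling `PROJECT.effective_org_policy("gcp.resourceLocations")` returns the org's allowed locations minus the folder's denied region, with no per-project configuration needed.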

Data Protection, Encryption, and Key Management

Encryption questions on the PCA exam are almost always about control and ownership of keys, not about whether encryption exists - Google Cloud encrypts data at rest by default. The architectural decision is whether default encryption is sufficient or whether the scenario demands customer-managed encryption keys (CMEK) or customer-supplied encryption keys (CSEK), and where Cloud KMS or an external key management system fits.

Data Protection Topics to Master

These recur across case studies with compliance language such as healthcare records or payment data.

  • Default encryption vs. CMEK vs. CSEK trade-offs and operational overhead of each
  • Cloud KMS key rotation, separation of duties, and key access auditing
  • Sensitive Data Protection (formerly DLP) for discovering and de-identifying regulated data
  • Data residency and sovereignty controls tied to regional resource placement

Common Trap: Exam scenarios sometimes describe a requirement that sounds like it needs CSEK when a properly scoped CMEK setup with strict IAM and audit logging actually satisfies it with far less operational burden. Read for the underlying requirement, not the loudest keyword.

Network Security Architecture Decisions

Network security in Domain 3 overlaps with the provisioning concepts covered in PCA Domain 2: Managing and provisioning a cloud solution infrastructure - Complete Study Guide 2026, but here the emphasis shifts from "how do I build this" to "how do I isolate and defend it."

  • VPC Service Controls for restricting API access to sensitive services within a perimeter
  • Private Google Access, Private Service Connect, and when public IP exposure is genuinely unavoidable
  • Firewall rules and hierarchical firewall policies for org-wide enforcement versus project-level flexibility
  • Cloud Armor for edge protection against common web-layer threats in public-facing scenarios
  • Shared VPC designs for multi-team organizations that need centralized network governance with delegated project ownership

Expect scenario questions that combine two or three of these - for example, a retail company (echoing Cymbal Retail) needing PCI-adjacent isolation for a payment-processing service while keeping the rest of its e-commerce stack loosely coupled.

Compliance Requirements Inside the PCA Case Studies

The four standard case studies each carry a distinct compliance flavor, and Domain 3 questions frequently borrow context from them even outside the dedicated case-study section of the exam.

  • EHR Healthcare - regulated health data, access auditing, and strict identity controls tied to sensitive patient information.
  • Cymbal Retail - payment and customer data protection alongside a hybrid, multi-region footprint.
  • Altostrat Media - content protection, licensing boundaries, and access segregation across teams and partners.
  • KnightMotives Automotive - data generated from connected devices and manufacturing systems, with governance over who can access telemetry versus operational systems.

Key Takeaway

Before exam day, re-read each case study once specifically asking: "What is this company legally or contractually obligated to protect, and which Google Cloud control maps to that obligation?"

If case studies still feel abstract, the general strategy article PCA Study Guide 2026: How to Pass on Your First Attempt covers how to work through case-study material efficiently under the exam's 2-hour time limit.

Security Service Comparison Table

Many Domain 3 questions hinge on picking the right service for a stated need rather than knowing every configuration detail. This comparison reflects the kind of decision framing the exam rewards.

Requirement in Scenario | Likely Correct Direction | Why
Enforce a rule across every project in the org | Organization Policy | Central enforcement, not dependent on per-project configuration
Restrict which APIs data can reach, even with valid credentials | VPC Service Controls | Perimeter-based control independent of IAM alone
Full control over encryption key lifecycle and rotation | Cloud KMS with CMEK | Balances control with managed operational overhead
Discover and mask sensitive fields in stored data | Sensitive Data Protection | Purpose-built for classification and de-identification
Centralize network administration across many teams | Shared VPC | Delegated project use with centralized network governance

How Domain 3 Questions Are Actually Written

Domain 3 questions on the PCA exam are almost always scenario-based multiple-choice or multiple-select items, not recall questions. A typical stem describes a company, a data sensitivity requirement or regulatory constraint, and an existing architecture, then asks which change best satisfies the requirement. Multiple-select items usually ask for "two" or "three" actions, which is a deliberate signal that a single control is insufficient - the correct answer often combines an identity control with a network or data control.

Because this is a multiple-choice and multiple-select format delivered under a strict 2-hour clock with no open-book allowance, memorized command syntax is far less valuable than being able to reason about trade-offs quickly. For a breakdown of how this compares across all six domains, see PCA Exam Domains 2026: Complete Guide to All 6 Content Areas, and for realistic difficulty expectations, PCA Pass Rate 2026: What the Data Shows puts the exam's format into broader context.

Format Note: Google does not publish a fixed scored-versus-unscored split for the standard exam, so treat every question - including dense security scenarios - as worth full attention rather than trying to guess which ones "don't count."

A Focused Study Timeline for Domain 3

Generic study techniques like spaced repetition or timed drills only help if they're pointed at the right material at the right time. Here is one way to sequence Domain 3 preparation within a broader multi-week plan.

Week 1

IAM and Org Governance

  • Map the resource hierarchy and practice choosing where to apply IAM bindings versus Org Policy
  • Review service account and workload identity federation patterns

Week 2

Data Protection Deep Dive

  • Compare CMEK, CSEK, and default encryption scenarios until the trade-offs feel automatic
  • Study Sensitive Data Protection use cases for regulated data handling

Week 3

Network Isolation Patterns

  • Work through VPC Service Controls, Shared VPC, and Cloud Armor scenarios
  • Practice combining network controls with IAM in multi-select style questions

Week 4

Case Study Synthesis

  • Re-read all four case studies specifically for compliance language
  • Take timed practice sets on the PCA practice test platform to simulate the 2-hour exam pace

Who Hires for This Skill Set

Domain 3 competency is exactly what employers are testing for when they list "Google Cloud security architecture" as a requirement. Roles that lean heavily on this domain include cloud security architects, infrastructure engineers at regulated companies (healthcare, financial services, retail with payment data), and platform teams responsible for organization-wide governance. Browsing current listings on PCA Jobs makes the pattern clear - postings frequently call out IAM design, encryption key management, and network segmentation by name, all Domain 3 territory.

For candidates evaluating whether the certification translates into hiring interest and compensation, PCA Salary Guide 2026: Complete Earnings Analysis and Is the PCA Certification Worth It? Complete ROI Analysis 2026 are useful companions, and PCA Certification Cost 2026: Complete Pricing Breakdown covers the $200 standard exam fee (plus tax) and the $100 renewal path so there are no surprises during registration.

Registration Reminder: The standard exam is scheduled through CM Connect/CertMetrics with either online-proctored or onsite Pearson VUE delivery. Renewal, when the time comes, opens 60 days before your 2-year certification expires and can be completed via the shorter 1-hour, 25-question renewal exam or eligible Google Skills renewal options.

To see how Domain 3 fits alongside the other five content areas - including the design work in Domain 1 and the optimization focus of Domain 4 - review PCA Domain 1: Designing and planning a cloud solution architecture - Complete Study Guide 2026 and PCA Domain 4: Analyzing and optimizing technical and business processes - Complete Study Guide 2026. Practicing full-length, timed question sets on our PCA practice exam platform is one of the most reliable ways to confirm Domain 3 concepts hold up under real exam conditions rather than just in isolated review.

Frequently Asked Questions

Is Domain 3 the most heavily weighted domain on the PCA exam?

Google does not publish an official per-domain percentage breakdown for the standard exam, so no domain's exact weight is confirmed. What is documented is that case studies - which frequently include security and compliance requirements - make up about 20-30% of the exam.

Do I need hands-on experience with Cloud KMS and VPC Service Controls to pass this domain?

The exam tests architectural decision-making rather than step-by-step configuration, but Google recommends 3+ years of industry experience including 1+ year designing and managing solutions on Google Cloud, and practical exposure makes the trade-off questions far more intuitive.

Are Domain 3 questions multiple-select or single-answer?

Both formats appear across the exam's 50-60 multiple-choice and multiple-select questions. Security scenarios often use multiple-select when a single control is insufficient to fully satisfy the stated requirement.

Which case study has the heaviest compliance emphasis?

EHR Healthcare centers on regulated patient data, but all four standard case studies - Altostrat Media, Cymbal Retail, EHR Healthcare, and KnightMotives Automotive - include some form of data protection or access-control requirement worth reviewing.

How does Domain 3 preparation fit into overall exam study time?

There's no official time allocation from Google, but because Domain 3 concepts recur inside case-study questions as well as standalone items, many candidates find it efficient to dedicate a full study block to it rather than folding it into general review, as outlined in the study timeline above.
