Google Professional Cloud Architect - Domain 3

Designing for Security and Compliance

This domain tests whether your architecture protects identities, networks, data, supply chains, AI systems, and regulated workloads without blocking the business objective.

Exam weight: ~17.5%
Core skill: Secure architecture
Case-study role: High
Study priority: High

What This Domain Tests

Expect least-privilege, separation-of-duties, encryption, policy, audit, remote access, data sovereignty, and compliance trade-offs. Secure-by-default answers usually win.

Exam Weight

Google lists this domain at ~17.5% of the standard Professional Cloud Architect exam.

How to Think

Read the scenario like an architect: identify constraints, rank trade-offs, and choose the answer that best satisfies the stated business and technical goals.

Study move: For this domain, do not only memorize product names. Practice explaining why the wrong answers are attractive but incomplete.

Official Objective Map

Use this as your domain study outline.

1. Design for security

  • Apply IAM, resource hierarchy, organizations, folders, projects, groups, service accounts, and least privilege.
  • Protect data with encryption, Cloud KMS, secret management, separation of duties, and appropriate key ownership.
  • Use controls such as audit logs, VPC Service Controls, Context-Aware Access, organization policy, and hierarchical firewall policies.

2. Secure access and software supply chain

  • Design secure remote access with Identity-Aware Proxy, service account impersonation, Chrome Enterprise Premium, and Workload Identity Federation.
  • Reduce credential sprawl and avoid broad long-lived keys where federation or impersonation is safer.
  • Include software supply chain controls when deployment integrity is part of the scenario.

3. Secure AI systems

  • Account for Model Armor, Sensitive Data Protection, and secure model deployment when AI appears in a case study.
  • Protect prompts, responses, training data, and model endpoints with the same rigor as other sensitive systems.
  • Match AI controls to business risk and data sensitivity.

4. Design for compliance

  • Recognize privacy, data ownership, data sovereignty, health record privacy, children's privacy, and commercial sensitive data requirements.
  • Support audits with logging, access review, policy enforcement, and evidence retention.
  • Map industry certifications and regulations to architecture controls.

Decision Patterns

These are the mental shortcuts that help under exam pressure.

IAM scope: Grant roles at the narrowest resource level that still supports the operating model.
Project structure: Use folders and projects to separate environments, teams, billing, policy, and blast radius.
Key management: Use customer-managed keys when control, separation of duties, or compliance requires it.
Remote access: Prefer identity-aware and federated access patterns over open network paths and long-lived credentials.
Compliance evidence: Design logging and auditability into the architecture, not after the system launches.

Mini Scenarios

Open each card, answer in your own words, then compare.

Prompt: A finance company needs developers to deploy apps without being able to read production customer data.

Strong answer: Separate duties with IAM, service accounts, deployment pipelines, environment boundaries, audit logs, and data access controls.

Prompt: A partner needs temporary access from an external identity provider.

Strong answer: Use federation or controlled impersonation patterns with limited roles, expiration, and logging, and avoid creating unmanaged long-lived keys.

Prompt: A gen AI solution will process sensitive customer text.

Strong answer: Add data classification, sensitive data protection, model access controls, logging, policy boundaries, and evaluation of model/prompt security controls.

Readiness Checklist

Track what you can confidently explain without notes.

Can design IAM with least privilege and separation of duties
Can use resource hierarchy to enforce organization-level policy
Can choose encryption and key management patterns
Can explain VPC Service Controls, Context-Aware Access, and audit logs at a high level
Can design secure remote access without broad public exposure
Can connect compliance requirements to technical controls

Common Traps

These are the answer patterns to catch before exam day.

The basic roles (Owner, Editor, Viewer) are rarely the best exam answer for production access.
The exam expects security and compliance to be designed in early.
Encryption protects data, but access control still decides who can use it.
Public IPs and open firewalls are usually wrong unless the scenario clearly requires them and controls are present.
The current guide explicitly includes securing AI, Sensitive Data Protection, and Model Armor.

FAQ and Sources

Quick answers plus official references to verify details before exam registration.

IAM is central, but the domain also includes data protection, network controls, remote access, supply chain, AI security, and compliance.
No. Know how to translate privacy, sovereignty, regulated data, and audit requirements into architecture controls.
Master resource hierarchy plus IAM scope. Many security questions become easier after that.
Understand when Google-managed keys are enough and when customer-managed keys are required.
Identify the sensitive asset, actor, access path, policy boundary, and evidence requirement.