Model Armor floor settings

Model Armor floor settings define rules that dictate minimum requirements for all Model Armor templates created at a specific point in the Google Cloud resource hierarchy (that is, at an organization, folder, or project level). If there are multiple floor settings that conflict with each other, the settings lower in the resource hierarchy take precedence. For example, if a floor setting policy is created at a folder and project level, the project-level policy would be applied.

Here's an example to showcase how a Model Armor floor setting policy works. Floor policy X is set at a folder with the malicious URL filter enabled. Floor policy Y is set on a project within that folder for the prompt injection and jailbreak detection filter with a medium confidence threshold. The result is that every Model Armor template created in the project must have at least the prompt injection and jailbreak detection filter set with a medium confidence threshold. A template created in a folder other than the parent folder of this project does not require the malicious URI filter.

Floor settings help CISOs and security architects enforce a minimum security posture across all Model Armor templates within their organization, preventing individual developers from accidentally or intentionally lowering security standards below acceptable levels. For customers with a Premium tier or Enterprise tier of Security Command Center, floor setting violations trigger findings. That means that if a template is created before a floor setting, and the template has any less-restrictive settings, a finding will surface in Security Command Center to help you identify and remediate less secure Model Armor templates.

Enable and disable Model Armor floor settings

To enable Model Armor floor settings, set the enable_floor_setting_enforcement flag to true. The following examples show how to do this.

gcloud

  • Set the Model Armor endpoint to its global endpoint.

      gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.googleapis.com/"

  • Enable the Model Armor floor settings for a given project.

      gcloud model-armor floorsettings update \
   --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
   --enable-floor-setting-enforcement=true

  • Enable the Model Armor floor settings for a given organization.

      gcloud model-armor floorsettings update \
  --full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting' \
  --enable-floor-setting-enforcement=true

  • Enable the Model Armor floor settings for a given folder.

      gcloud model-armor floorsettings update \
  --full-uri='folders/FOLDER_ID/locations/global/floorSetting' \
  --enable-floor-setting-enforcement=true

    Replace the following:

  • PROJECT_ID is the ID of the project for the template.

  • FOLDER_ID is the ID of the folder for the template.

  • ORGANIZATION_ID is the ID of the organization for the template.

REST

  curl -X PATCH
  -d '{"enable_floor_setting_enforcement" : "true"}'
  -H "Content-Type: application/json"
  -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting?update_mask=enable_floor_setting_enforcement"

Replace PROJECT_ID with the ID of the project for the template.

If you don't want to use the Model Armor floor settings, set the filter_config flag to empty or set the enable_floor_setting_enforcement flag to false.

gcloud

    gcloud model-armor floorsettings get 

    --full-uri='projects/PROJECT_ID/locations/global/floorSetting' 

    Flags
    --full-uri = name of the floor setting resource 

    --enable-floor-setting-enforcement=false 

    --filterConfig = {}

Replace PROJECT_ID with the ID of the project for the template.

    curl -X PATCH 

    -H "Content-Type: application/json" 

    -H "Authorization: Bearer $(gcloud auth print-access-token)" 

    -d '{"filterConfig" :{},"enable_floor_setting_enforcement":"false"}' 

    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

Replace PROJECT_ID with the ID of the project for the template.

View Model Armor floor settings

Run the following command to view the Model Armor floor settings.

gcloud

  • View the Model Armor floor setting for a given project.

      gcloud model-armor floorsettings describe \
  --full-uri='projects/PROJECT_ID/locations/global/floorSetting'

  • View the Model Armor floor setting for a given organization.

      gcloud model-armor floorsettings describe \
  --full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting'

  • View the Model Armor floor setting for a given folder.

       gcloud model-armor floorsettings describe \
   --full-uri='folders/FOLDER_ID/locations/global/floorSetting'

    Replace the following:

    • PROJECT_ID is the ID of the project for the template.
    • FOLDER_ID is the ID of the folder for the template.
    • ORGANIZATION_ID is the ID of the organization for the template.

REST

  • View the Model Armor floor setting for a given project.

    curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

  • View the Model Armor floor setting for a given folder.

    curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://modelarmor.googleapis.com/v1/folders/FOLDER_ID/locations/global/floorSetting"

  • View the Model Armor floor setting for a given organization.

    curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
"https://modelarmor.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/floorSetting"

Replace the following:

  • PROJECT_ID is the ID of the project for the template.
  • FOLDER_ID is the ID of the folder for the template.
  • ORGANIZATION_ID is the ID of the organization for the template.

Python

To run this command, first initialize a Model Armor client in Python.

  • View the Model Armor floor setting for a given project.

    request = modelarmor_v1.GetFloorSettingRequest(
floor_setting={
  "name": "projects/PROJECT_ID/locations/global/floorSetting",
}
)
response = client.get_floor_setting(request=request)

  • View the Model Armor floor setting for a given folder.

    request = modelarmor_v1.GetFloorSettingRequest(
floor_setting={
  "name": "folders/FOLDER_ID/locations/global/floorSetting",
}
)
response = client.get_floor_setting(request=request)

  • View the Model Armor floor setting for a given organization.

    request = modelarmor_v1.GetFloorSettingRequest(
floor_setting={
  "name": "organizations/ORGANIZATION_ID/locations/global/floorSetting",
}
)
response = client.get_floor_setting(request=request)

    Replace the following:

    • PROJECT_ID is the ID of the project that the template belongs to.
    • FOLDER_ID is the ID of the folder for the template.
    • ORGANIZATION_ID is the ID of the organization for the template.

Update Model Armor floor settings

Run the following command to update the Model Armor floor settings.

gcloud

   gcloud model-armor floorsettings update --full-uri=<full-uri-of-the-floorsetting>

Example command:

       gcloud model-armor floorsettings update \
       --malicious-uri-filter-settings-enforcement=ENABLED \
       --pi-and-jailbreak-filter-settings-enforcement=DISABLED \
       --pi-and-jailbreak-filter-settings-confidence-level=LOW_AND_ABOVE \
       --basic-config-filter-enforcement=ENABLED \
       --add-rai-settings-filters='[{"confidenceLevel": "low_and_above", "filterType": "HARASSMENT"}, {"confidenceLevel": "high", "filterType": "SEXUALLY_EXPLICIT"}]'
       --full-uri='folders/FOLDER_ID/locations/global/floorSetting' \
       --enable-floor-setting-enforcement=true

Replace FOLDER_ID with the ID of the folder for the template.

REST

  • Update the Model Armor floor setting for a given project.

    curl -X PATCH -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }, "rai_settings":{"rai_filters":{"filter_type":"DANGEROUS", "confidence_level":"LOW_AND_ABOVE" },
"rai_filters":{"filter_type":"HATE_SPEECH", "confidence_level":"LOW_AND_ABOVE" }, "rai_filters":{"filter_type":"HARASSMENT", "confidence_level":"LOW_AND_ABOVE" }, "rai_filters":{"filter_type":"SEXUALLY_EXPLICIT", "confidence_level":"LOW_AND_ABOVE" }}},"enable_floor_setting_enforcement":"true"}' -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud auth print-access-token) "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

  • Update the Model Armor floor setting for a given folder.

    curl -X PATCH \
-d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://modelarmor.googleapis.com/v1/folders/FOLDER_ID/locations/global/floorSetting"

  • Update the Model Armor floor setting for a given organization.

    curl -X PATCH \
-d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/floorSetting"

    Replace the following:

    • PROJECT_ID is the ID of the project for the template.
    • FOLDER_ID is the ID of the folder for the template.
    • ORGANIZATION_ID is the ID of the organization for the template.

    The update command returns the following response:

    {
"name": "projects/PROJECT_ID/locations/global/floorSetting",
"updateTime": "2024-12-19T15:36:21.318191Z",
"filterConfig": {
"piAndJailbreakFilterSettings": {
  "filterEnforcement": "ENABLED"
},
"maliciousUriFilterSettings": {
"filterEnforcement": "ENABLED"
}
}
}

Python

To run this command, first initialize a Model Armor client in Python.

  • Update the Model Armor floor setting for a given project.

    request = modelarmor_v1.UpdateFloorSettingRequest(
floor_setting={
  "name": "projects/PROJECT_ID/locations/global/floorSetting",
  "filter_config": FILTER_CONFIG,
  "enable_floor_setting_enforcement": True
}
)
response = client.update_floor_setting(request=request)

  • Update the Model Armor floor setting for a given folder.

    request = modelarmor_v1.UpdateFloorSettingRequest(
floor_setting={
  "name": "folders/FOLDER_ID/locations/global/floorSetting",
  "filter_config": FILTER_CONFIG
  "enable_floor_setting_enforcement": True
}
)
response = client.update_floor_setting(request=request)

  • Update the Model Armor floor setting for a given organization.

    request = modelarmor_v1.UpdateFloorSettingRequest(
floor_setting={
  "name": "organizations/ORGANIZATION_ID/locations/global/floorSetting",
  "filter_config": FILTER_CONFIG
  "enable_floor_setting_enforcement": True
}
)
response = client.update_floor_setting(request=request)

    Replace the following:

  • FILTER_CONFIG is the filter configuration for the template.

  • PROJECT_ID is the ID of the project that the template belongs to.

  • FOLDER_ID: is the ID of the folder for the template.

  • ORGANIZATION_ID is the ID of the organization for the template.

Floor settings violation

Each Model Armor service finding identifies a floor setting violation that occurs when a Model Armor template fails to meet the minimum security standards defined by the resource hierarchy floor settings. Floor settings dictate the least stringent level allowed for each filter within a template. A floor setting violation might involve a template that does not include the required filters or does not meet minimum confidence level for those filters. When a violation is detected, a high-severity finding is published in Security Command Center. The finding specifies the violated floor setting, the non-compliant template, and details about the violation. For more information, see Model Armor service findings.

This is an example of the source_properties field of the finding within floor settings violation.

{
  "filterConfig": {
    "raiSettings": {
      "raiFilters": [
        {
          "filterType": "HATE_SPEECH",
          "confidenceLevel": {
            "floorSettings": "LOW_AND_ABOVE",
            "template": "MEDIUM_AND_ABOVE"
          }
        },
        {
          "filterType": "HARASSMENT",
          "confidenceLevel": {
            "floorSettings": "MEDIUM_AND_ABOVE",
            "template": "HIGH"
          }
        }
      ]
    },
    "piAndJailbreakFilterSettings": {
      "confidenceLevel": {
        "floorSettings": "LOW_AND_ABOVE",
        "template": "HIGH"
      }
    },
    "maliciousUriFilterSettings": {
      "floorSettings": "ENABLED",
      "template": "DISABLED"
    }
  }
}

What's next