Model Armor floor settings

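Model Armor floor settings define rules that set minimum requirements for all Model Armor templates created at a specific point in the Google Cloud resource hierarchy (that is, at the organization, folder, or project level). If multiple floor settings conflict, the setting lower in the resource hierarchy takes precedence. For example, if floor setting policies are created at both the folder level and the project level, the project-level policy is applied.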

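The following example shows how Model Armor floor setting policies work. Floor setting policy X is set on a folder and enables the malicious URI filter. Floor setting policy Y is set on a project within that folder and enables the prompt injection and jailbreak detection filter with a medium confidence threshold. As a result, every Model Armor template created in the project must have at least the prompt injection and jailbreak detection filter set, with a confidence threshold of medium. Templates created in folders other than the project's parent folder don't require the malicious URI filter.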

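CISOs and security architects can use floor settings to enforce a minimum security posture across all Model Armor templates in the organization, preventing individual developers from accidentally or intentionally lowering security standards below an acceptable level. For customers subscribed to the Premium or Enterprise tier of Security Command Center, a floor setting violation triggers a finding. That is, if a template was created before the floor setting and its settings are less restrictive, Security Command Center displays a finding to help you identify and remediate less secure Model Armor templates.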

Enable and disable Model Armor floor settings

To enable Model Armor floor settings, set the enable_floor_setting_enforcement flag to true. The following examples show how to do this.

gcloud

  • Set the Model Armor endpoint to the global endpoint.

      gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.googleapis.com/"
    
  • Enable Model Armor floor settings for a specific project.

      gcloud model-armor floorsettings update \
       --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
       --enable-floor-setting-enforcement=true
    
  • Enable Model Armor floor settings for a specific organization.

      gcloud model-armor floorsettings update \
      --full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting' \
      --enable-floor-setting-enforcement=true
    
  • Enable Model Armor floor settings for a specific folder.

      gcloud model-armor floorsettings update \
      --full-uri='folders/FOLDER_ID/locations/global/floorSetting' \
      --enable-floor-setting-enforcement=true
    

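    Replace the following:

  • PROJECT_ID is the ID of the project for the template.

  • FOLDER_ID is the ID of the folder for the template.

  • ORGANIZATION_ID is the ID of the organization for the template.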

REST

  curl -X PATCH \
  -d '{"enable_floor_setting_enforcement" : "true"}' \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting?update_mask=enable_floor_setting_enforcement"
  

Replace PROJECT_ID with the ID of the project for the template.

If you don't want to use Model Armor floor settings, set the filter_config flag to empty, or set the enable_floor_setting_enforcement flag to false.

gcloud

    # --full-uri is the name of the floor setting resource.
    # Either disable enforcement (as here) or set an empty filter configuration (filterConfig = {}).
    gcloud model-armor floorsettings update \
    --full-uri='projects/PROJECT_ID/locations/global/floorSetting' \
    --enable-floor-setting-enforcement=false

Replace PROJECT_ID with the ID of the project for the template.

    curl -X PATCH \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -d '{"filterConfig" :{},"enable_floor_setting_enforcement":"false"}' \
    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"

Replace PROJECT_ID with the ID of the project for the template.

View Model Armor floor settings

Run the following commands to view Model Armor floor settings.

gcloud

  • View the Model Armor floor settings for a specific project.

      gcloud model-armor floorsettings describe \
      --full-uri='projects/PROJECT_ID/locations/global/floorSetting'
  • View the Model Armor floor settings for a specific organization.

      gcloud model-armor floorsettings describe \
      --full-uri='organizations/ORGANIZATION_ID/locations/global/floorSetting'
  • View the Model Armor floor settings for a specific folder.

       gcloud model-armor floorsettings describe \
       --full-uri='folders/FOLDER_ID/locations/global/floorSetting'

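    Replace the following:

    • PROJECT_ID is the ID of the project for the template.
    • FOLDER_ID is the ID of the folder for the template.
    • ORGANIZATION_ID is the ID of the organization for the template.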

REST

  • View the Model Armor floor settings for a specific project.

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"
  • View the Model Armor floor settings for a specific folder.

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://modelarmor.googleapis.com/v1/folders/FOLDER_ID/locations/global/floorSetting"
  • View the Model Armor floor settings for a specific organization.

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    "https://modelarmor.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/floorSetting"

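Replace the following:

  • PROJECT_ID is the ID of the project for the template.
  • FOLDER_ID is the ID of the folder for the template.
  • ORGANIZATION_ID is the ID of the organization for the template.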

Python

To run this command, first initialize a Model Armor client in Python.

  • View the Model Armor floor settings for a specific project.

    # GetFloorSettingRequest identifies the resource through its name field.
    request = modelarmor_v1.GetFloorSettingRequest(
        name="projects/PROJECT_ID/locations/global/floorSetting",
    )
    response = client.get_floor_setting(request=request)
  • View the Model Armor floor settings for a specific folder.

    # GetFloorSettingRequest identifies the resource through its name field.
    request = modelarmor_v1.GetFloorSettingRequest(
        name="folders/FOLDER_ID/locations/global/floorSetting",
    )
    response = client.get_floor_setting(request=request)
  • View the Model Armor floor settings for a specific organization.

    # GetFloorSettingRequest identifies the resource through its name field.
    request = modelarmor_v1.GetFloorSettingRequest(
        name="organizations/ORGANIZATION_ID/locations/global/floorSetting",
    )
    response = client.get_floor_setting(request=request)

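    Replace the following:

    • PROJECT_ID is the ID of the project that the template belongs to.
    • FOLDER_ID is the ID of the folder for the template.
    • ORGANIZATION_ID is the ID of the organization for the template.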

Update Model Armor floor settings

Run the following commands to update Model Armor floor settings.

gcloud

   gcloud model-armor floorsettings update --full-uri=<full-uri-of-the-floorsetting>

Example command:

       gcloud model-armor floorsettings update \
       --malicious-uri-filter-settings-enforcement=ENABLED \
       --pi-and-jailbreak-filter-settings-enforcement=DISABLED \
       --pi-and-jailbreak-filter-settings-confidence-level=LOW_AND_ABOVE \
       --basic-config-filter-enforcement=ENABLED \
       --add-rai-settings-filters='[{"confidenceLevel": "low_and_above", "filterType": "HARASSMENT"}, {"confidenceLevel": "high", "filterType": "SEXUALLY_EXPLICIT"}]' \
       --full-uri='folders/FOLDER_ID/locations/global/floorSetting' \
       --enable-floor-setting-enforcement=true

Replace FOLDER_ID with the ID of the folder for the template.

REST

  • Update the Model Armor floor settings for a specific project.

    curl -X PATCH \
    -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }, "rai_settings":{"rai_filters":[{"filter_type":"DANGEROUS", "confidence_level":"LOW_AND_ABOVE" }, {"filter_type":"HATE_SPEECH", "confidence_level":"LOW_AND_ABOVE" }, {"filter_type":"HARASSMENT", "confidence_level":"LOW_AND_ABOVE" }, {"filter_type":"SEXUALLY_EXPLICIT", "confidence_level":"LOW_AND_ABOVE" }]}},"enable_floor_setting_enforcement":"true"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.googleapis.com/v1/projects/PROJECT_ID/locations/global/floorSetting"
  • Update the Model Armor floor settings for a specific folder.

    curl -X PATCH \
    -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://modelarmor.googleapis.com/v1/folders/FOLDER_ID/locations/global/floorSetting"
  • Update the Model Armor floor settings for a specific organization.

    curl -X PATCH \
    -d '{"filterConfig" :{"piAndJailbreakFilterSettings": { "filterEnforcement": "ENABLED"}, "maliciousUriFilterSettings": { "filterEnforcement": "ENABLED" }},"enable_floor_setting_enforcement":"true"}' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
        "https://modelarmor.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/floorSetting"

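    Replace the following:

    • PROJECT_ID is the ID of the project for the template.
    • FOLDER_ID is the ID of the folder for the template.
    • ORGANIZATION_ID is the ID of the organization for the template.

    The update command returns the following response: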

    {
      "name": "projects/PROJECT_ID/locations/global/floorSetting",
      "updateTime": "2024-12-19T15:36:21.318191Z",
      "filterConfig": {
        "piAndJailbreakFilterSettings": {
          "filterEnforcement": "ENABLED"
        },
        "maliciousUriFilterSettings": {
          "filterEnforcement": "ENABLED"
        }
      }
    }

Python

To run this command, first initialize a Model Armor client in Python.

  • Update the Model Armor floor settings for a specific project.

    request = modelarmor_v1.UpdateFloorSettingRequest(
    floor_setting={
      "name": "projects/PROJECT_ID/locations/global/floorSetting",
      "filter_config": FILTER_CONFIG,
      "enable_floor_setting_enforcement": True
    }
    )
    response = client.update_floor_setting(request=request)
  • Update the Model Armor floor settings for a specific folder.

    request = modelarmor_v1.UpdateFloorSettingRequest(
        floor_setting={
            "name": "folders/FOLDER_ID/locations/global/floorSetting",
            "filter_config": FILTER_CONFIG,
            "enable_floor_setting_enforcement": True,
        }
    )
    response = client.update_floor_setting(request=request)
  • Update the Model Armor floor settings for a specific organization.

    request = modelarmor_v1.UpdateFloorSettingRequest(
        floor_setting={
            "name": "organizations/ORGANIZATION_ID/locations/global/floorSetting",
            "filter_config": FILTER_CONFIG,
            "enable_floor_setting_enforcement": True,
        }
    )
    response = client.update_floor_setting(request=request)

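    Replace the following:

  • FILTER_CONFIG is the filter configuration for the template.

  • PROJECT_ID is the ID of the project that the template belongs to.

  • FOLDER_ID is the ID of the folder for the template.

  • ORGANIZATION_ID is the ID of the organization for the template.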

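Floor setting violations

Each Model Armor service finding identifies a floor setting violation, that is, a Model Armor template that doesn't meet the minimum security standards defined by the floor settings of the resource hierarchy. Floor settings determine the minimum strictness allowed for each filter in a template. A template can violate the floor settings if it doesn't include a required filter, or if the confidence level of those filters doesn't meet the minimum threshold. When a violation is detected, Security Command Center issues a high-severity finding. The finding specifies the floor setting that was violated, the noncompliant template, and the details of the violation. For more information, see "Model Armor service findings".

The following is an example of the source_properties field of a finding for a floor setting violation.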

{
  "filterConfig": {
    "raiSettings": {
      "raiFilters": [
        {
          "filterType": "HATE_SPEECH",
          "confidenceLevel": {
            "floorSettings": "LOW_AND_ABOVE",
            "template": "MEDIUM_AND_ABOVE"
          }
        },
        {
          "filterType": "HARASSMENT",
          "confidenceLevel": {
            "floorSettings": "MEDIUM_AND_ABOVE",
            "template": "HIGH"
          }
        }
      ]
    },
    "piAndJailbreakFilterSettings": {
      "confidenceLevel": {
        "floorSettings": "LOW_AND_ABOVE",
        "template": "HIGH"
      }
    },
    "maliciousUriFilterSettings": {
      "floorSettings": "ENABLED",
      "template": "DISABLED"
    }
  }
}
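
The comparison behind such a finding, as an added example that is not part of the original page or of Google's code: it picks the floor setting lowest in the hierarchy and lists every filter where a template is weaker than that floor. The function names are hypothetical, the strictness order (a higher threshold is weaker) is inferred from the sample finding above, and policy Y from the earlier example is extended with one constructed RAI filter.

```python
# Added example; data shapes follow the JSON shown on this page, values are constructed.
# Assumption (from the sample finding): a higher confidence threshold is a weaker filter.
RANK = {"LOW_AND_ABOVE": 0, "MEDIUM_AND_ABOVE": 1, "HIGH": 2}
PI, URI = "piAndJailbreakFilterSettings", "maliciousUriFilterSettings"

def effective_floor(floors):
    """Pick the filterConfig set lowest in the hierarchy: project, folder, organization."""
    for level in ("project", "folder", "organization"):
        if level in floors:
            return floors[level]
    return {}

def weaker(template_level, floor_level):
    """True if the template threshold is weaker; a missing or unknown level counts as weaker."""
    return RANK.get(template_level, len(RANK)) > RANK[floor_level]

def find_violations(floor, template):
    """Return (filter, floor value, template value) for each floor requirement not met."""
    out = []
    for key in (URI, PI):
        want, have = floor.get(key, {}), template.get(key, {})
        if want.get("filterEnforcement") != "ENABLED":
            continue  # the floor does not require this filter
        if have.get("filterEnforcement") != "ENABLED":
            out.append((key, "ENABLED", have.get("filterEnforcement", "DISABLED")))
        elif "confidenceLevel" in want and weaker(have.get("confidenceLevel"), want["confidenceLevel"]):
            out.append((key, want["confidenceLevel"], have.get("confidenceLevel")))
    have_rai = {f["filterType"]: f["confidenceLevel"]
                for f in template.get("raiSettings", {}).get("raiFilters", [])}
    for f in floor.get("raiSettings", {}).get("raiFilters", []):
        got = have_rai.get(f["filterType"])
        if weaker(got, f["confidenceLevel"]):
            out.append((f["filterType"], f["confidenceLevel"], got))
    return out

# Constructed scenario: folder policy X and project policy Y from the example above.
FLOORS = {
    "folder": {URI: {"filterEnforcement": "ENABLED"}},
    "project": {PI: {"filterEnforcement": "ENABLED", "confidenceLevel": "MEDIUM_AND_ABOVE"},
                "raiSettings": {"raiFilters": [
                    {"filterType": "HATE_SPEECH", "confidenceLevel": "LOW_AND_ABOVE"}]}},
}
TEMPLATE = {
    PI: {"filterEnforcement": "ENABLED", "confidenceLevel": "HIGH"},
    "raiSettings": {"raiFilters": [
        {"filterType": "HATE_SPEECH", "confidenceLevel": "MEDIUM_AND_ABOVE"}]},
}
if __name__ == "__main__":
    print(find_violations(effective_floor(FLOORS), TEMPLATE))
```

Running the same check against each template before a floor setting is enforced shows which templates would produce findings once it is.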
