rules/Azure.KeyVault.Rule.ps1
|
# Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # # Validation rules for Key Vault # # Synopsis: Limit access to Key Vault data Rule 'Azure.KeyVault.AccessPolicy' -Ref 'AZR-000118' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/accessPolicies' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } { Reason $LocalizedData.AccessPolicyLeastPrivilege; $accessPolicies = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.KeyVault/vaults') { $accessPolicies = @($TargetObject.Properties.accessPolicies); } if ($accessPolicies.Length -eq 0) { return $Assert.Pass(); } foreach ($policy in $accessPolicies) { $policy.permissions.keys -notin 'All', 'Purge' $policy.permissions.secrets -notin 'All', 'Purge' $policy.permissions.certificates -notin 'All', 'Purge' $policy.permissions.storage -notin 'All', 'Purge' } } # Synopsis: Ensure audit diagnostics logs are enabled to audit Key Vault access. Rule 'Azure.KeyVault.Logs' -Ref 'AZR-000119' -Type 'Microsoft.KeyVault/vaults' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = @('LT-4') } { $logCategoryGroups = 'audit', 'allLogs' $joinedLogCategoryGroups = $logCategoryGroups -join ', ' $diagnostics = @(GetSubResources -ResourceType 'microsoft.insights/diagnosticSettings', 'Microsoft.KeyVault/vaults/providers/diagnosticSettings' | ForEach-Object { $_.properties.logs | Where-Object { ($_.category -eq 'AuditEvent' -or $_.categoryGroup -in $logCategoryGroups) -and $_.enabled } }) $Assert.Greater($diagnostics, '.', 0).Reason( $LocalizedData.KeyVaultAuditDiagnosticSetting, 'AuditEvent', $joinedLogCategoryGroups ).PathPrefix('resources') } # Synopsis: Key Vault names should meet naming requirements. Rule 'Azure.KeyVault.Name' -Ref 'AZR-000120' -Type 'Microsoft.KeyVault/vaults' -Tag @{ release = 'GA'; ruleSet = '2021_03'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { # https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftkeyvault # Between 3 and 24 characters long $Assert.GreaterOrEqual($PSRule, 'TargetName', 3); $Assert.LessOrEqual($PSRule, 'TargetName', 24); # Alphanumerics and hyphens # Start with a letter # End with a letter or digit # Can not contain consecutive hyphens $Assert.Match($PSRule, 'TargetName', '^[A-Za-z](-|[A-Za-z0-9])*[A-Za-z0-9]$'); } # Synopsis: Key Vault Secret names should meet naming requirements. Rule 'Azure.KeyVault.SecretName' -Ref 'AZR-000121' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/secrets' -Tag @{ release = 'GA'; ruleSet = '2021_03'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { # https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftkeyvault $secrets = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.KeyVault/vaults') { $secrets = @(GetSubResources -ResourceType 'Microsoft.KeyVault/vaults/secrets'); } if ($secrets.Length -eq 0) { return $Assert.Pass(); } foreach ($secret in $secrets) { $nameParts = $secret.Name.Split('/'); $name = $nameParts[-1]; # Between 1 and 127 characters long $Assert.GreaterOrEqual($name, '.', 1); $Assert.LessOrEqual($name, '.', 127); # Alphanumerics and hyphens $Assert.Match($name, '.', '^[A-Za-z0-9-]{1,127}$'); } } # Synopsis: Key Vault Key names should meet naming requirements. Rule 'Azure.KeyVault.KeyName' -Ref 'AZR-000122' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/keys' -Tag @{ release = 'GA'; ruleSet = '2021_03'; 'Azure.WAF/pillar' = 'Operational Excellence'; } { # https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftkeyvault $keys = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.KeyVault/vaults') { $keys = @(GetSubResources -ResourceType 'Microsoft.KeyVault/vaults/keys'); } if ($keys.Length -eq 0) { return $Assert.Pass(); } foreach ($key in $keys) { $nameParts = $key.Name.Split('/'); $name = $nameParts[-1]; # Between 1 and 127 characters long $Assert.GreaterOrEqual($name, '.', 1); $Assert.LessOrEqual($name, '.', 127); # Alphanumerics and hyphens $Assert.Match($name, '.', '^[A-Za-z0-9-]{1,127}$'); } } # Synopsis: Key Vault keys should have auto-rotation enabled. Rule 'Azure.KeyVault.AutoRotationPolicy' -Ref 'AZR-000123' -Type 'Microsoft.KeyVault/vaults', 'Microsoft.KeyVault/vaults/keys' -Tag @{ release = 'GA'; ruleSet = '2022_09'; 'Azure.WAF/pillar' = 'Security'; 'Azure.MCSB.v1/control' = 'IM-3' } { $keys = @($TargetObject); if ($PSRule.TargetType -eq 'Microsoft.KeyVault/vaults') { $keys = @(GetSubResources -ResourceType 'Microsoft.KeyVault/vaults/keys'); } if ($keys.Length -eq 0) { return $Assert.Pass(); } foreach ($key in $keys) { $rotationPolicy = $key.Properties.rotationPolicy; $autoRotateActions = @($rotationPolicy.lifetimeActions | Where-Object { $_.action.type -eq 'rotate' }); $Assert.Greater($autoRotateActions, '.', 0).Reason( $LocalizedData.KeyVaultAutoRotationPolicy, $key.Name ); } } # Synopsis: KeyVaults should only accept explicitly allowed traffic. Rule 'Azure.KeyVault.Firewall' -Ref 'AZR-000355' -Type 'Microsoft.KeyVault/vaults' -Tag @{ release = 'GA'; ruleSet = '2023_03'; 'Azure.WAF/pillar' = 'Security'; } { $Assert.HasFieldValue($TargetObject, 'Properties.networkAcls.defaultAction', 'Deny') } # SIG # Begin signature block # MIIoKwYJKoZIhvcNAQcCoIIoHDCCKBgCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAnDKz3BV5H/rqm # xUq9CaKVqBLr1+3/ZeASnsTpHuwbhaCCDXYwggX0MIID3KADAgECAhMzAAADrzBA # DkyjTQVBAAAAAAOvMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjMxMTE2MTkwOTAwWhcNMjQxMTE0MTkwOTAwWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDOS8s1ra6f0YGtg0OhEaQa/t3Q+q1MEHhWJhqQVuO5amYXQpy8MDPNoJYk+FWA # hePP5LxwcSge5aen+f5Q6WNPd6EDxGzotvVpNi5ve0H97S3F7C/axDfKxyNh21MG # 0W8Sb0vxi/vorcLHOL9i+t2D6yvvDzLlEefUCbQV/zGCBjXGlYJcUj6RAzXyeNAN # xSpKXAGd7Fh+ocGHPPphcD9LQTOJgG7Y7aYztHqBLJiQQ4eAgZNU4ac6+8LnEGAL # go1ydC5BJEuJQjYKbNTy959HrKSu7LO3Ws0w8jw6pYdC1IMpdTkk2puTgY2PDNzB # tLM4evG7FYer3WX+8t1UMYNTAgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQURxxxNPIEPGSO8kqz+bgCAQWGXsEw # RQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEW # MBQGA1UEBRMNMjMwMDEyKzUwMTgyNjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzci # tW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEG # CCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQu # Y29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0 # MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAISxFt/zR2frTFPB45Yd # mhZpB2nNJoOoi+qlgcTlnO4QwlYN1w/vYwbDy/oFJolD5r6FMJd0RGcgEM8q9TgQ # 2OC7gQEmhweVJ7yuKJlQBH7P7Pg5RiqgV3cSonJ+OM4kFHbP3gPLiyzssSQdRuPY # 1mIWoGg9i7Y4ZC8ST7WhpSyc0pns2XsUe1XsIjaUcGu7zd7gg97eCUiLRdVklPmp # XobH9CEAWakRUGNICYN2AgjhRTC4j3KJfqMkU04R6Toyh4/Toswm1uoDcGr5laYn # TfcX3u5WnJqJLhuPe8Uj9kGAOcyo0O1mNwDa+LhFEzB6CB32+wfJMumfr6degvLT # e8x55urQLeTjimBQgS49BSUkhFN7ois3cZyNpnrMca5AZaC7pLI72vuqSsSlLalG # OcZmPHZGYJqZ0BacN274OZ80Q8B11iNokns9Od348bMb5Z4fihxaBWebl8kWEi2O # PvQImOAeq3nt7UWJBzJYLAGEpfasaA3ZQgIcEXdD+uwo6ymMzDY6UamFOfYqYWXk # ntxDGu7ngD2ugKUuccYKJJRiiz+LAUcj90BVcSHRLQop9N8zoALr/1sJuwPrVAtx # HNEgSW+AKBqIxYWM4Ev32l6agSUAezLMbq5f3d8x9qzT031jMDT+sUAoCw0M5wVt # CUQcqINPuYjbS1WgJyZIiEkBMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkq # hkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 # IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQG # EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG # A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQg # Q29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC # CgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03 # a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akr # rnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0Rrrg # OGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy # 4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9 # sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAh # dCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8k # A/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTB # w3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmn # Eyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90 # lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0w # ggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2o # ynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBa # BgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsG # AQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNV # HSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsG # AQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABl # AG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKb # C5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11l # hJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6 # I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0 # wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560 # STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQam # ASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGa # J+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ah # XJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA # 9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33Vt # Y5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr # /Xmfwb1tbWrJUnMTDXpQzTGCGgswghoHAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMw # EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVN # aWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNp # Z25pbmcgUENBIDIwMTECEzMAAAOvMEAOTKNNBUEAAAAAA68wDQYJYIZIAWUDBAIB # BQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO # MAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIETNHluanajewT1AC2xbQ0HP # jUW8aG0qySoBLWVE+KK3MEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8A # cwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEB # BQAEggEAhHysdTEGeT271UeesbQrIK1SivYlbeNmtCu8j5pHGW3u4CjZk7Xw4bGA # RQi+0jy8fxJOflQz8XCmSv0RuMNijswO7GpRsi+/JBgYRLucO9qYw+bTAdmiJjNQ # RGnp+cs2m8F9kJJz3Cax7j23HopQ2D+QhkoM9O0hLrPQOTA7kw/d0gDkBDzSxgyg # LIt1jFnptKBZeOz0T5hWcpXpH06Esi+QbzHjAZn3DEDIRNgA0UUoaz1dnhQp/DcS # DIuOnFpxE0PK9ppBD72NPoOLJ13bBfmSCvBUGR2Q+qrzEGqWE+F6eRh09/6yujAi # rhOVWU/0k9QosHaMNN3TeL6tgRU+d6GCF5UwgheRBgorBgEEAYI3AwMBMYIXgTCC # F30GCSqGSIb3DQEHAqCCF24wghdqAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFQBgsq # hkiG9w0BCRABBKCCAT8EggE7MIIBNwIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFl # AwQCAQUABCDkgLgvzHq8/4FtRIm/8t9go3LZwu0zjfmep9p5ublELwIGZXr4jXty # GBEyMDIzMTIxODA4MTQwMi43WjAEgAIB9KCB0aSBzjCByzELMAkGA1UEBhMCVVMx # EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoT # FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJp # Y2EgT3BlcmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjhEMDAtMDVF # MC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIR # 7TCCByAwggUIoAMCAQICEzMAAAHNVQcq58rBmR0AAQAAAc0wDQYJKoZIhvcNAQEL # BQAwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT # B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE # AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwHhcNMjMwNTI1MTkxMjA1 # WhcNMjQwMjAxMTkxMjA1WjCByzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp # bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw # b3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEn # MCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjhEMDAtMDVFMC1EOTQ3MSUwIwYDVQQD # ExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIICIjANBgkqhkiG9w0BAQEF # AAOCAg8AMIICCgKCAgEA0zgi1Uto5hFjqsc8oFu7OmC5ptvaY7wPgoelS+x5Uy/M # lLd2dCiM02tjvx76/2ic2tahFZJauzT4jq6QQCM+uey1ccBHOAcSYr+gevGvA0Ih # elgBRTWit1h4u038UZ6i6IYDc+72T8pWUF+/ea/DEL1+ersI4/0eIV50ezWuC5bu # JlrJpf8KelSagrsWZ7vY1+KmlMZ4HK3xU+/s75VwpcC2odp9Hhip2tXTozoMitNI # 2Kub7c6+TWfqlcamsPQ5hLI/b36mJH0Ga8tiTucJoF1+/TsezyzFH6k+PvMOSZHU # jKF99m9Q+nAylkVL+ao4mIeKP2vXoRPygJFFpUj22w0f2hpzySwBj8tqgPe2AgXn # iCY0SlEYHT5YROTuOpDo7vJ2CZyL8W7gtkKdo8cHOqw/TOj73PLGSHENdGCmVWCr # PeGD0pZIcF8LbW0WPo2Z0Ig5tmRYx/Ej3tSOhEXH3mF9cwmIxM3cFnJvnxWZpSQP # R0Fu2SQJjhAjjbXytvBERBBOcs6vk90DFT4YhHxIYHGLIdA3qFomBrA4ihLkvhRJ # TDMk+OevlNmUWtoW0UPe0HG72gHejlUC6d00KjRLtHrOWatMINggA3/kCkEf2Ovn # xoJPaiTSVtzLu+9SrYbj5TXyrLNAdc4dMWtcjeKgt86BPVKuk/K+xt/zrUhZrOMC # AwEAAaOCAUkwggFFMB0GA1UdDgQWBBShk/mmNmmawQCVSGYeZInKJHzVmjAfBgNV # HSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNVHR8EWDBWMFSgUqBQhk5o # dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBU # aW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYIKwYBBQUHAQEEYDBeMFwG # CCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz # L01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNV # HRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIH # gDANBgkqhkiG9w0BAQsFAAOCAgEAUqht6aSiFPovxDMMLaLaMZyn8NEl/909ehD2 # 48LACJljmeZywG2raKZfMxWPONYG+Xoi9Y/NYeA4hIl7fgSYByANiyISoUrHHe/a # DG6+t9Q4hKn/V+S2Ud1dyiGLLVNyu3+Q5O7W6G7h7vun2DP4DseOLIEVO2EPmE2B # 77/JOJjJ7omoSUZVPxdr2r3B1OboV4tO/CuJ0kQD51sl+4FYuolTAQVBePNt6Dxc # 5xHB7qe1TRkbRntcb55THdQrssXLTPHf6Ksk7McJSQDORf5Q8ZxFqEswJGndZ1r5 # GgHjFe/t/SKV4bn/Rt8W33yosgZ493EHogOEsUsAnZ8dNEQZV0uq/bRg2v6PUUtN # RTgAcypD+QgQ6ZuMKSnSFO+CrQR9rBOUGGJ+5YmFma9n/1PoIU5nThDj5FxHF/NR # +HUSVNvE4/4FGXcC/NcWofCp/nAe7zPx7N/yfLRdd2Tz/vDbV977uDa3IRwyWIIz # ovtSbkn/uI6Rf6RBD16fQLrIs5kppASuIlU+zcFbUZ0tbbPKgBhxj4Nhz2uG9rvZ # nrnlKKjVbTIW7piNcvnfWZE4TVwV89miLU9gvfQzN096mKgFJrylK8lUqTC1abHu # I3uVjelVZQgxSlhUR9tNmMRFVrGeW2jfQmqgmwktBGu7PThS2hDOXzZ/ZubOvZQ/ # 3pHFtqkwggdxMIIFWaADAgECAhMzAAAAFcXna54Cm0mZAAAAAAAVMA0GCSqGSIb3 # DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G # A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIw # MAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAx # MDAeFw0yMTA5MzAxODIyMjVaFw0zMDA5MzAxODMyMjVaMHwxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1l # LVN0YW1wIFBDQSAyMDEwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA # 5OGmTOe0ciELeaLL1yR5vQ7VgtP97pwHB9KpbE51yMo1V/YBf2xK4OK9uT4XYDP/ # XE/HZveVU3Fa4n5KWv64NmeFRiMMtY0Tz3cywBAY6GB9alKDRLemjkZrBxTzxXb1 # hlDcwUTIcVxRMTegCjhuje3XD9gmU3w5YQJ6xKr9cmmvHaus9ja+NSZk2pg7uhp7 # M62AW36MEBydUv626GIl3GoPz130/o5Tz9bshVZN7928jaTjkY+yOSxRnOlwaQ3K # Ni1wjjHINSi947SHJMPgyY9+tVSP3PoFVZhtaDuaRr3tpK56KTesy+uDRedGbsoy # 1cCGMFxPLOJiss254o2I5JasAUq7vnGpF1tnYN74kpEeHT39IM9zfUGaRnXNxF80 # 3RKJ1v2lIH1+/NmeRd+2ci/bfV+AutuqfjbsNkz2K26oElHovwUDo9Fzpk03dJQc # NIIP8BDyt0cY7afomXw/TNuvXsLz1dhzPUNOwTM5TI4CvEJoLhDqhFFG4tG9ahha # YQFzymeiXtcodgLiMxhy16cg8ML6EgrXY28MyTZki1ugpoMhXV8wdJGUlNi5UPkL # iWHzNgY1GIRH29wb0f2y1BzFa/ZcUlFdEtsluq9QBXpsxREdcu+N+VLEhReTwDwV # 2xo3xwgVGD94q0W29R6HXtqPnhZyacaue7e3PmriLq0CAwEAAaOCAd0wggHZMBIG # CSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFCqnUv5kxJq+gpE8RjUp # zxD/LwTuMB0GA1UdDgQWBBSfpxVdAF5iXYP05dJlpxtTNRnpcjBcBgNVHSAEVTBT # MFEGDCsGAQQBgjdMg30BATBBMD8GCCsGAQUFBwIBFjNodHRwOi8vd3d3Lm1pY3Jv # c29mdC5jb20vcGtpb3BzL0RvY3MvUmVwb3NpdG9yeS5odG0wEwYDVR0lBAwwCgYI # KwYBBQUHAwgwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGG # MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9lJBb186a # GMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3Br # aS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3JsMFoGCCsG # AQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29t # L3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwDQYJKoZIhvcN # AQELBQADggIBAJ1VffwqreEsH2cBMSRb4Z5yS/ypb+pcFLY+TkdkeLEGk5c9MTO1 # OdfCcTY/2mRsfNB1OW27DzHkwo/7bNGhlBgi7ulmZzpTTd2YurYeeNg2LpypglYA # A7AFvonoaeC6Ce5732pvvinLbtg/SHUB2RjebYIM9W0jVOR4U3UkV7ndn/OOPcbz # aN9l9qRWqveVtihVJ9AkvUCgvxm2EhIRXT0n4ECWOKz3+SmJw7wXsFSFQrP8DJ6L # GYnn8AtqgcKBGUIZUnWKNsIdw2FzLixre24/LAl4FOmRsqlb30mjdAy87JGA0j3m # Sj5mO0+7hvoyGtmW9I/2kQH2zsZ0/fZMcm8Qq3UwxTSwethQ/gpY3UA8x1RtnWN0 # SCyxTkctwRQEcb9k+SS+c23Kjgm9swFXSVRk2XPXfx5bRAGOWhmRaw2fpCjcZxko # JLo4S5pu+yFUa2pFEUep8beuyOiJXk+d0tBMdrVXVAmxaQFEfnyhYWxz/gq77EFm # PWn9y8FBSX5+k77L+DvktxW/tM4+pTFRhLy/AsGConsXHRWJjXD+57XQKBqJC482 # 2rpM+Zv/Cuk0+CQ1ZyvgDbjmjJnW4SLq8CdCPSWU5nR0W2rRnj7tfqAxM328y+l7 # vzhwRNGQ8cirOoo6CGJ/2XBjU02N7oJtpQUQwXEGahC0HVUzWLOhcGbyoYIDUDCC # AjgCAQEwgfmhgdGkgc4wgcsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n # dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y # YXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJzAl # BgNVBAsTHm5TaGllbGQgVFNTIEVTTjo4RDAwLTA1RTAtRDk0NzElMCMGA1UEAxMc # TWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAaKn3 # ptiis7kWYyEmInxqJVTncgSggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UE # CBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9z # b2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQ # Q0EgMjAxMDANBgkqhkiG9w0BAQsFAAIFAOkqFEEwIhgPMjAyMzEyMTgwMDQzNDVa # GA8yMDIzMTIxOTAwNDM0NVowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA6SoUQQIB # ADAKAgEAAgITnAIB/zAHAgEAAgIUNzAKAgUA6StlwQIBADA2BgorBgEEAYRZCgQC # MSgwJjAMBgorBgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqG # SIb3DQEBCwUAA4IBAQBE8iBWOLzO+RBHx4c5QjU6HCd1h4prCbyG7wtret6/5mie # vZ5WwrZyHDT0koklKSdiemTig4pt37RvXF4yZ1e6TQYhYFdc/Tr5Y0PxootybKZG # 0FsXUEfT1ZsY5ZNR7y2teDMZqRkyM2D8zR7g3ZNuV5ExsFLqnctwLTwPC85rG0w7 # MGXMUjBEOstgWh6dHNOaH7H2CHEg42wKBwgvCJrXuv0cwGugFLjwl6/omChJzRj/ # mPkRhWCpML7f2rRuqN5daE6Kxgj6Qgnibq8tbCSEGh/aWnq4eVOJYOQIebz+Knwa # OtBMdikUi9/sbjz/hAhqAEqmlqq6b4HFhSwNXJGKMYIEDTCCBAkCAQEwgZMwfDEL # MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v # bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWlj # cm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAHNVQcq58rBmR0AAQAAAc0w # DQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAv # BgkqhkiG9w0BCQQxIgQgDcgK3U5AZLjMQSR/kI2M9MWA+z7Kgo32fmhgNi83gQQw # gfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCDiZqX4rVa9T2RoL0xHU6UrVHOh # jYeyza6EASsKVEaZCjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX # YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg # Q29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAy # MDEwAhMzAAABzVUHKufKwZkdAAEAAAHNMCIEIKzZ/T2BuuIwYOLYHusYPAf9NRgs # hfzMMg2odd82nYnXMA0GCSqGSIb3DQEBCwUABIICAMK5QAtAEZUzaCzwb9RupvBB # pkTETI7QJ0klqLxabENDqniZHf/fgZBH3AfjEOnMRajuZ7s9IeLTeGfBQEjcM04T # XLwRdzAJp9A6fmonrff1U9UL/OUkWUkGoKEFuQ9oeua9wRXD1ZcyawldG71+/1Ct # 60SdWFtq1eq3fWDR3OvT3ext14v4A4P7k3Tgup+edVAxkCqolcj2uAyLuKh41WiY # v1YGZmn5/hAEYZioEbVUYnkZ1qMgtVpEhaUWMzSzwt8vyHcrm5yc8/G97exH2RxD # /VvJC1rdNaV0kq+Nr6bHAKzLTE7bQh37LxSSa/PNv3BFWgm+x8pvOivMkNCP+rfe # 9G5xYhFvpN0qX02756UDyQ4nnBD8rbVIw7H6MieUhJvu6jhL/KuhgwuNUOLGrBB+ # E3KFgvp51K12lwmjrraCyYOYtmUvLeDpAl30YuKwuTODlhycQ+Z/mzggpHTaIxxc # JPgeWCOQSVw5lEwRCMkH+YmvCeTnlYg/jgh8zppMShpCpu2pHKEoAU3hEJeiHUza # trttcMXftjJFbcoqHpP2MZkwU1L8Te4S8Q63kG7YC0yfHJYKn3IP++0JKq9Dv9gM # V9HAh5B/UNj7CY0Xmf2HTmAvdR6GM7TicqnCfzg0ZU3GEE3wW+Nnm3V1ojvHCW74 # V067iSchAwricRS4W2P1 # SIG # End signature block |