From d35fec49fb900c75b837a768216aa3136e3ae750 Mon Sep 17 00:00:00 2001 From: Agasthi Kothurkar Date: Thu, 9 Jul 2026 18:58:23 -0400 Subject: [PATCH] Anonymize sample-report account IDs and standardize on Python 3.12 - capture_screenshots.py now remaps real 12-digit account IDs to well-known AWS example IDs before capturing, with a shared, deterministic mapping across both sample reports - Re-anonymized sample HTML reports and regenerated screenshots - Use Python 3.12 consistently across README badge, prerequisites, CI description, and the python-tests workflow matrix --- .github/workflows/python-tests.yml | 2 +- README.md | 6 +- sample-reports/dashboard-overview-dark.png | Bin 145186 -> 155623 bytes sample-reports/dashboard-overview-light.png | Bin 146593 -> 157010 bytes sample-reports/findings-table.png | Bin 179514 -> 191276 bytes sample-reports/multi-account-summary.png | Bin 145026 -> 152530 bytes sample-reports/scripts/capture_screenshots.py | 77 + .../security_assessment_multi_account.html | 43190 ++++++++++++---- .../security_assessment_single_account.html | 11886 ++++- 9 files changed, 41455 insertions(+), 13706 deletions(-) diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml index b5288fc..3484076 100644 --- a/.github/workflows/python-tests.yml +++ b/.github/workflows/python-tests.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ["3.11", "3.12"] + python-version: ["3.12"] steps: - uses: actions/checkout@v4 diff --git a/README.md b/README.md index 302bab3..232fe8c 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ *A serverless framework that scans your AWS accounts for AI/ML security misconfigurations and produces an interactive, shareable report.* -[![License: MIT-0](https://img.shields.io/badge/License-MIT--0-yellow.svg)](https://opensource.org/licenses/MIT-0) [![Python 3.11+](https://img.shields.io/badge/Python-3.11+-blue.svg)](https://www.python.org/downloads/) [![AWS SAM](https://img.shields.io/badge/AWS-SAM-orange.svg)](https://aws.amazon.com/serverless/sam/) +[![License: MIT-0](https://img.shields.io/badge/License-MIT--0-yellow.svg)](https://opensource.org/licenses/MIT-0) [![Python 3.12](https://img.shields.io/badge/Python-3.12-blue.svg)](https://www.python.org/downloads/) [![AWS SAM](https://img.shields.io/badge/AWS-SAM-orange.svg)](https://aws.amazon.com/serverless/sam/) **Open-source automated security scanner for generative AI and machine learning workloads on AWS.** Core checks for Amazon Bedrock, Amazon SageMaker AI, and Amazon Bedrock AgentCore are built on the [AWS Well-Architected Framework — Generative AI Lens](https://docs.aws.amazon.com/wellarchitected/latest/generative-ai-lens/generative-ai-lens.html). An optional Financial Services GenAI risk module adds 64 checks aligned to the [AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption within Financial Services Industries](https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/whitepapers/compliance/AWS-User-Guide-Governance-Risk-Compliance-for-Responsible-AI-Adoption-Financial-Services.pdf). See the [AWS Security Blog announcement](https://aws.amazon.com/blogs/security/introducing-the-updated-aws-user-guide-to-governance-risk-and-compliance-for-responsible-ai-adoption/) for context on the updated guide. @@ -131,7 +131,7 @@ This tool operates within the [AWS Shared Responsibility Model](https://aws.amaz ## Prerequisites -- Python 3.12+ — [Install Python](https://www.python.org/downloads/) +- Python 3.12 — [Install Python](https://www.python.org/downloads/) - AWS SAM CLI — [Install the AWS SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) - Docker (optional) — [Install Docker](https://hub.docker.com/search/?type=edition&offering=community) — Only required for local development @@ -405,7 +405,7 @@ GitHub Actions workflows run automatically on pull requests and selected pushes: | Workflow | Trigger | What It Checks | |----------|---------|----------------| | **Python Code Quality** | PR | `ruff check` and `ruff format --check` on changed Python files | -| **AI/ML Security Assessment Tests** | PR, push to `main`/`develop` | Runs the `pytest` suite (assessment functions and report pipeline) on Python 3.11 and 3.12 | +| **AI/ML Security Assessment Tests** | PR, push to `main`/`develop` | Runs the `pytest` suite (assessment functions and report pipeline) on Python 3.12 | | **CloudFormation Lint** | PR | Validates deployment and SAM templates with `cfn-lint` | | **SAM Validate & Build** | PR | `sam validate --lint` and `sam build` on SAM templates | | **ASH Security Scan** | PR | Scans for secrets, dependency vulnerabilities, and IaC misconfigurations | diff --git a/sample-reports/dashboard-overview-dark.png b/sample-reports/dashboard-overview-dark.png index f868852368986497f391d9ed0caacb979b2ed37f..a94cd0a7bd31e8e47773950b82143efd1be65fcb 100644 GIT binary patch literal 155623 zcmb5W1yoe+*FJm@38fUJTM4BF>5`W2PH7lQxt?y80tGd zzxR2+_g(Azul4_67Hj6rz0SE~-`Bpbz4uL|s$068gfO)vQFyt@}-iWvCw+;z7LpPLEKd^}lW!^5(m%-m{WVd1Q2fGS1X z%Bmpw=fE6i2-(T)r(FKK+ZWI|c4ve?UEu%NL25DaTVFQNE zk5z82b~WNv6#~vig~C;qH+QngJ=xiA{pKd0H1(SZ_*}qG>oaH@C8e{4-TD+;V-r z>UoA|V`HPqtmP8+HK!8#d3AN~{p!&uMOyrkm!bWaf5-ahIs+}vR)Yz6qX3}*1~Pez znFz=PSRVrLuEgXC+?M8a#f@A7j>)Xm{e3RWu^CY(W1F|8Hg9QxA2+aJD-J)e-DHeS zc0-Jy{OHYvS^l4c4SDI2uI7wGgTDrHHu!}EurK`3VDV*7{$1kWz-mlc3#p>$q+I#@ z+uO~y+pB$+)!x{(!v-$sj~!XH8;zBfBrWFJPm+@Ts$FmIJi* zs_x?gC2G%A?VpQ?GvV`z&kt5*Th6BL-o~Q#rcHpLbJ6P~5AW^+vB2e(T`7_4irPh+ ziO*$1XT+(={(sI`fIsJT^P3z!>gQafF|}d=Rz2L!ZtJMGro8Moa`r^*j029wb63&bqEhpAwM#m&Wo zl#&cSG9q=ev$D(2&y`F|Yv+9N9r+fZ#pbO44u1I%5T?cgBqW1FiQ&46Qo5W#rl9Zg zz$FVWuQv65`TdYD=#(!cbX=P$i4O3w!0r_ds>=e zcZ)*z#Vt10TJDz9+OF%=SQDHZGgWS{h)=i>mbz{ht_lzj#}A6-u(hLpCyK515f#XE z;BlvuT;CS(9dbYie8eRnTicPI7xLY(0A8>%$11$-`G1GU**>cBJOZz>=Be%L&&MPc zKs(em4KQ8%W0UZ9<}?@hQu^a-Y3a{D3**)tDLUGRUUOP3B(u5(gD`G%fY)($61F#2 z<-fR+qQXdDa4!f-=5+XTHsZ{IoPzsajlarQ0ecTUy-R}w|IAP6P5#pzg9s1w_U}0f zn$zj&37!1*9vQkv*U<;mf-zt|Qw55>*4fSGNfSAJz8@TUx8~Q#M&Gh`XbLQjY{{r_MG;HUA zOwk7b*xZ6k0OpkX>C;2No)_{v@4b<*-NZ*a!1>1K$Efe5-D&EcFPdpz@a(Wib$IXU zLV1y}>zRufA5Yttiv%WhdO&z#V3vX)5c0!j+T)ewZ8?Ab7 zWMk_f6o3*2K}{4o%$M<+F8rH|%No+wzUyD`Qw>C?w6gj^HqHn>@yp#{f3KslsK@OD z^~lSCcgc-GG~|T$doVxdQ}MffZET!0Y&UuBL=4!^x9a4M;{JjR^>d(*Nls#yM@+!d z_gT#cxIzYyZR4CUjMHAT%BZM*@YP_*4$SBqpuN%X6~Rvu(kvuoj<(F}k~8ubNr@gc zX!fMJ2jIAN#Jqe${aFA5P|g%p!7~W?caNYElkE|F%MDdi3+c?Hq+%}lhIc?tPSt1j zN{jiltbtyGAnk3Q?-`A^-=GU%h>W{jPjx{jTa)4cD`mZCy zM!`B>xx%G@U%v(-$zP@1Qt(-#xgVUoT#XgAoA_e`yj2*Upy-tvuFJYwe~1C>!hIW@ z^ayG|M+f$I`Ny9Db5`Of05~hqCYF~B=z#hdHyW)Vv)^2L!bBn@@cMf9(5UVD4_U3Q zi#+*XV-Y_4bKLcvfz6@NMcDy20VRAjNZQVYvk9TM*t}Za>#^E)c4}< ze9MWh%!mTP83Yu1h-~)Q6OeL17k@-H+qgwGI}`kvG)ARs`TN2A9*KUs3iS2RZ#dzi z{QaA^Y!=nCUfBQeH8d;dlgyNq^^fl)fhA;L^~3zcY?H+iFNQO#fueWZ1xj<@y$hGo zWpQcD+=6sR4hBcR+n;j#aaa3=m}NFeJzLHnzjEI!z1eYMCVmsG@K#P?_#xf{Kd<$# z(#O^>pFUJjcnr`p=I2{lp#4P;cI7Ni$AMq4wyV6-A3vwy@PU}ZQ5(_gH3K_5YYsz^ zfTOt>+b1Rgw}-vddOfQyv-ZTmHR_6SyVj)1$GoQ|@}6kmF$z{hXWP$GVwg$k+pOby z{1Dzn=!$kXr~~sop4=3@Jd#D#W(v9+0?YwfMgBM|b~TL)h|XcXjz)hq(By zFgp`p1*gb!2;$6NuFv*-q~v>TWuwm)Hq5C&leus}*KlP0gV@r&8!Z2u$%qLzJG-9d zyGvZeq)2H0I=CCX`&JrnL;Ok|O5Y}y7MCf=4bIg0A9O2BzfJ6t1peU(oFTb58cea~ zmFe_y*&?3O2j$$G?C3#lu=tAj!Ud!9@*&6aA;5Xh>fXs0V;On<0^MgH*aNHT>gpzL zxK~|HQxp2uAlZJF=L?;ur?Gym(ER+O*4D%J^U3C9baT zdAV1Kh|)w3cPUQN8R_L(uNFD#92a%e^c>!?n^x=9o}SY9qvqr0v5GL_V8Z7+2NcDb zPubI|t?v?sTQ4dJe6`qhgi&k#k#e@-TWk;WkK#`=(7x0v`Rz^!*tdRM+1&JBYfojO zHV}9%IA+*xU8yVnAt0J$Xtu?CKG?f@KZk_NMe{Yx2@{0SjNkcR|9H)<_Y~#zhyzhFkeicnR`*3iaxUFA8AT8MLZucx~A59k#!VV}3F-5qJL>%HE*sW-NBbfn_;UU)N!w?`yo zV8EN92M*Z|O^0MNwQeePLt6u5Louhk;I$B2DzWd+4 zZGZMXdGsHh^@rmr*0!*!)=mlVX7UAKTP5eSyI@64W zc_o_P%6IPFzmHp0S6TX^g82orqrJ_&kkS`+pgvG5(;h#@@Dqg%V*z36qjPij09?$@ z9=N_IKFn!jbMtxH?`oGL>|k)C+uAx-*H#ug*^Jn{o*>7>JDSM;p00>$wAgL`9{(367e({)uYB%#Dr= zB?e)Iw{B{^p2gMWn1Qgk7?1SzFU0t~QoeR~FO#R5zxSJL9r~Ij=LTS8W+G3$c*fpC z*XC1hh|#-ua@xw-`>tUT7{`~_U0uoSGI@2JB=@nfX5h1H8ylM&#N_j&+gr$u<*hAZ zq}U5KksS|j%R&Y=X-Z;5=V0v()tZ`9y+ppfqa815H(sPE(fBqbz7<~O&c{=x`l7-p zzS%=WxlFslxb{9E6H6)R@cZIP;gH5)jDBfjzFv;%Hj(?vcLCsw>aPp~ecymz$UQB< z+0&Km^{=bzu#!~mXT%{GfO>JB66-6tJkOWn3J9n0eV+y8(o(i!Yg=1~988>C8J7C0 zi76Hb2S`fa+DU(9UDfvT=zpRGX!uD;4&5T1Ypl!rSSW@3sw`iE)rB{&i!~*t$zrJq z$w(@wd@g%och`rTVoHVsVkbR2!vX?=Z>~NKJcxX0;&*BOxuZdtcq5oY?CzkZcvX*e zuTdgjeQ(xtt@$7@H)+#b*zso>_r%EwRDrw71sNfBHSn1v+m{kxH;OYl{dGK%ve#XW zg+|LG0-4%fFVSK1zFD_sEt7%-B0inEXV=COwS235viX!KMf7xSJI%x|%J`jWJFOjB zt^OX5&D*!m?F&W}Ma|l!0cXD_cbX_bXG1gi`4t)9*v-IZc=W<;mc#TY@BPHdMw_Pq z9HEl=2pz!L7(yLo!0;q-VFB0s*Nxm;{$DkjJr9Jg+v3|ssdoFiXSb$dZ6jsRMrTG& z`ki*}^xL$Y!rr~>fCZugY@C793jMO7U%!m&-(Ph|_TJ@e-kby;3}uVp0ooPb3%!Wd zGCt$A!y5N!uoEp8N6nzfqzSy3T9I}we(e34T**ZqWv zCZ>71jGIpvB217y&yj@&tw*+u(WjFncR2`STfIw#iXUm8(j{)Lrkxh?X^5r8oV%;S zSW?;U2eDN0>6H4A$LJ`JYC~rmuV|^}M@~CrO)#*qr10>ug2HgDVf^md^nH?8yvvlvGGD>AgH44=5*6!T8(>i5PG;b zO`|prxtlrZPJ{ne)nJOh^55eFRCRT^9LEfW6aEQKeE;~m`)QCf0hqOy|M<;BDKW_$ax zLglF*R^Ho|+?`WJ7;ohE>Zc5Y^pqq|?|0 zaC61&xtP<)C>}scPIb9Sv*@t!=lC~KH1aT<47X?L*Z0`K+aiO>dw}TO?hO--iL@+V z(Y&bdS&c(r1B*rp?bQbbz<3bM{U?m z8guZ-x?}ogZbay%(|u(vtv?I?=Sit(w#UNBI*~t zauD5PV^wtra2nVr+`V~c@Lik#^ljE&F3C-+qw7^S;)R%)6Y7H|-xHvys8rB<+i!YU z;wBUyh=|Jsg1D{O)de1xvnxNBmD(|~R=<*BOcJ|VF-R(4^Sa84FUI!-O%vzOc|LK5 zpgScI@OzNWuyq?sR-Iao_#WG|b7@U&&Plp=8k1G$Xsm#zM@0fVITNC3L!q#A$_<(1 z5<5)&u1;lhW%2HqvPs-fLf~e;Zu00P5W7*+DA_A~L`+Efgj<3+#bKdpXMDJog_SjD zLslwuAOrE()%$9YB#i?~0Jt=o?Kx3U2Ogy?-pwhN(X+m`nTLsy?r(zTS2VF5o8fVN zkmRI3UR?wQxf(~?AA0}DR&W*)s}K`y0s*)>kzDb@-B4b zCncb-k5GoS0*pJx=S5kWZI2XE_C8Wl4q0#&_r_5R#2Bln2GPuSviR80^SodFsU;l! zpWPh&Py)$*ILX(xwocM|yX`sw3`{uvN_d=e@Z)qv=)m7)dqCQ!59FY#I-(T3`xk#! zD~h0jPV@e&zaKy-SRfQ7qqz}kVvblS0#J}X06@-+>cQ%bgP{d2-odY@b~uF3cXI*G zfVmg4SXZ~W3V)f8Ui0nJ@)IpB9=ASVgvJ>)28tT(3Vkkm=6eA1w{MF9o96Qv%9;E+ z`r672Wx`EX82$%G`Nu_(Y=|>tD#oj|-L749kvqKfXo1<}patrAW80QEMUP(?q`Sa%yb7aW=0FOC}-p zP|$5|+zW7aeq(1R^Y)V%(I0tv<>(k}2JB~6C*NgGD?xTN&IrZcd>9#m&>6i5!}df^oh6j$FQ9`zw^$6urLO~$eJBe zDU#RZgW*bW`mjq^D}976T01D=g@xzP-Y_OPEjG68@C;-Lg`oUJ85mk>G==VuEk9>M zLKNnyDdk?;PJ~ueOkY-CEqY(Azk2nYyV^xLQ!sF4!W%^{RNS&UFxKr#uzz*cXibAh zKp^0`{IHgk%JO4W)ECC6D0xZAV5BE~xrn)C*9hHR*YOw^w<}Uq)TQxR`Hg;kaV0d$ z@r|z_I?rR$qP>LWgH1_K36L0ntK-Gb)7X2brg=u* zMc-h>jkIVMeL;`t%${3_-fr(GM-`s@$jXGM^nURv?&`9+%JVzxCeXxvznh)_aC$l4 zPZ@Gu-^OFTi2WN-YRAP79hsNO9nBQ=Jp}C%jGBH+i8k@Sv?Y%2w%}UyKJK3PB|rtw`XY!PuGjAHiCtd%`rsz)37z3l5XzM~fEo|nVm2Xcd@5jFr zvteRpW^hf+?#L3rm?YrvJJbPjK6az=+fip^m46ZJ)xPIOjiswCeSH}Dm491=ItGr8grX|^nfjh767eXO>B&}zUH>d!(Y<; zm;}~}1%RUI_Er>hE0kF@eV|s!ZQ9ux-O&JmypA_1My6FlS?XTG#w0jtp4883hPw#+ z&Zw@k{eAF&QsYLO^K40tf|$a6cujG}(bt?DaZrPg^DqY79O86Z5)WlaWAOu~AVx8% zWSKNs7!M$qbLc*>5=VEwi>DCsS^M}dUKsUr62gb}CSP6Tdu6B3l=HYV*WXVV ztzDhou+pt#LT;5&(P(611{bg|@bIjysT&o)AJRZ1ur#co@oPOx2+tPYtGoBwB!6_c zV%b?Y{F2HC_bLV{k|mS7zi9x|QJt6>k?N)mmy!Ma&>1&!%6OQGp>VWOA{I}HguPoC z`WhdwQiffRa|F7dsMuDFjMhtT)J2B-FSV*l5zjoOs>d(gTJ+{O|yF!>HIuvUd>36T&qb5h=vg?sb^1aM(ZY63m?DGc<)ou_lXJIER!MhX0L}@@fA*6I0~IyQ23jkMIo4% zJwwJ|U2W~c(wp}{z@hz4S{ka5L zjsM-e4hV|^lxK5|`)R}A2aQOq5w?hwe(Uw421{HNs4+wbY{OJzVxH!usFw(7i+gi{F zS&sN>kp1Py*CPv09?_myD!CM2P39Dnz`Klhkx^}Y2YFTK8^eJ%H$8j6BUt*;E_eLB zH$gCtjP6#q_0O@fr@ytLi`Of<7V;nl!erGCf!3?-KokFSh_Z5k^Y^=t%W(NmI^}a; z7?m@H&rgyF5VNzGn7D%9&kt6ahNBQ&Nlfv%;W272k`Ds^Fx0NKi#pvU&^J0DsO^$k zFLuRpW$=~W${!z}e&)8ube{*sLO|0!8z%;)!uoi`QVRuyljB>hgpwi+ z@oMTL6jgSGypjbAim;yoyL;^ZxjK8H-zdJRz7U|~CF*{wELV8NVAS-q*>2s;2bS51 zX7*3I4|GK%Mhs$Y$WbO^)Zx`|DDejI#=REu(Bdt<;g%ELn}bUn9TUIP7FgR|OrJ#@ zxq#cmubdMjo?7>cmP?cQQN?V(jmgu%05Ok&7s0e(?E}GH7#l$QQef|fK(z4g=JXsd zi7D>z#0?7o#X=#>5D#!L>vIacRleS9R@Z zlL``8pu{=+Dukeom91In1`HPn(Y9WotVI`h6C%=HK?fRLtp>8VCHW){PwU&xya)Ll zdkPDz)u8;K3hcBm%^NH4*%9zUHt6TxZXXjAy>bM@ZeW&ZM4)36y1DRLzs2m}HuuD< ze&SF<$9}JqZoCZC!*w-vYOiRUqVZ0?K-38k58UVGf22I(_Tis*K{kUP%cxeJ;%P}q z$@HF5_+O59e?}UE?!KoqM+%E8NvUYyvYnBU$PK#hyLWwHo-LK#_eX2FxaV@Ntcuv_ zz|JOzVg9(FKBB8vB|C%H{H0cd_&I#*u+aF%_gMKG4nPIDKp{-h%KYS+Q%1QdwkdSV zyhZ6=g^{}?()Y!bW`d;u^6jShYt(9)=k56=i5Qrdx3hKNu2q!q47@Ln}@Ty7CPlC&c)8%$f?{EDE%zHmJUi7vpFE4rj7j5cWWmpTp>(Ij{8A)(? zGA~Q&_GSzW5NfMmTFaM*-3?O9z0^HThkpF{39gK=7t%}GlE{BFBRP}TY4kb5b3Y{R z2!?+B1APSy-=cPp4^~%_o<7|B41w%S-B#M(uJHJjmFs|`RY((Qbw^~M3{d(E8VR|q zP1HaY`0VFKCj=bwzE*7`4gxcHA+{1`QHQ)q>FS1t@^>X^t)mDKD7m19o+In7B<0&F z{yg~+dwC)+T&4Mn&;;Gpw{Eo&665-k#Bp zg~34vK0a70DYy5ZCsNK|V2U{}UcA^xsYmp#`uH^H>FK4W>CCfNjHFZRbPvRkkS^({ zYMQ;KTY=R{I2Qo{txAJ~($e`xyKlhc4F^a4*qDn?kh;d) zydhhe)a-1dk;x>%#qk+Ud@tU^lZw((UP|>flO9vf%q+^xEGi;-OKEQ{rM)-Aqq~=M z$MM_mgv9^${wG+%g$WPHWL6I$`-zPg(@Smi0R9mF z0qOjIRlj}5l%@GTOZlNOO!b9X<;?k1G)WYz)7gL0Jf_d;J|-M7R(3%HP=*4&gf#P$5>@Z?PE z*Shp&$`1@7RF#+a{FJb8gHUB=4h~%SwYD$x zNzYBGf673pnxF%39-)1pJ5wHd2rVt5jrXaXz-(yn{cXubod$7mVES02`Z9&D+_+2o zqpFxlmCs8a`n|oQec1@17g}%MPnTQdFL(xV2$B*r#M#Y-jx=UR zXGkG`ZIPbi;eAaVZCyPCTu310>4s2q zlTovuF}!f~m7mMdGN88x=@wQ5D8Q{bL!PHfqHx|~MwDJOO~ znTe{NniUAwK680sviEwf6ti)_86Ws%q5e&{P?uHv*E(|wA<(tL%N~IaoW&`F3+)ny z3t%VOI5^~F2jg3OMCcdS#Idh!TJ^10(LFblk9r8SBd6}YfhgdJ+t7@`$LuW~2A7Y5 z?uQvF586W<4!jNaQ`Mgu6>r@JR_JZv8W$;2e7Pl@#P z^}-0^9BmyP9ZRP(o~QNMm6Rl{RP2;-a`U_t66qf5c=gN<8OGf!hgZyp1-z|#j$wq3 z+Ct););8*qX^w@mSMf#es7Fe%It8)wj%pf>KPgGpYd^G`xJYOG%j<5zmPI zwXwLeHb13*opi|7!M5tr1B{Igz?AWk6hS;%@E?MQr>8g*Hm`ZKQpoZ8EUIuf-I}#x zPfyFKjVEdXRg03MGm05f9tunkltw=`bs`~|6%usy7S1)m0iGqK{SU13kz6L_aG~o z7%M#7*Xwej$%D**?r*ZN^Fp?ElzSthYWaSxiKeV zz`GLgZ^dqaOY{n$Z7M-TXi6mgz$O ze-~H(uM+J2cZvyFLVqbnXDs#gAYSCgUc+2c!`!?+o&o#k z=xC%V=Tn!)1*5Y#eC9CuGVOC`Zv$Un+Be0jXBHWQ0|TsOWejGoTJ&*naLV!VBT7_X zGzo^i(!-C7Gm9jBtA4-^2K~9YxuKf!H!Pfdo9~6*aY30=9s)CzbxBFp6718y(5Wfj zdpI~g$0wu<{magmexfY_v0%K>rpZ5f)aczBo{LK=iv_uR??WgnW5i%iJ(T0o%q&77 zk5FCGV}W3bSRzM?)pn79*yl<-Up9VG%`wGKng+NxIUMzLK%*u-x?UQ3pBIDJ`9US|n5qOUhTr+;q!F)qF5MSmm9NBr}j z%fwUjSQ$bTqC=9#!J9f6w*0iHVpN0@ir9PUyBsBiTs;U*uQpYCE9K>{6q^;Yn(ct7 z;u=Q_a$@(o80{To3w;^AO!EvV}Cx3j4P!T&jc@jMsus46sr7?bXu;6V?(9{zyqk-o;Hes9dIKkJ` zUPVO-jdp`ge|KkddS=GP$*B#pL;Ovyp`p3L_*ho~59dT?>^x-iL1U2y0Z7Lkf&>{0-Y~7URE_ ze0!VtG%|F(zW>~QacXJ`e(Wi0>L}`TnAjF@lmD&io*3<4sQG(lWS=2HO|s0vp7-W7 zEh25Y>!rr@%^8dT^y;v%=j}=HSYl!$4vDmkvKPV0f}n?JenceQ6au`&*B-U<1W*WLXd_BYKxYLaO` zt`k&5QWB;(?+~Y7;N2xKWy{NdG&x7;17o9om*B_bCETxt| zVG5~L4Z9U$S5n2Qe=e>gXng(PrL#=&)R;k&@gg3}yU^q=DF7S$VZhoUQ^3V`$zBGp zdS(2kv9~)o#~Lh;A4(?`4qj|!R3PB`7#qYDKTbX5)zw`!R+G2Jk6o&VvxOf38rB1u zoZi1bh%_S$dEG0rS~}~LC>+yL$>&XT z;pv2Ex;?L@s$?Tc%P*lRE-iYEVs)>rMPD$a%F4{lG8)Phet)>D2axjFj;+~_@9k3A zLB9DO{b^rXLVbp}e|mH#?mwZ`vbj=w3hjIV`qx z#nJYuFOL%6^VB?E7LV$)^G<596*MiQ4Dm;?rK$XxA)|40HfVl&%qdkfyT#mAZ2FaE zt2Axr*LZ~Wwf@()z5soI;NOto-*Zj#=DSo>zxy3Y*4ByF*0aU@<&tVJ=E+n$jEA$=&5k2v>C%iu1LIKj->O#Twlvf_!^d<^CkpT=cziZf2W6() z*Igu^JrfPM6WR83f=X3^mS1S%bGbI!DUt9C4rkn?AsfXkf${Oq=F*zAp3|ARQdYp!m7jZa;PjZl z#=%xuPO-`3w2D`X@F|ziHNUTK@5)MWl5E`6^yIzvYL1pF_wn%54J+W!$r&~1X@}S{ zur9GKP*=6JHTX0<`eoW6crd;c9YRcd?*Eh)=H6GRXw%ct@pL}e-!u+z?}W8YPfn=r zIN96S+uLZ?d$JW5mkPR=iWQFnpb*MewUDEt6$`v__r-n*WE!GG2$p=_y-79>-q_F@fKTHQ&5 zCa@>Tft977tn>1v2q>V=JK7|J>h;S|A9tf4AqB?KYRvguEYI0qKg&dUt|S-dJbuhd zEW|Cc*ERZl;t57Xcr1*o`{x|^`?WHMj*Vx1V)XfN+Znt^EP$lG_C5a`xGyd+Fn`mJ z<%Kq|kZ=G&qn^Y7Wme`Uo4$pExy~n;@Ak}N4LQNT#PFX;3A?o2Yv`7(+c_FcJOJx_ z7uULn z*z&^KzdtFhjb76Iz5-+T8sQZGG55{G_ z(Nx<8uD-`jk)vl=SqoKCx6j$S&K?yd`Oc0CrATH*mc#Xmn2(K(S3_;=-U1cEeN!dt z)wuO1m_*JJ{CDvO^#ZvbGkFzsP)xN0(YT!g(BHhf`T5?L+YtyjJm6;8*VXlyfklUh z_qBy(fv=D6u)z1c7Ujg4O1bR)UQaEs(m)t$X%!zATrIM* z-DY9?UhSQfrslxK zgPnjYtul2_-;vmlk#aH3(nLr69?16KZiOr(!&%C@Ut@L$aSjt37?>DF_9hFSpW5ibz+S#h4x`KOGP#j0 zetk$G#LNh%b;nN-vJCjj<1_f*|4g>M^4M=D!2YXO{$?=)4Q!;Oz}Iwt9)qU|CXdy1 zXzE4*NC~LH(|pwoiM;c^-DZ`JdzkaHBbWHZYV(v z5T8akvr=jp=9(Bd>py*L*1P+_>L;1DecFp~b}ngBebAPwVPxE-o=9rYF^v z7{vIjcM4)D*<~$kx3<=A4g(jaZ6;RgrphvSb#--tHx`;FwJd4JuCBn+@9tDK*ZFN~mnPsJJbZP~EgJ--Z^WKT+y(;c8f&;NHqeTyby>_>(bHnkQ z-S<8hhv36;vhd@gQ0u-9YSaoWkk7>nT&A#Dm${eFM!QY@|I~q636b`!`>Yq?wAjgNR(iMGWdou?H<`MPx-e{hToCaRY zggqb560F>=>{X!@-CaUzYG`TctK$NE6}>Xj1mm$OA6eN%TKq*Xhp+5vzm=7p&UB!I z`X>5clWn))Vk;|4SL}f%F*R6OUGxQm#`;g?16J}=BBN%P#%K(gII{6QdB2-$*_gP? z<1`vDe3npCTL*{3wY1$dx2kKa3$Of{DZmysF|$^vV_XO^_$Sr zL4PwhxHCDag@z{Xl5gKh(^lrQ8`*?%{4J-L&IJa3jQCxN18H80$X-W}#$_vwF8^;xdv1myH78t1^wf z^>mRSX?3*(5olD%oU>+W&0)~^8Q+-`TAK4*#vXM%ydbI|_VVeGLk2Iq!Ofo^pf!D| z&9_7p#Ga7S7*PnlSGSV!d8^BxBJz}4-~zNDWp?(aTKeLete`JTaJYWcfuy97k)#n7 zz~9(lVd>@;@~!-vn}^HZvvxHDgIsQ-`EH_s>2$@ZF(MWX!YA(4UKWH8h|-|^?(nrO zZcqD#*ZxzxbD6t8udm}w!IShBmU-hDN{JR$KA$t1d&?lxid1eBi6IeqAgt#3K*5?( zo2@7#M4f6!*2f~cV-k+b+Y*jE!oH?jh~)EU_IrCPP7AbhF367wA_5Z4{_duwK{g~6 z(gz=!>z%ZI5vd4Y8Op0CDl)FRG^T26$BSORHfoS8Rs|zgzoT4)up-*Oe1gNbi;y|_ zSs{_iL+rIYJa)BFLwuF4&R}_Q!NRPFP`wI_=PLGGtf;(H*!8Gkh~l4;`oGHQmW^$2 zu&Hf;;^6~=i2d+%qXxIxDJ2S|`vwo9IC8MEk#Cj zVB5}a$h{o*9-u`;^n_7m*`>j)DRh{&jXBHo_s8^C@A({6br`{d31>X_S{_!${_erD zAEhzIlID`n-Fb*8$+gpAvPOI9hnG{lyr+!igD=c`RIu^!4DNdMQTo_GsKjWliirQ^ z%H{3=Zf6AP0t8~cxx6ktt+ft?lEvjfENYuzJ8wiR=(?Ik5XoOV)Bc$eg=n?wyE21Lg|lzA|CP-bph*TiAvqfv?SNt zU9x#!aP~^e%G?(BHwqZPb;d0VDLj%gQ0U({4Xo5H{Y5w0uPt&k8*xV`SE?BWV${4j zX#>t9pY||m8Ft+&zvJ-Jrp~}j!2rL3P&sO2W1yV`o0#2zI&cT`6!Lv^{mH5$-Vu)T zd(T34F4;J;3~09FHkpD#ltNTAczh51ZvkkuFX&&JIZuS0ML%h6qz?FYs1g!!YeXEBqX4UNn%9lP^idJSJFydstD*-b^6`iYeTMY&_g7OnA_AwC8MJr%EfN9 zOq=B1;qT8UWq(F3>{Jv_GGiuHdUeaQKp@N$q(maGpNo|3gs{`Tc$=?IQrG)f-$4H} zIYn+n?EgdETSi6QegEHsAR!n1y7sdWL?P;D*fbd{%fKQgg^H2BRc8u~z9x^9KUjHH%K%6!8zJ&!#v7X{W>>Dbhy ze$$EsS^B?ya9f9|CyF3|4@(=u#6&t;f-QRAfd-E?{mNV2Byo2b{>&on>tC_=g z-(m+oq)bSPeXCjyZx1U}9~it3tTlfdm5TIaYzWb-F{S*5a7w{S&tqC!pFh-2#SXpD zy79d9(af&USm~dv%{Qp#A+cHHd{Bc);|OgH4cQby0L5Z*h~ovR^j zs;SGjI1F?Gb4P-JEmB;6Z(mPZO3j=E35-C5nz~}0`D|+?LJ1F_xwuHreOIndw2g|m z`ypjf(X(j}0(F*@n(}J5!|Pk=r$(s$RgV3OuYyq^zy&EYnJjR*xr~x7#;XC0!2x$w zV^CaN9T>)1-2v|vQnFLKWaD|9x@4=QRn@c#M(c3jze?~A!V0DkyaIuXoCo80SmLg$ zOU!_RgjjHFReoLlO#P1GA>~4o*Y=odp$Zd$RC_VmbY5j9(2D?usDoC#8-kJjw3FM& z7>VjN^}^WLLBRBaV$T|i$j(f8u(SxT{pz2s?o{-Ln96-?(s*)X;`E~=vrIj20@!o&d)^YE!9K^wla;AEO;@>f zTy*xUho^D`7~pbFsy5VE-}eQ6$4U^6;N?NTQoat2&0LE|+?y8&(2GwdoytySn+P)} zn4ESxLssbJ4#sgxhY-(L(0Y-4o(Xmcvp|0f3X~e7Q=ez=a^YebB zZa*KR`df5ugkXOIlRJt(TXM%eciLF!^$V|)z9d_jtmrVGt8_)Uixf~JTBW%64GioA zl{S;ln6|DY0MWMpM@fw4*Nb+`&CSjk8xldwT>bA~DI0$#F2{W^r=^XJQ<6dnPw#9^LKfDl;XBdjK9GNIB;#(W_0Vfk-DJm$K1zhP7*8KsFt| zncph<>;phr+<$1_`E*Fm??ljHAt0hsTC(`l+FGE+oSHN7MxT$Qi47T&Aj=E1Oz_?k z+?py9l|j18%I7^p*NXLZCpqF+FTb;@_jnM)fN=dNp=XTg>B~{JdL+n$0RE>h-_ezm z|1qVCk;2X(g9wxA)|Qqg?+kOD@`Dc)Gc$|-brY`=RBU#b*_?2(dmhaePLFYBi%Lmw zLxkt)ot;k8>d}AA@<~6%t1H`&&KlGE{s34>w)(pT*x%RusCbashJr$tzJG$-l|JUZ zg@vw~Qt0Ian8=5R4aHSeA*~OB`a7FGxv#a?jkB8#d#x3_px*;__EzuI%;&e~Y_XY3dDT4$3u`lohu5Wn zB>4#rbm~7z!Mnmm=B;^?1<@Ha|E=KEN|Skap1-qs|E^7x&KJP>eq9Ij$N&7fKDSJs zlJBzz5;c7B8B;C(KVL%s0i-tn{m}onQb+&q3L;Veui8@oKI8vNKmM;z{r|iI)h!Ak z;@&3&JDt>T`C1`dl#gL3hL|EVlDJ%WpO{eu;=@qxWN`d{(y<9ccGovIf3F)-Ki)s{ z#u!&^WTe(9tY?MDpC^D zNj+d@Zt}eHyhaB3QiRC|YFE-WalbGWG7K)fqrDp3Z=A!{s%b0yw)8mKJpu~Ms;W<( zJ)4Wpw*0z?{W2U06S$7^KYnDNJQU%Y5;QecJCo0Bh*6o<&`;IZO^*FmuUq_XffDH< z(*wln7S{{Y7eRwazKI2WARcu0?;Cx9PWawslV8W$gMe?MQIgNf%Uz)NAOWJFj#OvC zm$~cE5aqC+<7SFSJ?~K3AijxPeN*c>>-6C1i2mXD=Q=;o!56Kl)iRT>g-D0+ejueW zHft%((6D^?Mp*SMX%$5zl1>UD5}oB-A6FxcnZ}(7hsJk9;PT@k_;gYZFJ7B2&^X#s zFUpt;{G@<6n0@?Q8#(N zX2bFW2UFj9ZL8+~xf$XZf_D6FndmY3OA}&<qZ8&ZLDFH^y+eiDDJ+gAm{-f9~ ztf|zr;z+H#(HU81Nw4xBFTyW5)|!l9l_`|GqY8FN9F3ec2&^Muve%oryBnhxwCW*nI1F&-H|4W$q)Q>5n{N;6aJ| z=}Z2ZlU&sPyvq?GVv7x6`il1f`cI#2t^U=<@H7;6eZ*o3|J zi`UReYDo9mcFK)CK1jrT{{l0-u4csjQ%q&0s?vxjnlbq`wwe0@x0YL;arU|CyQ&}F%0SujH$-ZR!W*-?>| zmu4$q;6x_%PVXUN<}yEELT#M+rzd7@YaH#JTxGi^eO&m)sx%{Xm^hlZ0obDH>iE(c|2xJ-Df) zTJc-{J`eGAQNttrLsD_>k*4j7j%dbB~6 zm%=TcyE&MC0(qjk$x)ozJ(^OQp45PZT1N&|ptQ7&6wl#XpejFvZsyPLPJOUH&`aw@Y=o(Oh77HR;n?3)cg1)~stt^=){Sit{>=5pN45AFN})T&WM5;2g>lzP3jtI z9)9SmizF>S>wc`1j}%Rp_Y8t79F6iz&niY*BJEPsSH4+XeS9}6%FsP2MK5t^ZdC&9lkv3i2ywCyBwpU}mvRC~Ro2k+2kom+4@BTel|Ppr^2obQ zd|n#9G=4=vdTTQa$0>cZWn(9%Q&Np|A@kI8dD}*A*OyDRJZDxJa5U0 zrnBJg4STvepI<#&3JFTqRn*qTruYL-nVQvlZ%c`CYI+fvluIOnD~F9;%&hV2)O!jD zvF0a$$|EV)WtjH&ZrINls?Rxr;zdjs29>z1f44Ax7)ndzQcYBe)@PWBiyzgjLn7T< zX5L>9p4cO0(7I%1mVB~7ph7vVBOB7y@hX~r2XZNVWJ_rf0T<`)M$YSHCd^=keB{8* zD^TW5A;Db(-AkgFgh4W$xP^1^LzX#`Gt>F7>ucWRTKMgJZif!Re8V?S1R%e^uUB80 z`cZvgs9VgZ3-`Xy^WlSMQlj*}xx{H@R~Mf4oX9D>OIcqeF_H9-mnUws>c}3?U&{kS zTCh?W5ttDDz)*Y7m#0N4sX=5hdZJRk8I?HnF=q0XO?u;#h7GRn zs!inG3rB7&o8v*C)?FzcCRCY~Lw+Q~QBRFfgAx)5!qGzzP7ZDr2?>(|_50tZxF92;iwqPHfG0z!%FDaN{eA>c zeW1G=IyG9KTZaLTStmCFYG@>blTOXDsktD#E4gGkQlLQ-8q)P$#FAw0-Acp45LVX2 zy({pq!><&L)o2D)cdF#{RV(2r>N-7InaqRXi4M-UJ}Tw6CfhB>^qW9HsK4xAr|BgeE0`#4 z5OFSO5IJf>pb{51AU$#7P78A4KC-mKdIQ6z<>W!nD0SlQ@u|J*HS*FPSb5-*G7fvH z``k$&Y&@Z8+^uDv`$uabxhv=Q(ib`&t?zqv|LeJNYe`0I+rWSFxof#}*u9wvS0etj zPfDI8ABN$-@REMpCbFrt!LS@vqQ;5)vphI?Qau?PF1S&%RO0XiqYOk~nXXUw5SEKz ztD%{hv6-1a1I9ldL4Bz|%^RF88~BmNXnv{4Q5FJqGzPRy1sCrmjH;m!bm}#mE6{U$ zz;Wvf+eTmOXC870-)`AN>Q2E%^52Ti?|FNKb`}O5*@E6d>-5SF|xaki$D2~da^7%7_=~`mvR@2F{_0`eu^N(7(>tPA{-fBt+K9u?*9IqziVz_SBB=GElEv5uWINGk9ux{d0O z&R?Pvz(%48`iteB2H9YTH-kG5n}Wf6rl~$tOu^U$O{H75Y@m*F4fSMyaHe5Yd=A{L zY%a)YbM<6TJTfz>`jGLLYVnfJ&egY@FIIsj3=;zCMY+NwBh$r1GidxFt+UccYYe5H z2c4ADHgqmc6fALv;5EHb&?_lt?WWNwP_q|J@(^Sf`I z-Bi@G8;fJ#9K@)v4<^jSs9PGcoPifSAGlKb|8dfAYFV~zphGM0cQEYCIw?5F)dF7zskQz4?fkgRqO02=+U;ewkk!rkoQt=1 z4Ig_U70tlyJ}0JU<9rEBlKx|(-KN^ku?gfeDf!V>NTIcL5qSIN_uMg(w_ah~FsQ2L zb-K1)+I$>_C{VGSJho!Q@50W$N4|cqVo7+9tVT(MA>DZDsLU|k`}{mx=&C+D?GG1Z zz{|Wn<6L=Qptf6HCnxS`-`Q&|VA9`HprCO3R-+|p7Vn?&=ZE&xA31cxDn2C;sSsFa z&_JM(dYZvNxYTjU^hyUE5YnVYc3lk2OBO;r7wLm!llSvK2H5yy#7j>eZJlSK~&2h^V{}ELhU02_-zLZ>eSTQAwH#*p`LX*`3=4*ObY!ypteeR zIbMk-=V@8ch5(1L&SHv{2Gl(1O}*LTW?YdR#;L zIBh1F9YVi)rO6oLc3Ig)@^aE+iDz?ay7=#S!LVaEd4TZ~ffh6%!6sn7AM+ZJcrSn2 z4SW@xfSI>ET>{U5`tgIjQH2)+=UIU&Rvdx-pm;E9jG^IBE-Ga@#TZ%%%gL`_Zzn26 z(+B!l)AtJUtvL}j!unG&Xh#ZB_!m4p?ZLFh23%+p=YhDOPjLvpKubm)Kan08ZcqlUMjkD zxb6lwWP^z{>X*os)n5}JbOPoIv{oPH+(J_b(a)ZL8#G}<56f9Ou85Zv5{hWy+F@oc z)Ve+Wc*CzQt%dlB(NR_S{-skxQ)J@8?!IH3P1F8CV&ZIIe;od-2RRaigQNPa8i%Ie z0Jm8X(QuktP*jj@R^Py@gdZkXj2$)@@~uVu+RFNAbnlw0pV;3)t2X~{ZKJv{Y=>4b zYk?8gvj93B7-7DG(=gu!VC=z^)8h@^O97)!ZW0Ec!ND=X4lmki&&W8~NYN7C^|G86 zx*aI5oB-wC%2P_a$CS*Ct);Fp0@jbN&VFLaM0L&w(Q9a+Q|P^%8wj22l+MDdQ+$?I z^F~3*p<1|AyV>>P7bZ7!L%$CADjJ_^;sEqpkpsfU@d=s%(>7V5#H8!%TRo-~rh~*{ z%x=$F2D|zk)+=ACKv(u!1WCvreg2=p^O=Nv1laGaQ84*TKCO(3LTuY8mW3jL`Et;D zZ_B0?j2r(fu-+*H!wM|3(v)5N;T+8`_{}r(W`1dT9jv9^dY$IW`FMZ-8a-(AN=)o( zYl}?qYR837yKt7`bm?qAsRq6|Q8{m>ckwAvEq`L~`gDURMe}B2CB&$dAvR9^`C}&K z=TiNBK8Vft-8ev$+f^f&)QiL`p66SPSpJT@2?T?Mm)Z z9wHF9dmUP27hqM>^4E)NEwZMf2E&7DFbj|5BT$ia!OV=7fe@Eq#)E$^y)z;8b!7E5 zI9k5OSMl)EMK{Z~a&}*P*wXTb5lm-O}TV{ByoR$ zH+lKJ5@FEp)^D}Q)ai~%-q#J!V*Bc66K`rbCMehMIhLu2l0L7Pybrj0zefI8t;t(# zHm5gaT>Q$e{Op7=`Qx*buM#F;9UySh41(JXbFC(2An(Y|K8AXd4MVfel$+1Ftm|0W zr^CaT4xK)3Tj;2$jE%*HaBxj6CQ};bT_Okda;zk5a^XFQ>%Wgm9d~jh)@>H4|Nh(> zWCoWcD1!#8%F8T@O4Xm;Mh&gwv~Om_RWX2N49Ivg5=h62!`{QfhMZX36s^!#y%J`X$o$hhW)YIw=^%YwXi0M1T7!HaZ?4{me;gkm712Rj-!Rz{U_aUukrj0 z)SF(Mn0NpIEuZk~K13MXXl!QYVCr(w=VnxvosHc}MV_j?zoF z_Rm}OfuTiLB{*F9MXb3@vC_q4urxE!j#xxpaMXG}&<=9RFDpu_yZUD9tE*4`eDq?< zc4$p~%5U@|K+*NARS>e2xGyZ$=b;nY)z@db6-qM2RXr#tCmNLppx1#-e24sj-p;45 zUKOMwg#(@{<+U3*GP!R2E3X{IXC|*SxvHx{Mhl{-qvCr0`+g>7$eWDy^^zf{^z=t~ zQb`D>900I1283*HTW-G2RiGe>*OpBdG~NYDf*&fX8m_J~GFH0QVKy>ix37qZrU`IL zUpuebiEBwu%WS2foO#|aWiXyr#Qi_?p$ZNT9kjJxQMm%RgY)$2pTtNrcak`jb2 z zD!LeN77JWSY4q(rhC8Y ziVMo44cG`@XuaaG>;Xwuw5wp2?|fnk5hU#C&COgd1xtcP!=64@(`oW#6yPNAH7VDK z$(2ui<V^5~P4@|_MP&ht~c-n)F&OyjOCR31^$j)4HeurO?w z6S$+D9Tp~KBci72LH2y;u+Qo!!-E6ILMA5EKULc{cBw+Ld-nw>**kxJ{*m0Tcx0l3 zw_=oGwMZe8Tq(+G(c+%o?O)(DlqjKu(0`f z?kg`AUG|wH0++qvzo%vj*~?sA&Pj7@!gekYHR+iSTgZ=>dRSjfF5dfg!v$AufFI(M z2oi}(-a3kl6--*P#9>0R#4|53gMAc7BH@N=YHHa}pKd6mW|WI-emMErtK8J&1yD0~ z_E&hnZSJ*#-nhHikR-j}?Bqg8PT&PbGOH~mt8Hpv;DsTrIE4UoWNK(=exBx}FZ=Z& zk-Mu~{@1?GJ$a61@<9^frlwgN8 z+7c>zY!QaXzh-8_lh{UoO%|6_pG<{W z0c8_{B1JiOc-7%`gy23D;1VCb8bJ0KXl}ebJ)bH`If#0S+LoY^lam{Fg)KH%1;y1w z@dz+wZ||RT+v*gS7LM~_e0@wLcyNXfc)D0gx(^S{+OrrJ1e+ZaUI;J;)SGZl zqRMizVPY=(y_M0?fq_%n>NF@R=@ixEix1=If`SmHdN%SR-V5OGzgKL+i3yC&_7wHJ zFK5#IRZ4=Ao5Tic_e)qxoQ|EijY>ywvh)(g#fJ22&n~J8jk^_a(O&>L*Kn$UoUN>+ zd2PVR_cnv6$*C^ArtdMaoX%IDmPQow-y}wVjgPlW)t4McYsl}whk(L;gv`1K_^OVo zrv2&?QiAO4Ye%(Ci#>BsffFWy#f3I%(;XBuqPVSsf|kWbm# z++~iDw$+K4> zRrFJ#Ip2+=luK67crkUL8nLrbrpgqhXcoAS&#<>p2Eb6c#8;CY{WA0P^768hQt~Li z_d~w@gw?->o}pK1c^T~4So&M~DRGuyA6}OE7 z*RCsr%s|5nnTLGnYrI8sioc12rls0J)lUsp?!7;)pT*1`Mhb@$^S^54HXlzpri=7m zxbfDz=^mm?uOLvdB#7w+G~|P99h%siANzdnGTjf!h<1nujLIu8%ZGlZ7?x>R5en8H zFPR3bh(Zi)x7pqwO%$VXAM!MA8s~a6c+^PE{#IVWe}#wco6R1#AlVEw*I8P{3r^6D zo#2X!2NkMJodf$g`?cTAz6ohBs`${Ji_1a>zWHnCNq!VIX#Sl}kaS|J^lY{3fb-&= z3$k$T&F8jwMz6dE5x@O;SP18Eb2?IpQQ5<{QlhJX))9o07j*Q(;l(n zua0r6f%tthg%pk3jXgOzxx=^@+3Ul}K(b_V)npF~HkRn1rSU{NNAj(zVt!%+_F@3Q zD5Q1S9@$@P9ws19E}*2WJh*W<$ovAbG@qcn_WnJil+@+v4ihWub7p1=Jb|z7FOoV) z`003sO2=_><>lokobnN;p?+671u+GgF)=-T4*gxnajf5y_^ku8t2mut+p9Z`R+m!( zeAU{TbD>FWk01kQS8rw1fO7r%e2x{vzQ&ZFV-5f%dby>kw>|HShf)Qy)$(&>lcJIn z&M!-aI61jON!baLK2x&``izdPb#}h>DY-re3LcUQQ$D^16_t5G$E{DI>GLgS(+T4Y z5QDL=`JjLnEVbpyY>Vw#4>1hYRM8+{cL^?gjq#SoGCVexb21XlDsKD>UD!TddUgC> z>#|Wjco6Z>FZ(!Hg6@A>zlCl8`rvF}z?QrwQ^oPIu5$(>=E1?i)b+Xc`EEHd!Ah6| z2`y|44BMyrKJ{(_YA-D2Dy+~TOGyhp&Hh(F!bV264PbVEKe7A-78@JTL_l10a3M4` zH90x-U4Y1UgbxGaTU^ZS4`d2pA;Xq1Fi3X83$@diG@pq~@2EFN&LN%o)ElF$taNjB z9T!^p_17UGz_^{lZHQkB`Fj73=Y&y_V4*_L-_o$ep+RV#Z)3#dqzHMqA9gvtptrjE zDRuNz!cFs+eoJYS!+!fu#_>(ncdTJ;COoejK1qlpU{!}pHv%_EAHjqTS)wFfrNpgu zoLls{ZdS`ygEdklB_*$IuB{Q_*1BESBVV3kQF4Ca&0L^t^g?wzKU4A%6l|VIlBe9s zd8hy(<}@9M?I*fj_!B2CCLhoL*0##to?A?emXJkros#(HhtgCUT=aDojqfRmSKX{a zx!H8X+CL_ymv;@ z4QVAdy$mL&C)d{3i-5Lf)VS;2q@HZD!q*3HwPh-Ne4Sf=wl3io^!I{wZDLZ=^zHuT zIeTuRvYWE%y5NmT^*}#sgL3IN|nYrFTOX&cN$$+t(;ynoPN45juk(w@+=*%Xr2tL_Fi{$fMEG^Pq`j8%iK4 zdy0vfUKJJ=pa@@I_db|;7p$S9u3h1?NMW&&I*Rp#&mpfeOXD=Awzx_)Ur{<^{r9??Tef>+bs%la`Tpof;N@#yF zz*wd+KQlq>ac*Rwhz@b}xCHJZ!_V&CwS(Uo?Z_Udc09BCSHJ`Uv(xM{{BX;~gFc43 zveM)gu{w(`|MboC=UdR&-@D@@imA9RGAwaK1gi{BJJEsy^S>5=RYf#iQX*+SWnXj* zzCtoT*xaM@cXjy~p1L}>@^cPuZc26=^5c!|4ck9nl8(T!s#E!v5H+Q^2m}=<5X0pt z;7S#ilvv`|Bnx;+({L)C!<{uP`O)-!rR8UN15C-I= znMP%`&DAHsx`PwzRw5~5zj*!fB`dc!OKf&-_PVLr*eKyHJqe!>90Th?IvHJqBenxX zQcAigzr@DIQd&yd&e&ooUo1xIf@Hk)0nGVGGVT zKTn>mm5`jQ>3vxpS7WOtULO~M6EcYE+nSaZT3K0=^yXHmUD1|+fbiMlFRf_?gfW~( zCIdimB$A8&eVH3Ss%NZoa`!B%1Dx&H$%!GH!m!LEF_k5@r=(jiR{E(ucWKi8`E;qS zwY3Gy^XH7rjLy!^quOVyWwb#!h>G%Zcc9458U8NEMw~;c;O?$vplEm5OZSXcK$Wf> zteL+wxof7Y%(Jk{NQdHJJ+!!e`0eYr=y}D(cjW4O9bYHR0iD~9hLbZE-i{{m^e4>k zG8a|i6ckdNoMp>vpysHtb2;XBIEj42R8m~}+UeZYWW=COR!vubcYO!=GxSTCB~Nvq ztZqu&+g#g9)>j(wE-rb(u-5a--$MaWhNme|ca`ufW*rxcUP|=M$PzFBl~O;k2g8VL zbE#;G7pkQe=xT(x3HSbo5a|}ct`zC7#E8wLo{e!w%MWpfeIqgql+MP2C{u7 z!yt7O`b2CbpW#m$Hhu_heIW-YX9}Ok#qR(|z%3^8TXz9h0YL3wY7UAZ#h$I_l1^9r zX;QvLw#B)-IS=ydx(|)y)ClFO8f}oBv7rUb3%{*2O?}pHn@Glfv>gwA1+A=r%Q3gMiZns^vYVOmR^)TvkHj*Sb}8b5yEa&aeJ zEi6vV)S7KLE1zz89~PFDt{mRi0elo=L4Jm^hh*ma)vfKVv?kjMS*A5ilw&+8IVaVl zKg*l>jE~;Ei(Olrh@d*l5o_sRImbHa?;kwIK}SIak-3c}xQ?!>;T}9bZf-O=WoVUq zp=9UD_VzYBM%-F1EUfs%MZJS-P0 zVu25nY7F*=7k#YEY=L5ND+6D>xTNR!OdTF5OnlOK@vVRDs3i;= z+tk#PR^)JOY%V+do?}S%b2XsXlb4ZtHS7Ao!7*1hiJGkj7bD<7T}Dp*ED+%;K6C%Q zxq&5=vSn$NjwbX*0N4uvKR4u>IT{;R1+!z#S8(#kh9!*Ii@@A)BThg{NGdwqdFU9s ziZm=RQCV5r*vh)!gbh>X0l$vGea{fT=qtb9SDVIWS*8q*Gv5hqyQxAxZo5z*~oa#)9g;#W@8N7I*K- zkfZ)WtD@}R^qj|>M^-3QRr|gtA09JF&{7NBbWXA!xB1O-B>;^oiM{FE6kq?C7Lus|Y|FN_2*T)p-+;Su}SOt|P^j>!+{%2^kedDo5c#>8TBc1%>a z#vH^)*d|*)@jeIJ4RUT?W!P+8jSQpynx9!kY#KrVO;dqwY^OFg#cn$I?fGLMFUX;> z`tXopf2vq}x>Qq3b1;QZh@WPwEq~L%)irT;qn_4CYD{-HoH;cig%I~~(Nx~^zACZdL`yv6gGYfEX+NlZj^fK+8Z+$7S8JBK5qqP!<^h-dHQ4~ z8{v(Y%B0#`%mLqyco@}a3cpnoR*A>zM{~a)P?5nb+-Wb`s%J_Mc-G4BBaK5Jz)>g; zZ&siAiRj3DzVFLruPts9nAsFVvzGIQ=~tzTu}snpUy^Pl!77=_d&AhoWN8R6?3^6j zH&>?-P=AX>6Q#`2Na%$4Tv?!d(=5+Jsc35@DfxFcZxlbZPum7p z<{8!ukdHwan|(w zzzl)kWY!l?4lR7VxfvNz)YsMJ^qLYAuV7J*i9x?dFPkFjT%+Cwtk$ZfsdwaH&ch#r^!3~+K1)^8Fj8_(QIwd;P zXb=xHG)n!&kFdbT`R_pdr+mHZFDAOXyPIz2L?hbX9zppUdiAFbj5?+JTYuz&J`xM9 zwJr$c%9H2baM@}A5_iCW?cmTM5bH@7=gPZ5gYzv;6}_4TskCeL3*LMcULN;nliuQ? z;l1M|vLd(JA)BaNJWPp9aR%1L_@or?M%Ac^Vx0LEooleL!DB zP0Rh{C_fVoCo6|enLRTQE4jh$QJVn=Cl_#S_iJ@r4f<+{DNuTgO)IkczmPMB*HTr8> zl9k0)l9aA)vI-LkuMyqxpvle|MxfR9Zp~x1Z`&_jB`X6IQ6RE}{T<^K_2uOuT`^H9 zpxFFxBHZ|dsD}_ICnprhq;7bd!3&-87j!Qg`#+0!2QfZn6ttQ76D1n;jQf;=^}r}= zDi9_A289nY4$vbp6+AEcH09rjO7M*kPxx^x0dUUB z(&$>6E&{pYveNUt&1cxs>msRqJB{4x+|;L3AV_s@U%wRVR^0zu*3l)vVb8^x9Gy)1 zn}`rj_BAC={N4n|)V)Z<8$&vXf13uE$J;lGCLTv9v+Shk=9D7Ua(o`V zmxGC64M0r3y?sbI6UQ1Qd9u6k+UY_TPZHJt*Zc%@bx9B+sUSn3sVQ_aG5#Riuh--W zpJ(I+k~IjfRcx?)CdI=R{u;L^FZ&tI7jt6>XetMUs1)-f8Gd#Kh(ix|sX3pz4PD(Y zZM<1WB+uoSvH}hJP(lqGEiFMPHffE|FhWW>R{$K_vPvsogjFaJs;W6+=(2Khuy(k<3phEfe|H;h{!^}${UOgbjrC!Jnub3PVC(Lq*pfy_xVj0&%Ks{v1-fy<<|c@99@9pExe(L@y!iRD03Nt3<$Ez( z>Cs&c0yIGS)@Afk25egpUlNotYA(z9Wmh{)%UAwO(SSs>-<%{NEA_=iL+?+U+yg;GBe zD+k8}vafXhi)TGRRP1ASo6^h~tmpNK8g510lvOKfo0D%#@8N8d%5K{h2~U?rWe38| zF@vM21#g*`UsL0(EZ$dbMR9_vas4ZV>l;t$>7k>ppm+$%y+g2EE1)5O)Ol>&-F_&! z0N89ZH6|uGHfo`BeA6rbp0L~b?nQn5m0x2@=mpe;HqFP0+cezA+#&P?CFyGvE}4(p zT-)GbE;9wGpkJpEVJu-vvu8BK4@GW&m&Wm9ol-s((t*rD2Quvg8O%+9|4K(Ie>Hw@ zaXb^vK&ONe(cS;NFH9x`4KG}uU(j~ziipxJ!2nloFziwuk;$?v(;qT;?pL2PJ2gdk z&zG*(I;fiEd$rxb$V*dxZ#5A$EoV!Qqfg<2=8oc$_p)AX7FX8h#tAAby(_=&ai;n_ z)>l3oI6EJ$V~yU?bH>Of4A{rNa&-Xe7^)*f(e)R*l!x_-uT$_84C91{dd5?IzPhS# zr4hHoxi#TFfhjP23aU!%7e$2d}_kYR_51H$TMIT_M z!`s(AmNNp?lOaDm4&5Ps@V4A;Uv4}x&yT`mYe_=}Y$)sNN1xM?!+VYFXUOv_bBk#} zx;QT4w9U%{$=865!sB2Q(`B1T86f+PD&W!d1MV6bbeSW^N zxVWljBgp#|Q9P(bC>N15Qo-8XXx8mqkgKXFITHzogCya&7-pH~PD;)0Wm*)}%k^aS zJE%f~os=L#h*JeTRE5VZIG0Yp7$Z^w}KV?%C;v~=GI5DB>kgd!|} zv_o0BX2lzn0&^e5-eT{C*C5sDn4V!b4=<9{>gY+DYbc5GL-qeO5-lF9O2>}ck_qSp z*A^cy+$OJ5GHfE`rp-BSb)d+Q2`1Ij5(wD72L$9*iIvO^+m`L}(;ffF-4YG4HEC+( zAT-aB$FW0qXzE8h&(l+9e_AIla8L)o`Ms6%By4PGNUesm;ARjA6ef-ooD4*Ct5O=muEr6tJ_4@5FoFB{3aWG>C95-s(4<{W+faV?~Rzw5}ReLC@3>WRY0&wmGCrji!F`Fz9K z?0o~Gde`~qL5etQ8ymBHJVhGE=%9S1WH!-oYT-D^L)3JiU;DH{^s zx?TLV=jY$6>%bRk9}%L!H(&#cMgKRY zPg6-nvkA)CCN7^qW7IQZ3XMz>sn981Qad&tj(dpnZAs^Dp6qV+#Ip4y!FynE!HABf zDwo75!P0z-l{sPO1+vqdXG{SB8zfj$f0lrzN zHBd_WI(bYv{q*9sw8lkN`HP14-*JP5g_9G~I&n)Xoo3Ikbo^Z3NS!i&e7I36BR2<| z(gFe0#gsHBlDWa@hWPtzcsP*<%(D_vfrQl@#B4po^c@7 zJ|}xc`wCH;?rdjGdb40lJ+JY2PW}x0{lB5cvuV_K)N*S!#8a~)r42~Q0M_Y&jg(dy zg8q}71OWmAdK-ZILhC0%A;xVRTmwLO%6CV5PyYu#zR+?38jm|55{gzci9rZEM0yAr zF<0sBjW-Scj{sG6VhOGa*dI51;A0y$F8oXe>n!?19`MMnFu_u574Wk;r-swuARF@x z|0+r=JGBJ2hGCBYw6+N_l_z&_B9Jq@QFr3@9kDT!D0}cfY%S_hBjEFgU~ItOVR`M) z&CWyYn)dfye!{&l8;zSx&Xu~zNJ_MccoVq`FqH8uL?zck`rtGqjh2dcTs$Qnk|q&h zvp0^E94J27^=LM?>d^!DM0h;?W-}es`cZ~}GBU6D+mG`1nT~Qd;l2nC_yXP$$H?^? zbhhtP&6a7WSOV6#8e8bX+{M0l9I!wU{nC$_q72$AOO7~$zDc0rqYyvf4oBi4FE`d z$sGKzqlxq`r8&@420#8ZIv*A;iw)R!c-~8q4I8-ZHcUxD7#dqT`r1XT;q{x``LLn! zPkIy*9?gMwDwsalNCE=jc5bAVB;-#t$+Ezkql_+@N&F9a6UCs=8)~QAxyu7{3P>P#%sG0Wd9l*-%@}xN+N-31xn%k-B0|`X#6v2_5G>bHC)74BaEs34egJF@e!}v zK#uAWs91JDcR=fp{O@m4`FBVbV_yU8N8hCbz$M~q# z0gZkqH;FH5K>Dkv-~$w%=zkyS&nq6@l8j?Z>!T8&-~nU#2t1Ly|Noz{?A0Gfl?YTr zaNpG%G7=9l|J}(VKqo6`F!UVw>J3oe^=cO;E!wqy6<{^tKH^?*ncG7oggA^l6~YVx;^zsaJ6WQ1RWN4{yNJ z2wn7(XCVAn!~7ART=Hdcmk3848(rX~v+M?qfw4m>2ooC(RK}*yFxDRCXIm17eD;rhbJTDma##VAs&cs$(qGK|`Z#ye%OhNXuTv zlUyST4}CJ8dOb496+cTcb|ga$MeL4xn@2Pn_-1Y&K8nd!D>P^|3PKUVB@IIze)U%e zJdND1{)Qxq#F;$K)b_;Bon=h>5hA-OZN?G%ac?T9Nqo-d853lsnQ?K+L8QfN`(iC85S3j}$n*+q4nIx0WtHdQFG`C-*j{TDC(wje zS6kPu$BPCw9jAT9G2b=yv16^8gF7}Zc7cUCBQ>gjIV^!A8_b}~rY|5G=mE4w^l%#` z)z00Cth3;8iatrHqJkG_5cZFtfYSWf80lSE{+Ha(o3iULApA{e=ND)Tp-nThWA`A4 zlm&!dvpVbdu5n!V5iCkx*M*%;!G#pADK)SmVa;|{*NLuItLJAwA7{!u2q1hOHxz-6>FnqN_VbpJl2VZB zuXlT1R?^%CKLERkei-=kBQkA?$_K|~`l|i+#KgeY%AzED4411oBoy5ne(s?mhsGuX z6w_4MLWA^p{b z6WybcEmpTiEL=3bQC>2nJiSszTsb#Lg@P^NR!66sz~0I6fQjm~<-54mM(b8B_qvSG z)Z!#2$EAEDzDbjmGVYV2?59I9qO zU61_YEpDS>Ns^DuE$+u9rfZ3;6_c%hkz7BYJJQe3kOZtI3`@H8j`@BzH(362JS&+C z=Hz{Sh3}cvDXc%pg~*z`1E((#siWHRzAP^@ND&i0zP|>gDmTeWraWX!8`Xv-^8|q? z>LZqPjj0bI@wUS+WL;EmRzw3rZ}wQ7(ggg*aC9A=TGD(oTk*X%RG=$LvEqlw8p8fH z#sOROt2!SKKFRO18UL|P$Hq7SJ^Q{qZQPi*{A%f}@--%;D?2rnxmn(dxYEhl5kQbt zR0IRrHkGjalIrg6#S}DqY=n*V{q(H(0?KdXoay~M!_o=~p>zP(#rL;4nvorQ}*$<71lj2qpf{7E`J`4^!0`TLUu2?S6(c|ki3i)XD??%hZ!0)Oop zKURh0H8!W*KB!iFcx}(>Q17)muHO6AO^^1x>1z^4&tQu9>(~KajS6S-1ScnG8&mZ@yA&*A41lrCLz9A8^0;{nimv zPB%iC-Iar1hnp?G3?yYqKCR|YLodD7@j9>g@0|p8a``=2p|;Ybzi6Zo-Mbwm)kqqa zeFS9bjYshRQF?i&Nb{2`zHz#m7Z^b;&SDx;Q6Y-u7!gz~NV<<@@=mhv0QI}~b%Ud) z$2=d;g_K@R%yW~{Nk-h?B?L;DTp*w_rezP7>c`o4I( zFR3m+eS`#^_5@JR!R>m>gn9v>0|J~j4qpwPBCT5ttuoT}q+@8nC(6M6n_Y9LN3GBl~g4-U$ z!OnTp$R63SBn+X}*4A|c(UwAavOLmNj^>4J2Y?kl3G5tbZfo0o8hwT&73|vLkE8wj z@kDoZKe*z}G`;U*pWmVlE0v3z$6WvY<=sGZKzo}D8xuzRhk>0fYDp4G|>5E28WT^jSDMlU-;^a=_H0v(=!)nzMdE z_XR9in6@eIH9T$d=Oy$qFAo4*YjyS}h6%zMZDRV^aE+ewO|34>}b-VuMdkbMarKDMHiA5hh|W9aP%hxx+$kty)m zJiX!Im2RUEd|Y5~!0vW=*xirJ%H=Xg%i&QB=T4e=ZywJ5S`^n)-&Q(9OTNg#lrNge zq>4J*N#=BzgbbiU5etq6xOb95`RO9~_*!RY)zsBB5PtkvURau+)zDN=dPEKafb6(u zfExVfx%oMOJfmHZT{f|%z95B4n6VCDTlb$}CP0$|2WT>3Q?ta(xGtblPj5vw0=;#W zJ2p{W&M7|lSo+8UY*SS?MbA_+dw4u@9ojwlQC;2rRs<`xh|;j$;zex6**fj+F07Wx zQk!iIbL(%^Ys_n85Rc{_Wyb^LsUTW;ctuv)%GUa03p2m&GEPr!@xjW9_evv_1-Qgo z^QmWu@OgkV{*tE$0p(QaL?%keheFW#JaIwyj%`JNuxUZZmB=Oa*ytu*slTzu zv-#57R<&Gy!xqdvITkl+3i5vwaqrVKe$8U}FYC3n*kv^zr{ruAcqw>0xbQ%jH{81ruHnh+S{)~I ztC0!MwE}ZX!{*ts7ov04q??(Qd{hvuj+teBe<^3HodGaZ;V~A;z0w=nCe}BXkMW+> z(iY;ubT{Bn8yF8O)VTXJYsK}B-rmm9kf8toqUpPLYUE6Fj2{F_TPJbc z{Kx*g!8-u>PEBW4_FwQhJ;1K!!u9}NMjKeu%1f%~Isu_xM_p6(WPejfQ@31=k>t>d zJVT$9^bi2tujNu{)p{2)j1wj<8cPt^UChe<3dF#W3`B^ln}Du~KVC6HS$1r(buL7l zw5aVr6UPc9kF3kAtx5y_{IRy?kiroV=C!%Kq`N9UC@kD9%Jhmq<*a%+BhT`CTAPtE zfisG!oS%3b+qfAIGCI2TDV)1~(PdYL!z@s#hjzVRX@{0633`js;=&6%$(2c4)L=iW zMwhQ&)Cnc{z^<~Khd+5f9m53OO#q7vfO6kD*g8@Eq6H5y^*G(K+G-Xd-b!w>V zzXBDF8w{~CKI{uss=8r>h4+H`^`#5mTJNASm{{VQ%m4L)JH76lKT6F~7$Rz9(DA(R z;15C8aaaHub(^>2?Z3#%!tLX$YHfg(V2|Iv_BA#)9x(oOMlPeI_AaSZ-ALM%TRC=1 znqBvDP;#GIW*X9wt|tqU>^T$355%<3=dSQ3Sw-e6v^G`ZKDbz!Sd*!&T>jZi>>=OFzn$svyog{Y2npy+35vw5&`@qodk{ zI?yQdB%25TCw<^5@SsMyaJtPofP?9p%nO-;FoFQ*qs`RyBBtWl7#sLCJsyae1-#79ySVu2 zJxcJ`HE}0ZnzX(K>~K(aMFYJ6olIk4aHU^NP>?<@v5yX&u8ovh=0|q4}$VN# zg@|EBrl8lP+OxECrEZ7m>A=S13{N6^=l$%A@n;IRwUswB&XVS1w;9OJXU`rde}}7i z0Ls-iT(9Y2F|UK8&12KA6$%0Z9uM#YtJ!4y4jKhh2IJybm_2SA6*aBDZ%gjd_npEz z3Dt=8jY``SoxIlblykgk>c9M+j;xcW_5w&zL+@ToS$kyw7>%cx&Xqszg6Gbh0f0OE z+!lvg#e*MGpUKWonizg)of}$=@86eaw<)eYS8jH|Q>=zp{9^37a0pEnh(-t9IPU1+ zm0x)J45yVK=8ZFyhmCjhY@RCX4L?D^SC*8^KfUKGsz>h#!izE*qGe1-C(D2)^EY^m zc1q7i5j&D|u!C?7FC0|RP5Dp5s5Gbt4bJuNf0e~KJK`-B!GZRvg7WhbU;mYVive`| zPyewe^_0_5IVwJ~*Dh#sR@GRt){M()FSb(OClIHT0R^movhGZ=NJxDsBWMYGQ=iOd z#cH2%_Y8za{=ua9cWCb4PHc}U1||U0LH_Ky{z5{ZL`B8*&dhy;*E1?U!rH_{OvjiE zARRl7HKAWv=GRb9npaat3KG9VM4X>ddlLoE0=Bj;uEdD^Ii#or7}RVP6ac!D_zDt8 zG=~mEyV61rwne-X@;W15a&s!^$o<8EXyQp}qIB|*eyHIGh4g%jEa2k)k}kfY29cRk&(tEXVd1ksmRo;nyQH zL2Er{_Y}pp7R;~k~ok54SN;$%VVL6lFl;BDfce+{1!A(4LYh_^v!FkXBbey{hZ z-?D_MsPNIKm9PeGHz0d1q@5e`BCgJ8d=13O-{C=L<+_I2?*&!k`ZFM^_u4{w-1g(O z3_XKP->I(BdTPUnvO60QvA2$IX1b7VB${CJZ*+_WRsIML?hB_agsolY~I@gYBZ^^?1a?o&;%U5w#FL zafTKSyuaw58G=cP#gRHi-ZCN%)>yv!A7iRPqIt=2+A+S{*^kv@Ul6vjU{Xv3wYq}R zrdQ0&B}e(RbMj%(G$U=9uZ%0}1~s*yP56}GdLmu{nG*abD74e`Kay}>MP-M$D(W=d zoLZ(?50Rh=fpFp#@YZ5nCI$+MWAK@nRGPlo#*z;(=TU1|XMHF7D6Iu9oFAy8q!QtY zH6HZiPkUO3JK}W@|7l7oUAju;nuRRI%e|rXE2E^OY>%3x*#lARxjo0T+F(2tTwk28 zR;i1MWZBcwQPpJXNNeef#y{az+iYvs|2;4v#&N;+s#X;-s1Ni-OXaX?Sw47z-3z^z zDV8vrnRM?-PVc(i=_j_m7&xvnOPQ@7UpZc<3 zg2^s5O?6LhuxpHZ<^nlGP0erl0*zHDpm(DftH`$+8VPKyY|!i5=qQE15&}s{8ZVdD zumo>wWImdW+KVuz&qVwYG;JjZF0}%)XNP+JfnGvH>lP|Qj(s^Ci@D3Kn=&c_-QzXw zgvdne>w^59Kj5NlN9|^lo#?YWjLsWFcK5F-f@uUld6D++YR_hz;zoRP)j;U!F8F%fP~%~r_G?t0!lYdP4#KOb8oh^T zK?+$Hm}T_ciO3+AKE<(Z(>Dq-CU2ev3~wH)-wN2w5~3dag;YavbuU|}GQKk^{bf$0 zu%jyLsUhg9k#-UY1Xr9Y3isu)_)UP`5^{IVd*f(cEKG3w&Yb4~!=W@B9EgsxA_X=_ zYga%K$Y%_6cUWv*e}R?fyy!k@673ce?TVs#q!uDSdiql_ zzU|YFQB?W~*EMs80;5q3iR?T=KkFFuyE)dalw6`{EUVljk%{1NCtDoiq6D+&s*blwl_jO8C665*|T(ZbgGvgs# zVJ{AzW=lH?s@D!w{MT{^ALAosPBdF~Z(xfH)VEg^`6_sPSCst6JEL9zU?KJ0wu6$C z`Z_u+oj`Mz0HpW>y_dwMx0u`fK@9hJUeH=qT5C*uOUbZziO-($GjE(F;avymihLSK zbc7{G<*JO_VL2Ip@CeqV`v}v5i-Js#4sL&f%Y*eZbij>fEYO4o61lxbc@}?$R2?C}d)k*Js`ovS z|Hs!9j1RXcm)X^&x)G*t5|Wc&pggdbJW9`+j*8vhYBAWElHVijakJ=cA)};X>B(o< ziWJqc+QaVhUX_U(Wd?b97Hp(e?{OL8BdSMefj41r0Xz=0U8(^d-&V= zr0`AZsIc{P339)I9&i+pJd_Iu_X6wov~XzHC1qQX}E=Z zPP8||nfNj+ne+U%0x!&v@o@`lnG*=z%tZ0I!VvH7rSu-H#L}MIi4tU3YN_m@v}9>_ zU|~l{WN817CJqC$Gae6eyrgU)Vx}dX+Y}__?+Hb!MyMb&-49q}f=27R8#Xre_#FW> z$2>UU&b*TEmd+F;of(H7eoH&k>=*96ScW#-b3s@AoqZ!&eWN~Q7u?sd1# zKWN3Nh!Z>hgHM1U;!0?Ef8_TB%uGE!4-trYNDg)fH5u}&*uSRR$l6@Z+>VcLm@90U zi>W`4_I(H*KkGMGHDlbaseFP!Hnu-=)uO{LDwq1>};=fOAt91~Dbg+hDg1$A*w3{&rfB^Zb414Ladiz%3230L(*!yC4FI4{P?3#_TtH zWcb!l$IB32j&l*EUZNgxUnw6nwfsThhYK0bD@@S&8v!oEBe(HIRCr- z?EK3?ko{YNW_e(;AHV6%h|$OUUiT=yTy@e#{{jjmI-d`-ws(VBnGNq=qS^J^!-`D4 zeZ>?HB>CuQS=yK=D-mlS%=Dz29`;RYsF|C#AQc+7sAQ65r*uc3ZJ0L2X1a+;ifS+a zX~nuNj>S0c?x?|PtkQXL>oEfL-R%`v;;p&g6yAeemLbv0^73TZ>8RyoR!8yE@E$ox zIIed?Qb?!^XHe-Y@$HcKhpxAUzdG;JBO`oR(*`Qre)lSN%wrF>0sI)N>qop#lF=7` z(4czNw@Ynqi+z@aR9z!4Jx0Ux33>?Pv#G;Q8Ac^G)xW7}FKaMUwAS*4>H}!3a$>#O zn)btFQ9NvUorTh%Z2YLP!i&H3pPUoFD5CDD&9c`u5gvEACp5#s0QCNN!%!#d;yD^=F6@r5B$b=#CV2-(G$FSUX9H-6pI)mQLj zzI+25dL{EJDO&Q_9i~EOGfcUEwxsoXdeeq9hE-phbo$Zl^HuHfJzyJY{%ahIowZF! zmO=>0(h{-6b98|p$13YIn6}LMJ9)@deTf&%wDbZXFBN>VWy$VyIrWInDj}1~@62`q zVz3OXPe_eXQgp-Q4;HG9>A6!e5TLsAbo1MSgE;q;v_9W8HPrq1enbHLFE16 zC>ukEx%9L`q2Bg{zwH0EpkMrF0F4S$(mTJ7Ox?Z7=D)Cg`YjB{{;kx8rT&poza<1ppda;Umc5l9 zx@uxUXd!WKE)R|EUQevc)~-(%3-Fl{`hzX{>*yd&Cz*HAW0j>>2Q_;1?@?4V#r<~k z8T0~D@A9JgL1eL->QnoKFVDjoLJHSop)cpi`$A}LeStIvt=)hAc90G(Yva-$|S(c4P6CM9}2-2uM1;u`#Nndyp5v; z8F@(X2yl%@gH6AEo1N8gI7t(D6_y2bno;^ZpjH5sJnnf#SdUK792JS6)Uj=nz0*{@Vnh7>K-|ovY@_1Ujt@ zP{hRJTuS19F>m97v|Jv~#gFxF@evj4A9^%MaxW5z`8OVn`Sg@Y3N`ca(oGa5<9!|E zN6^2D2NqDjJ!VoYc`h0G1~Qucxk=R|MM0MK06upi^T0|(H5COJwRPV#CU3UUnyTmY z6VP|LYv{klfR`y=5=9~#lVRDyD7;RS-tB(N7HXgcUjd?>kwI+{s}YguNQew$w=rO+ zFZY%1xuSLgOehL6x6Rh?{|GA^8bR0-!|jRfEB|_zo_NX^dD8%3?_H60GA0N4YWP4` z`g+HG&j+Pu4<}Bx9~mLS?&+=WwzjKXC0vSGybqL+hs zYx{Z4&dU&43C7Ncf~>aNM8ISv8KyoqU7JYrD{1&Otnw+n=*3ulvhi+*OY64Gc6M>& zkU@^^EPM7%n15R#7dhG^`;)Qlpn9!O7fE?sj2J4crhqx_;&CjMuB&QcqZJiSgbYnn zy4lj+hm6nuE@mM}abb(~5Q9yKT4aOlrUIFsdimz2`s51jwzMWz4nHCdyC8u#^b_WLn6 z8gq@TY#um5_@sSR2Mwvr4RTwpW)O%!}gLp?#qcZfZTEVF_zHP-BxtQ#u^u& zpvUQ-Szy8+7O|W#LZ)vHkIsy~oyxwPX1&lPu2)s(uyIPS@%wq$+b5U@;Pfw2wp~vf z-uGp_@-H2#0l1G1VLS6L9^S^X^zr0EOV3iBr0?dghLj*b>x8aKqF?@2dZ)0=!-F7C zw=nOsMWC5DzFwTZJ7jpI?;Z+ zI>EE2q2TMe7>E`{K2oYZ!6S82mIG&`YfUp#G@5N_dS!sMJpAFc^|ilAgsIXSvewDVFQ7}z2`la0jeuE8PaTd!c@ow{B{ zY5Wf2Fr1ZuCo9OZ#V+mJP2*eIO`bPXfA)^}qA1}gLyZ>nThZYAf(VVxI!~<88+e2b z1BZv#6xEUdC7ajPaAu{Uhh@^m6e~c#VX7_!Az3VO8E|IkAa$T1BfSUrdfBcpKq3<; z$N(k?1d&rNyLPXQJwcd^f&m4{`#Oa|@L>c`=S0@Q;cGre(fApxtn+@a7mI>_ia@M*4d4*Y0JB{k-wqDGRne?(-5K_V}D3^fYv2*AY@=&JZ+Ms2R0g$}1!- zE9_fQbMBNVGllQlW)sSCH3)jz82IDXO8N;ogbe2fIg&u8{piKp+hH{tGjBP8XP&jh zfEimg7S!K1OqzEJ$D5i=U}+fs4!d<1y|+C@DNzp>)&9w%kN4z*`t5De;qGs&OxlIDOC`*|j**6q-V{04~z2LY~j@gXJaadt;t-&8?cTZXm; z2W6u3Lf3Cfh&S%8dr#?Bsn4;HWS25Np#AM%+zC+WG7u`@zN` z+nwPV4Z049f#Wwnp|%z=7pr~s5b_iyJ)uK;zm{(+>k1`{s0b+#ved`HQq)Her~@lI z?fO(pdxS;qh0)c6?E$+lSA-wkx)cxmho@1cojobKFhpax^{FOee(Z*jfLHEZPZs=Y zrvxC}crJIj;EcOz(m4?t_UIqLS5_jTn*B(qdoq)MsAU&pFd>u&2Jf>92nM~v{me@} z2{-3$V!O%G4(DaDjRUU|$G#)QlU~~}328mhy~2*QYT76kpF#dmXL@gI0LC15qgi73 zETys*N9B%L82bycs?8pux1pIA1x_YuL+{rDH>r#@sYJ&6#0Bq=xc0 zS|7~aggjifDT|Uvt4S~nIqs%vHcG5%gr>hbn-ImZ;BuF3Z#?0Xx}sc;`EM^)e(U6C zoYIx{wb;7-dER3<`ZC{WQll6Zguz?r5};lS^1^Be3V22J4mi}q*(|(QnvI&iAGXr# zk)DFI(poG@aM# z_n#wj-pmL1?0mc0@>|*B@xVPSqIFr39(N0@T$P@73tX51koQL1Ud26v&y#Ida3=y^ ziNu`rF12hxU+&o9sMvXmaysU08rUq8GuYfpq2nWLb*Dm+&$s?p4{2w%smz;L2rmyu zuuFh)6Iwdt2uK|fY`%71Uy(H8Eg`QLG|W=+(TL$-qGSxxwzpkX?Chil2HY0CYGG>W z3aInmzU9k%(mmpHxY;lV*PEc^T>2cnJG< zhPLRn0kKPrnw$xCPcP_)5I+$g2IMf|p_UCmjsDmj_lAX1m3dj3-}Jo^m6jdCr!E+1 zH!ZS-%VdyX49@{$Ek@Od{N=V;>av5^a$P54`w>y+$c(i>+Q z&A+eh$nn7m5YBCf@6ztU!i+52f{$QY-^!{pNm>RJ0bpw`x)Lkwvdo{SU^Nda-zR7)U#~1Z!QRWJ+UCR6E?H_8HXARUBOmCf-7A2*i=)9H=Z{#@o$;B=1DepGE(Z|xQZ9G5D<2{+ws?WTvWhE}GC z_FD58yO8m7bcx`KrhHDuH)6zJ{5Y>8%Bq3N6xMHMu0_KCuctcY7fH&nZ>pw@DSzJ> zm2y|5Pe7)7xhh>QB|SrLZ~K?@nstHeGA;CKm1=X@VJWiw4&3WuZ?oMR`$W9v_AlKY zwiIc*(OsQrPfr&I^iF@*zmtm%#T~4o1YY`IpVPzu6F{#lEV$8>u1cS;u4{5djxDG@ zfU$uAX8>b?n;eLaQ;|b3xP2gz#ldv?|A!LN=^$P14-8!SL;HnRW7CkKh6N`qk@owA z@4tut-def7UU&=wg$=%uNfPH3#j%vSqPe>|@4fd>OYBnGkhYP^ef7kBo-8iUPv+(? zod#OJ_YY2D?HnB*-M9yfQ&S;~$0jt=q8QN9;nsqZLgnhedQ=m0+6epMZ8T2;^h$K27ht68t%>G|R9BKzCDqqyX4ko&N3_NS?k7ILbTmryD z`PaDcZn~Y_^Wfe?UiVL!$|sUGX`!~d^@ivWi@QYi4wy` zJ*komgkXMK_+gCv-V=kmbbj5M=TCR0g(V6Lk7K+OQp?*wvq)XS4q-X@>@1;u%t_84z-<6!+{P z#onuTDEj}LTOf*R{D9z^9}o!8hSii+w(}tvH5UL80?tY}6%;1;l?`z<)0siX$=wnJ!=onRxSX zU#$ZR)!P7fI^q_%3j9bP0JlG}n4k$dLt3!~?gcnEhOO0Mz;pG(d1GNNr2OwA!RtcT zLq}r%i6M`8^MvxA{LOd(3j;9$n}-fkWem9%V5(#xk;Ije|NI%4oVY{Y1zXOMFWmrW z!oQ!VOF+Y(mfp%{5O|&HGbEwYnBrB?zyfdu_*iKp4uPRJOHHI5q?4|>^O7o%$dl}? zCQUTV#L^FP`Xr5xwmz>xXqRc5bGo*}u8*8Aqcr~+_*Cs*CZ#cOYXu;}-MZ1*J&qAJ z`TyOQm3znq>C6qnR#;!5+{u$jQQ_5 zH!G_x`MK9{hHN()^Rzi8UAIp*w!#|3W>t)rK37IsaHDmXp$wCI9CD*S+4T!iaNo+= z%xI?Fz8ZF7keMnAgRsm5Tliw1Z?bL(qVC*@b2(GR$vg>##jgX}i}cmh(k+nxc*3?SEdDoRN3o-6I$~1yFhE^Z%>^_5qMA0M-G!Y*o6) z?G+H#2c+)83Sb5UvhyHby!|hC82I>eymEM)x@OkUxSdLw+`HZT`kU(J=Bw9uO>V7T zhb4Z$Qas!&_CwrdME~d8e}Biq8)t#XZFpIa8g|5^MZc^Q-e^}iFI_Jmmr`^8KA(?* z`$lt7datJ2P3esIE;S0Hj`U(U6j;qC0^#_{(WpdhGQp?LqeF^@#iWp6-~9`%)U?b` z_Un76s}!%`pm%rHOFO#m0{`od{I~1>SV@4G0lAt$F#g#NU1cMwT3lx69i*(L$E|Qc z07V!u`h zzrkiUv=IFZ3asUpNc)wZT-z1+KV2*dJfLlDRj&7;{Cl~v5l*85wleR)v{r;`$dE{0 ztf)wDo;b>$$J5r>sX!X#*4RIRG=OG;_?Z$R^8#5h@6s|w@K@^{vk-cEgRNXrGRdv& zKP!EgHDd92m9w(~8ag#+PeGOTK00a(YfHBm=zB0~;Z|K;Aq}k=HbSP?!Gk$Dlr5{0 zAl`-N&Yy*rIbSqXooX7-I+t_=xj)_SPECCT4@*VA1P^}T5_|z@5MNAPZ;$`{F#`>Z zmRnnRGqV@X9q8z4HSzI3Qb-IcX1oNxbexgA-U9WeaQWe*G_mVHSc4efomg48Z>}uD zhO0!{(%-h?Hj5rOe%i=1TNxxkYg``XeC_(tkteG{>kA_RTM=ICrjIZyKvP6TjzX(y z7N^p@vg5q6B}RoWTQL2V0TCXD?$T2LIy)PY%NX0gs*wm|KD@JkJ4BMffc3$z! zvutVE#g`bIo0sC}%bd0#c^&KkDlQc~xY2or`=&WRzPGIgz41vlI}o^u&f>jTKI?dt z`fw6E_z@#jvdF~6^FhB={m8jOQ!{HDp3KU{Ls@zG?rt0;T*8VUh7XEKRChRDup1d^ z}c$#-KB97sK5T8cUkYe)qIiXJ?H-mp|3n+UP<-OtJ68X9I0dPB{Gi3OV}WIfsUl zl!PN~jsQqXuWxUgRuxa@6M}cS-%7~zZl;uk5u8xNLXw)2 zwFsB^pr}CrVIk)NWb4LVc8Gaq@so+zGxWKvd6n(t4_S7=7N$2(zOlBZDi1aluI#Rh z6W7vU!&1~!dVu})4}8@b>v@BnwXE`yMTmPB<++@ATytXc!H!H)&|%zRTpR9pVGeE~ za8<=%LHKFmX>H?p&?^+T<5rx?dFf#{8X;ZPB*Qf>-+xqVcg=CnBPBgbfSFbtzE(!k zvZ~Jqv7&?4xA-VJ@+w(g$pOcrhv^{#khLPxnYHDPz&97Be?Ot`&+-iUo71U>|7Z;%#8jr)nEpXYz z#U>ujnzV651TKn7orzhH&)mTW?*=fb)}e--&Zj;Lv9cNJy7LomM-Nd))Xnl8b-X-W z?{BH1<5!-%8<*9!)Gh^)c}-RB6C=)6`;30{pYXwMkM2TXFC3iiMDzqeRgDvuYV3lA zrALAAuZ!v7!^^3|OWe%ZM6A~uMk)jD1~8OA9OZ z9te)tPPV&ar`%ov_5_Nw{fb4oWtw)1w)Q;QkC_x7ta9R{5OX9N$M3l-n<@%SKiau( zdC2y&+HC9IAm*=cyo%l*TyU%L`XuzB) zc7$UUtf+ve!kSAl2bNDKlGfJVYvHa34{@&Xlsl|R9>HI0YFX}?m;vddzjO5|T~Pou zGOll9?blFw#&2e}`rY5lY{wN0eg`@hI(HH@ltwtZ{Z%k!Q(?2{m19R(70rLw~ESW znF6bJFgCmCfMULn-Td)2E%Yj(F#AhJ1{c?R4IO1|ZG9UVk@u*Q9;YcSi}Ub3AVtj1BqH8fCH)z&|P-tT@Z zoVzZQnLqcta^uecD#=8{Ie#BL3qoG;GNVPv?G-W{k)#%=c(_N2%71Fv&ji3A~@1m}=k^D$|`zO3>6$(};)v4%X)97wFFDZ5Z=GD;R3(5PZ)kJ?*?n z@{*6DrNNwNwzu1op;$Xe?55_>%2M{5t*n?DWrB^({yTB3*2+?cQo&fRICbTGZLYq~ zuZ*>MpQgPfI?%w-VEO7aqb8$5@XbYRw^2-z?9N9o5*tD%bz6NZY+_1^I-Sv#@!`|} z>ef-tkAlISE28v5IuG6ktKo$H7FL$S?0`P(0~vAtR{DtvC+uM9p`b4oQ`j$s{LWl; zDw25qW=DOtRuvBtye~y@%Py zo~mKFtCb(XVe&2RbW;+m9o}IrFOHKnL$95t-_lXlEfQzd{*|RriuYDJx1+kgs~_kmi2x55GKvOzJ^cGf zGh%p%1}=&U&r~~@swspe3EkqsTd+X(1o|iwfE^QXIdqt&$wm+M0G?sgoatSqT4@a{ z{nqvZM{+2>8mt1Zi%j+GBj#Y{j)7oVP5i6 z$&9kJ@hk}NIVuIN&FKWQ^`5Jx5F+-E?--erWC3RQ&z;4+J9XoV3J!lpdi#I&9{El2 z2Z&SKT7ZFPuht&fq7hr68X26Pnc*J553fJ}A_W9z0fR+rhMk!82tfqlz`y@2Hmram zi{BViSzYa8`)6{QI26uqs-7xVgg3#6C`f^<=-pH_$pZwOLH%c=>N{bK)ob|?)8K)= z@V`Tn@vCZv21>{W&9lwTv!6gow1Y{db1DiY^JnCSB=c`H;X+g6Qd_3@47>Q7Kh#_4 z!37jEMOA3OufP_T?v1-mz14H6SOio2dUO3Cz&bocThnmZpy!g=_jNAK<+H6E8U%x_ zF^Gyd*r6!{tt4I7P*p`$T}=YJcjfTu_>i^A#vrM%y)Xk8h3Gm0Zz=4dMxeg0o>kbx z_kJ`?7qiia3-AmLaoHN;k^sxu$&`qNmwJ)WF(~+~^*xW+lAsBoDGi7Nk+`}cI9fr!{&5P!spGO;0<*S>4k`+InZ$E+S^ zz{7|yyS$Y7j^(IEi*S_!&tM>i99w}wrht#-I^j+BD!6FclAV!x_jFOBufVfiv0x0S zF+Og0pd-$Qx{z1vu*Q;MeE-6jIC$ULg^eH+W3%@XXwvh_JU*woAg{2&*Vok(Y+lop z@9o?KIfKfW)f6_|#(rNmsQjiRc9j{NG+4a>pe_y_wsgPf!gW^WG%NgFW|eZXE}H&I zdD^M3VlX+?0iC-U#x1F9zv|jQ&t5ezDX}gtDbFIK%wcp;w|xfG=fXJ%GzsWSBP~)= z5`eei@U#8--<_*`;V=5Sepf??ZzWugj|>dwRq+WLgR>0Z#j`{VGaqxaRN0JX1_RK4 z_SK2V$Z@o_PEJzDk7|d<0h@6_i%g(}=?U7zK|8&6;PsZFr;RD^1Uoh9HD^A47$23_ z8KGAY`Ks=++I5m?#4)i{4WT@@Cfc>KIHQe{EL*?{2(JdH z|Ey_g@$dJ)D-|wO2tfXwtpR^Fb2q0t(&ojf9RQKgf5Q3ufHYO7T;s|JR$iFo8izkJ zDvu`pT`ym|2$(s{aWF_7#a$ zqi=QGSOo@O3jX_@Uon0$kti-*FH(zo<0VJM%pq31T5E(u1jNWvi7#iW$)53!k#%u; z;j?`!fFdbPJN5hbab{U^xa_bF|E)eBRB=jyot>@jWVMrnAMf>)gxL;Z{CjNf8)?re z=!b@Z?MvNxHdSf|IqPrRvUITnAb;F28oyQe@BXc0()m+=;(&BfWf)ytl+P;N&Q8yB zqfFfK0>qZ{H$VBs;biy_NwcWO^OQ%5=wx-}(dE6HMQYL@0fD;9b30E0n)>n@Tm0A2 zt(&^DBhEJ%TRnl=&7UIQkthA2T74C;d=e*HAR4~;TD!*alGfPrLvX=70X|{<$;qXM zz~S%Xjql4K4jzHY4ydsDNhYw@hEfGsmiqGFL;?FLzs=Fxz03HJrK}VTfy_GH;9_ID zVWp;!DD7>=JB!kpt(TD-GNo}R2ziZ4r zIVF)x$A(-NY)4+1@BSl3fS_2Q861l7= zj*YzZA6v`>q!Meh)12=05a4=h16M~^ojKgCpLSn@D`M|A5Fi)pWRb% z(OOBcJfA2slr>fL@)B6aR|U&rm|D|XAPvL_w2NQX>^oqe>9R4oDQD7d68yt;dpM4} z3&pO=oP1P$5`z+v(=ZM8g_N*O-Ate@EDu{H;B`uupS&*=wm!0VN!0s_o2u3Il&_AASr)j(JbYDk-o^L{I|E#YO()AL3D zEjzE{_PlI3bdcb_zzjK>93~_j^ZX3iSi{a1U>R;qO%?nVuPV@KALay|I0D>Y!2*>; zSz7JKTi=%ph7Njs*?6#@??#QN^2FTBZ*aZPB%ye#Hy3*)Ku)BLLpQ(8^Z9-Ta;Rew$Cgaf@{OusbE&=`iCZUrm@eCAMI&qx( z?q8T~q26jy|Ery1{JK}mR|E%ypPZzi6t!4R7`-gOHWz(N~0FR6P{Y1F+y=j2oyG(O#J~^s_~vxat>+_bJ4|+Vhq8go*ZmU>)iY zMt%~k95p66Y^B2w8k=7^-fl4f zxm9vp#l{=PFXpueyNT#qd4W8Y`pnF1v9e|k{eK~=Grh(0N7c*a5m#J@L3E&OwKC0m z9X@QW^sItjW8W3octg{Pqvr9bXw02$%O9d|c@8otC@&tpubidWs1_tK#^MZ$8z{Z@nj;JLZm1Ni0xf4uapf zzWX(PraxUSIMBIS^BNeesq@i7TfzlU42)#=;k}D}#$j62ICA;av0Aja4hQk=JQW75 z?sMQqB0>W8(Qz}gJ?VTIijC_Qf_8A<9&}7T3KiwMXn|rIa)HN%%*R~rCY~Ll#1HkZ z>k{i=oNUXY9z|v9M7{{FBPLcRz(U)Dc=#CGG!>W_ZnMQ47VPxhv+P0056{XgN_2I8 z(IEc$ovugSojG%KCH}&F(~|g{}*lqQ?)oPfvRzd)|hRV4Npe9&+Sx~L_PH|<@s{P?dN()VYE*?6QPPC zjM&!-H_dH|Y17=CLVC(ts9hw#|1RS-w!?KUes%Orw`$g*%0>ymR;5lG_WZgI-@^(2 zJx13Aqf(hg4Q{EksbjzBmFn;`^;^2+A$87zFH~eHq&Jgm1Y1Kj4ndlmNgzU!G7{?u z>o5yD5NP`w0sdZM!giATvq9E4x^Tiya^y&KQ#-h9n!EP1YMka!&F?Q%*r*a~{;;Wa zx}yGr8?RS&kUc1$007rVJo-Ao!gk5xm}x55B8@0(vvTWQkH`BBEmTkY{K)BM*NaWV z`Z{lS$jf*{pKRl@F~?6VtoH32$-LdGt7ISwk~(_DotC8Q^!y;??B;Wy6Y?TXl}#2^ zUzXfSfzlKYhV1C@5Yt~?k%l1o#oU#4b2!xQ3F+tx%}rkX560dCs;aN+7e0h^Nh9GQ zr36H}TUuI>PDM)UAkqyYUDDFh-7VeH-5}E4^(}n<&s+DqSIeYK5)||hZ zJqF<^sm*LJ4jIo!dSyMVcE$7SeyQ$neQ1_dZ>al%-P%3qd4_Dg*zn{T9xaLrBbaiE z7ChaJ=;Pj8T$D!5|BRd1#23HPoY4g;^6uRRM>VXhB@%J-_!?K$s;`$xjwxRZ?y;Ci zc&1pcgS`J;(ydS`>kB+zDE3ofNnH3?Q<+HoaCkpi^2_D3um>)c@<8jf2i6V6zl_k&tWfa1;ElRN8YQUTPvj*UfD`(DUa;nC`9wMm0XbFNU$ zn77a4nBX}E%9gNGwemaqp9(JzzOglb1X*&JB9JA3^vf%NXFbLB4}w{Sp`9fS&cU;y zAj@9Eax6b`l1-5oBQA#V4`E&8+&bc;Uw=|5h*EBRmMigXGem|23~1XA7UJtNnX3A^K?c?#|}b^vUBs*y(SE29Y0rXkE>r_@VG6#V$-Jrw6- zZPLw8rl4oK%n>CRq{^8&sju-POlx&moNBs5`_}P;X?xVN9A*~~RC1$H*^Npy=`*QP zF?T1|Gux@Wl-5gTsqvTs+F}zE?_01UdrBi#M%Y=j-zikTRe6gvtd{*YY?hO63>$L! zr~~u4)s1EJ%vI;*^k!!)EKP|%ib*QqimG%+$!0c#$hp2PTP<%#!(v5{J~{aHNMCp7 zc{YF*h2Npoip%?RMj0yPXm8FfHWp1j@)0eb&CpHSP?^QBu;8tAX6loJl(fo0pfSDn z9GCeB)!1YLDxWn}-UY&`Zcl^sE6q zz_9X&LU_f4uhDkXduW3i<>26HV?mN3u5H6i8ynMv#XJO`6Q^v%h&ULDAM!wBsW6}ozJOT!z3<1`UAwrY0nYQBxL zx|Ip~tlpcQo36U2!C2U(YK)OnNnGqVm6nPY?l8DTrwk7;dXWwodMpjcmSGUl9fsLa zz1fAA3#v(PbfUG_FhAA)@fk3EhO%-twp%rG7MmAqx_WeQBTZjNw3o-TD^(C`Yyl9i zA9x=x8Pb>uFuw1-rT*y z%|%DB2TAqsm^V#ix6ZFzjI~_Esd~;XcWzE%Pfs7;DFy`SlTo-owo&d5HB)HLW1x>_ zQn#p6w{}Mt(Gj@jf{bx-L`bOJbRhcROG-wX)uvXBX@L{ZbdohS!<_Gps*?61akX3X zBtNH68BXHd-s$IdTvTosN>ui;Y3T%gi>`$fi#T0HWColh=Mx#ofs5cx^<$bI|D5bJ z?dVCohyi=YnIt5B2=nv)=Y!z5dRM(KXizUb3;1P^;ez^ir>#9 z9WZSJU?!e{PrG(#7@*YW?Z1qXbBZwhQ?VQLN;RLzs)tLv>H)pb?shF*=8wDt!H~jT zH^E8V$pZvKs)#8gE~(ykY^|R-ZA_fZq6|N{j!}?ylzbZqd2W@p9-|R#?oh%C!|4pe zES{u>K6-3Jx3H5;PP&y!OfrU#58K)1yWb;CGR24#B8)1{&AMGGjiRW2S91^JDQG|N zn3$!%TC&wD{O$j{>TZFwRQAh7lwvqwfWD3qDqy^3lUJg_eWl1JEQRMbWY#P+&RzK@ zu5u>J8S;nEHL3da8}?^Gy;2D>a$}=S9|5GJqvJPmm30Kq-wpmOUZ8!GhhgZ08$A6h zZ;B|subV*DQR8fE>Z7^j_y7};o!#*l+1?d+GNaOO8#1hi&W$qrqMJIdk$O^GwcMr5 z6L$?v(b4L^ydWE1U|W!g{su*j8%@)AC7Iz6PS=J8L`(3VpfRl7?D0-t*$g^7tsDo` zi87UP%l-x?smxr7%+awBAnK0-Eg!EA^@O}H_V zF?97>5<&7BqX%;z#U;hvHCn$I#-rq8)5A$d!uzA*B2p3rHM+AxX5Wt1HB@orBqAHU zc1T)V;H~C+S_x zU&l&uw>1bj)lt%nOw4~#uni|dLulU=i7!b&7$f$zqBl(~SHcLD2*tC6^vB{pHc3^? z8?hfc!LONP?1%)*doFybI*xL@hrh+9Z(7o}EE>dw;)JqvR8o|e>;Q15{MM)fADdBH7 zQU<816vySG7|u$a`htcL6OI<2m{gSlecjDwN8=y+U`A2l_8S&_{Fo99i|V(vNp#S_ z+xdV??1Z$QoMEN6%00=yj*b`ysZN%Lqj;U4fO>nh@FTWski`XP#{mor3GZG1;21mp zK~d0;D@H@jZzHu3>=(E}6{T5LKbp_4){hYy1z((HLCm5`OKN-*^WUSP#T&3Gi;+#g z-A$45H=H=-^Ea$L^f!?Jz|oA~C4dsn^_m;J^2DHlhbPPBY~04|1&PM@SGceF`bsqN zYa7b^(Q9lm17mL1)_y;xfrChPn3@Yllz&&sGsX<-um-sVYFo^X8okki0rQMeOyy;E zHLm&H1V^ozbyY&mB{&fJh#wUVk=M(*$zZN9EKxm5zgu_w7(I9wrfstFX7U%uOWsb2 zr*TmNHQ;jFUMl1jSo(>XmTN^W_>9zE(1iX_*jMPD_s&KD5a=8${pBM+mN*|%&9(%+ z+`$z@PpVSQD1Fcq@wjAXvWiY2NwY+4Ys6CW(FUj5=8jJfHxG>1MGZ&)a{_i6Rx^$> z){3>x=K;VR3DJ;?1T1b}{EiTNM-8l$m2bSTqWHAwj&An8uK`u@+PQRPtKk zC~iSf((`_NP;PFiG{udVpn=sTQjdE3aTZ)6b+@{6vZdM5S|n?iJtC|cU#&&6i9 zuuHK%;Lure#Oc!kq<7Brr*}kb!%JLCt5!_*y-pYdq6jj){mao;pv&eZBaHHLVP{Lk zAW-K-4ojgzVJq0|P+`cSI&&6y_Vlx*k>w|a>ax0Y!B1-@Y|;p#80V+(Epz=2a@PyS zIZv^Wd=%>k%u3tMfAVgyH4kk#OwC&pK{N;Gc7M8_N36OxhZ#=w45!uD5Mhk?xN&QP zz$GsTZ91KQfS`5t}UVlx0yut z)DJn|UG~M|lQzHt!mFgIVV^E;P0i}+sL0}E_LNYZCw{o_g#o78-;|`dOK{35I4YOB z+VQG^qEwAfP$=B6IvRE%sMlz%P8VhM`2euurCFzh#UpD!`yK273c3yt zX`6Ywg-R+2h|XF!R`N`Sw2xNmOi@fvr(UoLu}?Mai-6q&@-2n<^x9P=*VX2HIe5RZ zvVv`PZo>Jd-&m9n2LmbK%7s#mjyfQnzDPQx!(?vKO@anD1Y^M;vFCvS^%hOQRT00f z-V}ju{;SY^TzS}t>QzriK5n|cM$UT~F1&;n4sT72=yL)#$}>0Q_k7aIV>kVoqlOmN z+b5p^=d&8bDk|MH%)$9W5vL@5ylQt|UqgA*j_>jaaESVolbjq8VqSr`7DOAo+b91f zMSga->{d1Eawr6Mtn@@s8fXPiS5&aM{Q1M+(SnVUKWTo5pQG~ez!5EI`?8O^unY3N zu_|hIq|DIS&RmBsg27ZaS*Gg|;#ME2fY5&X%GAJNV!&H0q(7dTH1Yb$+}|)EA~;H_ zD)nVeJEzVF4&RFk_LPn()52GJizPVF6~k0n)RPvRr08)pcYYssph94>{FP2adU0R} z*pjz^6fBhKCA~TN)%5bt07{%W`FtCLt;3lX`_&||H}gEdbA5d-zX&o7RnO816pooZ z(?;QBXTChFo}Zbt0xjOo*a{s&_Cctftw2d+M&}Gr{gC#HkqfV@+Z_Jak7+g?_`3)@ z|3C$6Ih^xWqh~h=mD5uWDPm3EDC7quV7YzYE)Dh}5)^v>FAs$VLxbDW*^n^q%tEQz;xC=0vHO0ll0E$Mtz2x>|(%hYr9`39k25jBd z#$DIDykb0xf;T*GKKPn0x1>=AAD7P+aE1b`Jj$4QnXf(EJtnnVW@EAnkYBls_$Ult zuzs1xmN6CQpE2>vLv zzpvBFnJlEyTZ{VF8Ah&5x|j&VJ9i4lK?KMj9x|$A(2ctX4QZr@&Q071nPb+vI%CWS zOB1%ktbZXqnNEnZG)LDfVJ6o%my3&!?M^z&A-}G7w3&zQ;67z3sj?a?uyQkvK0c>> zL3{S-rXlIew`qO|7)dEiZtoqfV(N6nhG2{W^b&j-1a73qjG`q*8-(p~lxvV0 zXjs8kUv7T{@9r^DtD5iy1K)aXc)V@rSNdj%0Ei~XU&74;7dqQgP#W7lhrgBmqFBaTHK5w%92d-0MPFOy{9 zumllKs5y-0QV_z74mX26oS~5abn3lnyi%f>HzMhIBe8x9(Pe0&i{;*%Dl@x!Yb(oaQCedH*zO9(u_)HpKmHty~a2_sQhx zC#34!zK zM=BOVdHfxLFC+BLQ=0S?2vrki1Q!tlN@W{+@JCll6*C%qKU5MeoLo>TIDhozmOZ$l zc`L(xGB18dv`mjwng%=wsVx&g6Bo;@q5Pn040j0_H~Jk{BDvJWz$1W%O2~_1xAC56 zqXaKpep$Xa;#w>lv@?AspS>_uv{z1_48yjvCih8oiGz+4r*?={$cK;^co6r;E3PPk z{&B*NdRMBmiPU_L{K2CAkGi*;1=|MX8sKi{93T=OT2b|||9);+0P{iF1p#3*4)%r*#l zeY^AeVMJ9lplufs{V_3k>0>E@XXfrNr%=LF+Ka0MV)Tjwm$us$iyTedVTxH^I4r(E zMc!^}q*pxuT!gt`_EJkafY>C#Ru$d2p+HaG*I7AwJa0f9;qBnY9SFQ0FZ4)(ZWm`0 zD0;?iL81*pL1&mx7D(h?jr6Y zv5MgXQRU@K$a_-gCAaUCQN2We9pbJO&slTy{f$Ft(AIXK=mHVQW5=iucwjD_G&4Kz7=y6LPq{w!Qn0M^0K<(ZIr+qx{ z2}H-8d!)?h{J(sBP_G(bH^&kNPFFXxTFj)egMQ-BaOun`Y_O!D?NmYG=_OBLf?|}k zF}?fOByqj#h%!r?Q$H~@p@9=3;Dux4N$vPgpW(}@_p4%x_7e2EaO1CnsX&M_P4^y; zOF}?G4Y;PZMi@20z&8@V@2``+Wb_EQ4`c**fN2DLvon7-?`ZwL9pgU9C~# zQxjcdV`ozZnklb$mxukaEQGx%?*}75;PFh&gC8Jf-(QnHv?7e->42)m$kDu~=C0HeU`!ryqRv9@`u*3U z|IhM&P{PBCkdXsMYxj<)U%Ywbr5hRl^U4(#H|nVyL6_er2RIZ1VGumxLrk)hnwYXQ z6Yx5v6U+Jg;3uj=@@uucg8KSbcQti(cjVR=X|{1eL0BK-Zi&$9-)VZKazMIba_n+L3EryeKjCPlQ@ z^$|e*Pjfu;Ai$sf^bw_+%dRhLzLLPZDN0{QLki1^X~($pI13P*fCGO_X573zEPJa5J-G zmL9$Ilf=ttgD9!!X(?+dpdr?o?(Uo*Lh$hkf;(_)Rn(O<0nHb1W&H@=JwkJ2qV{!~ z8p-73Gbv>AgwDr-(E7xhVDXe}C=<7nnGptr51WjmU^|Y82qp3lpF_jOOjh?Xjwr6e zbMk+ytA0C7L7@L#rB-Htg!V>tZ8TQaC}h z16Jf()4YoHZa{ds3bS?U1Ud}6TCrm7^*y&6TTUT?Uscr>un+y~4qqfA{U@q+l62|^ z_;|Ti?D!x{Ev*^lqj;wZh4_*K1M;k_1FKU8B(XG)<|J&i>T3#g*Cte>e;l`nI%hx|Sp-1C$6%fcAiZ@-erd2=q?JFI6qB#xpHw zaLvW-wKWt&2aG75k^osdDH)O_DRwAgqtx3b(pR%#3e1WX;}t>lhhJ<>O<;kB(<2SI zrC@wa_wiW5vD>>2D%*{e#@alx#J&mc>5Zd0O#}P!+7JQ-v|OX{8ulh0xE2Z|DZ~<1|!A)SB=`6610^yiJ)U|c{q&($6CuKNr?Qo1l`>!IA_O_#LYN5o2 z1gGyLL6BdCA0jt?%lC%z6Gze$y9yqCk~L+hx5wOk*5!DHwzzAw zsoKTipsLMmpU=+K)V#H(DK<_Y3Pdd;s!E#by4)Y@pAlnJz;@1&Z)W^>zu-=eamt5= z^((yQ;;7y;x1=E7D$Xse)++F+cG-H8AlJ)OyP*aGrI><<0sw{8lJHtel_DDe1si%hcv9>&&%2#mi0Hp&la|XW1G-U`7Rs2O@h!`*)^n=#vO21> zYy!Xd1$k$xs<#ggM@OTK@rL@_0qCuai|MnRdz`c5*=mmlw~B5C-~ zoDwm%6$1nhh1QRqXU`quzxp38w-(GLb;e=^_n<)LNRU1MPaO}PQ~>x%AeG{?gh8as z6pEkO^$!##D+ag$3|+=q5`Ze&ldN)?BWHsM8ErnW#H{S1G$0wXbBz`*f{4&XMP))f z{{W>BTLG93yhcRm2*AzNBM@I_Y9}eFuIsUnnI$$}Ro!QzdHiV(`(mo(n*zt~zL1@r zt-DmQwjl`}{*Sy|Qi>hS3k0j=Yq{RuHxse%$K-LDYgz2xb_2Gq?Xde*Cpbh9N^ zVkZ=(S0*T#m{~UK9evV&fCk;Y*h!)Jt&*mWn$C>Vae_3B^@r_~8eJWHA8K2j;Z}o@ zv~T)KI$FBiQyxr9=bRkXwp~@52*iEt%C;7srnBcxtgQVZ z7^g9@>Q(#uP0s7^I1(dmQ`Qt@r7=bs82th3l#Rk1-?a15?K^ML({%m2{mZ*!L=mUaR-l?} z+HC6e?%m7w*|;8x`%TbCQ|9Ed$k6-Ty68ilke#6G#js9HJ8Z>ivEr!;ix-i8;Ct@K zYHBTk2n_PTVJ!(UcAN#)=EfM>o$kLWYM5Z5eOjuTt{7yK7d1R=zfgiMfxT5hN<4*5 zpE-i9_4{zi-my!i96D90uP^}vBST^e8E|t@RJ#BbLQTb2?R^Ixjkq{hy)c*|P#(hn zcfCl->|+zBs86;B&VnK(RHZ!6o`G>dP(nEw@BZGNkf=j+L@_TV=}7POtd7z&I0#V6 z6@DNpBrKm?jZY!&W2Hw!GLP!{meYgmdE@=lah?%EqxZ0sA~r1I`rw#rbQM!4Eh@ix z(bTB7`+L8wO&3;h-XO=!m?5t(9nD zH@r7<_w%uMhtK7ML5n=cWBl7e|NSV4&R0mYa-^ z%2268{{2?YBG^mBK$ibGt_oVNjtH6`D6+zXul(+E?Sq#jwnl(7a(5td?RK*CL`z7FugF{oBt=+>)uQR!Qg#P7~|5c=3 z)5T;prsg;cNNStzvh?eq1^ZCDy;HGmebO?&pWL3Ej>ybs z35MQS^@2yzyC0|Q?2W1LITWgQ1)(vr@lcTQ;U~t(f>J3rEUq+;%@e%*8% zx8OnwsmY{(e5}{e@uVIvf5iw0snknF{7-ABxchkWUBm}W#$l|JNjKE8BLwvN#G5|XP0z`-5Dc44ThCzW^*!w0)|59 z0MsU=+GOWfjivgg)FEw1i-OO0J3IM8$ABGF>ZrFyd(wjDI`nU9Qj=MuzxxyhqAOf; zs!Pg}uvJacS)*=11I5r*9!&7;#o)&2mkyP^WpU;R36Cn-nhIyZl%^C5u`hXfK&m^l zFlmqJLLq9v{bpX#&Xz6y>ol)3C{FP*#Hk*~M8)N(rmWHDc!esf6xA2Vyr)T z>9ly@(x|#hjb7?(a1>ostJw?V zom01jWf9zG_wDt#5Vleq>CdUXgFSe1?ZeXrJWXGm-Bg3!weocnkUfjqx>ofR>J;vD zODc_RhAR75a(wVn1_iEYAQz1k?uW|WG^!ySsgu;P(ibnSa#|^D;oC}Ea?0u^c439v zju2467F$@Z|dJ{@q@0w)vDd4&I%oa%R@2Dt(=3u)?VAgUwg zP7f=f@JD8JJ>0(VCkeVYfSmnN4s4T+pLUOU2g$?3rr*;S{#c{X=@@@LI7 zHTX8WksuDBJkOzi#vR6VtF5L($Zc7m@$${fZ>E&yhX#=})HXkUnSOVxpak%n344ncy(%U()>eX{KfWGa4 z!bZlTK=7VAVO?@pbP3T0a!$q7s=gWUcA*AV5 zy59|T(={a+H!3x8bROQdL%MPI5>Z+llZA)|N#Gf`B~`^5TbtEoH9kN(%zd8(_gb5@ zbE^b+xklzDHjh8It8AWJ(8D;rci3mnVUMPvlY5QsoSPk#I0wi#aOJjwG$`lS@|_n~ zbLjS?yDs&0M;v05m3g|E2ynsEHUE`C^<$*|?>VH#7*47;{$dXZdi@;ujTuFts!7|DF(U4H&l?9f*OZ zwomwImzc4Ii=?{MP^FwqHHnNkD3^c_vUmTOmmF3N{B9cMGWBeWZfn4EVoVIPbD-a> zf%h~Br`V~V9w`mOLZpAp`9fgFw*HWY&eYjlG);*@$h~v_SlMXUz@zusm&`b#)vN!( zQyvPlk9gF(dAzZeAz{F0W@RziSnISJwFU{sz2aT3!9eH4@t*|5DarAcR*NnNe;B-J z=2$jP)}}gFzhrM_irYS1ZMXf>QEX%%(HyWDX^xOgQH14xFIfYP7zg=x^BEI1HcK{Z z1vcq0j5+JsS;^4~P39Cb68KmJN8*xX0iI7kF+kdi59=uelGt|i%PT;OOZsJNN-62E zY?eq#%Ls;GP9lH#{@0=X%6c-EFmzA0nXmTw_Rsi2ui@QeO@UvN*A1AJ=HlJn#ZFeX z*;CKmq+pG3cUe=s=UKwOkntu?CSA7+{QS(uiQ5tR{adjhUl3LReCLnN7x$?cMWVSWTICqM=TQG) z>9`seAAcnDyuEnWgaX-bxI>#WjdS^uZNA5+sjN;-D3?tq1qbDSR@{_(+8J{keo&8$ zgNTO#+}07&JLlK?9`BvHLOCFx4*3`1p@AH09_J3>P#!U8A)msg9@z@$w%CZj#@yoJ zOIjs}{cLv4daWxCYW)e8!ByxqLtF%?b8v&;@6@P$ae_L8iotbkY+a(1QGw!gVhYEu z3*k!ddrI=t!fm-@g9!H#Rb4$_d`aX#YGEY!l0fH3=lDB8N&1ES4XJb_4GOzo;_D;Z z7zcXXhgygf`&+xHbaF+v zlXjl_r#IxcUBTkU{KX3wpVl@u`IQ4|6zP|BtvzuE1zE_6X8N>^4Zplvkitm3L_DW| z#RX(XHFz0*8`JCP=~5p_>t^rIMxe9BDZ{`c>I3n-yDtXXJgpGh;xy-Y2Ur) zYZ2;`v(5;5noKCsB90g-pCaH535ZsimmC-*IGZqbwCRZk_w_B=z{7DQ)9@u>?KPr9f?!*iqAwA<_t z&xDbN`My+$ta>?WO*0`gtAoREG%h>9)9OukSDc9eFVs}S$t#k5f+}KWk9`MTZ8mE2Pb~~l^{R$ z3?`twa8AELyqU;J&tjG?6(rWM(&Am^`2ouHPmbTe`V>n5c$WYyIT8G4uOH@eB6<;r zA*BW4s!*kc7XT{$5eXwdi1uS?|qN$5eWk|cj8*^H<=C`I9o;UDB5QRXby+pDGvnA5`7ebYoalVMcL*SYh zt;;Q+BmA3-!l}szffg6m5+5Rt9LQ`#NlW|i%dY}gA9AIQNVI#o$mRpLI1LbrLn=T% z6d+VQ;+GzNmnWEMCz7sb{PH{m#a7gsL}t$c0pJv;2OxHlpH*BKs*v5)ytc2T&(P360tWw&`4Ji z#6Ut)&4=6uF5ijv%C@MxKx`D!fqx>B0*shi^5O8TUNyaZIBXlfi^-4UQq2hK2%#4b zST|s7^hsQKg>3^GD0QdN@FcwV$9`&V!IV5D4_3 ze+tF>hTP`k1MQ9+87VvZ@-v+Z@@v~+CaWW6-89zpV4sZg5qy@)qw@tC;iYrKBD8;p z4Bh6Zmw^W*eX^4r zWF$n@-XQVV+1d3mF#+K|I6=eK4>4N*Wx~aOjdtqU&J>{oNlTQnPeMs= z5*WZ(3>+C(ZeqRj{Rzmc$=0?kQ&Z-)qJsBCM1&J3pNldAkdV>P(3u#4#m^$o!U70z zQ%EOA_%vicZJo3c#KgeERhFd--Y@X8#BEb72z5m2U&QF|ZZ|p}&P_je)ye3&Z;5(+ zILSjE`n36GB}g^roZ`<_oW~7+YFFa#Y&7)Xl>0fNrrUx0l37b9JLy>*N=Yk_a24r| zEp+PugMrZb1Gnl~Ob9P;?fm@wrQag}(LNy~qo9EIJUaT)_9|35OQm?y{&uF)&+n1+ z?=H&BAN{ETf0Ku%rN%h9>gH2wH-j*q^7>w5Q#2mzkxqG`z@KZiMu6el1u$cKa%Ap! zy1@4Yn(q9W8q(v6?iiK@eAF>|)HD7cvt>qLW-}q}d<==(JX9on%d4pO2wZ;x>Q$f7 z2EnLr=AA0NL9>{skewgLinNjwy_29)dBq1fm+T5HMw&DwO=9M0maSC`yngx64@K=m8<7ZHm9fL=&z!MW53idsa$Nf$( zA_%x40Rh-)LH!bdIlvH@3Bu3p|K`*A%zxRJlCFPzw^u*!<74RUHFn%10&QVyJ-Me~ z1m;hjdOlvE&g71FLPw=ZNpmg<%XT3|gY@*w98WOftpR=1`Tpx=v|i5Wwu94pI1Fyg zA1*X0DJk~%??getSD|Ff6ZixKeFR6_lf|ViJR2K?gd1A^F+C=Y)i$pcj| zKqF+gNwv%EkAZ6rW-G+c@AP2La$6j^DVVo@psS?^Za7e;T$?#j=R8|L#9&Bd_Pa)TbcnF2rTEGGfMwI!O)T=6#?3K0kLV}*t@l|DqpR=`_s=bBFhF*wNhVI)ZBqT{GNr;|!IfFol z%dK}ya-M>hqu58#3%)m((VET(6TB;b<8F7A_KKM9;t0F>{$`_TYH^ZZi0^2c)s=yX zNjsy5m8qDRlw40o=b~lxb>rd8YwENw0Z(r|rJ3Dt-xXV4NhWB|p6@Q+C);?)L2+Eq z(DnH|&gMf0-Avclxe|AeI_&MsDIKM>UEW!|0`E0NFNc(bBG5I7KQkh&^;UQOiGml* zJZ*c4GFQHdjr;nHw0KnX2?VThMZuH6Y^Xj}EW~rz;M4WMKchS&tG46mcjT+<&aN&UmdQWe zZ0G(fD}eXhmX0v2Z{7R5;%i@p(?sMj;Gp?th$9FUS2vXsXx6wNx&lI1ZgwGYlI7BM z0YF4_QHDk)^i142xs`2}9PplMbhLgZnjH*;K@t!sVQ{T}w~3vkuK4j>e`bdzBRw+< zBg<~RvjPn+cctU!IhM8r_t(b3@+{4cyX>^M)fKRnAQ7CJAv7!iO*}5_M=Sk*lQo#_ zkpj&_3)qb*cadBc3CPy4uA*w}HjS)yQ&?|2?zfkgGZ-uRaOdA!>JDaQ6w*WVdW6okN}P1zV(^63Jdw0@O$w%mgP z3U>iuU7m8@8h8jpfaY5^tIQz0_T!#l&S+^_nd|bL%jl?TT?_$)=a*aHtoPeO>-`;& zts*1v`zSAOM(}jbL(B^YlBpu2s7P_%m7FsyaJM%4@}+9=&4p?8>}h|1FiT8tjm^mv z-s=xUgdQg&*uTwko;sfdbtBb^uUK!LhG4opNnCJ04gpg6ee?GMb}NW)2u@dr+3x%>^lC*@^e>yvubHHGihh6xLJ5EXR`Hm+i0&v7MA zkoW`na0>BLG{hT!&c>ei-J@$@JZ_p2kD$=+W0y&X{HyU84sL#K{#szmy17e_EXxg2 zE}k^5)+X9`hlVBx`Ce0DX;K1+>)FECX%aOsY-R3TzrbsM5%qDSlujZbag@n7 z9YLTGNxvK?ez~i{IpVQ*+#~UWIr&Q=C?czkUw&+_h4^~~9e#n$unW(U;R2Ecc2}BZ z*w`pOG>!anP=Y2?^uQZgCz^)N0iUI%?=M8L>>4jETr$jqKZ$iJBF_&JqB7!la@s)9yu&r`o z)vV<;mIFWeU{FwLdtqfo)$pBCB!2@KH(do^C2ra7!2m(ay^j9ZOWc2Pq+G0MW`6S5Weuse&`$I zuSzRW&sxZf@id38TYJ)to}YzJp&l3&Ib3gNgR?sk1lOjwBu&z`U@lh=XIk z&C?p6*6(fBVFE?`WL0x>Hx69ec6>Eb?uHTB-+yhK!$Vqeu>$_u3AfLk+w}Ii1kgeC zFzZA85OfK0S*3wu#R%w^KyD()-ulme{)HO|x}1k{0kseahQ$Hy9^zf3(rrPW2EEj` zg$oygMnPj{15o9k>vpVK-# z_I}BM1X1)ohjW_%!t-Qn&dqn^ST322dBX;l?^z&_@*d0bnb2ebL4m0^+SSi+Q2uDV zfiti*yxZm0-=C}B|8t0^5qvo_-iKPnBLWMQC#3HrjhYCtl9eXi4ezx6a?#P{B74A1Xg;?OwexM*;2YV~`p@esnMd?}Y|MRc`?CvncK#5` z%EAjZ55GTfZZtJrZ?P}K7!gf*@!=?AU4s9yck9xwHa9jouN3n8Sidx{CVu4)9pDr6 z*VZO?BLZo0OZ#>Kkp?QgYC`b9Bi0s2U`;HS5X3}pX~fES&&|5M zxBT?Wu)24xx1fM5f1EkDaj^6^8@soqnm6ZEVxJQtuiMUaJvG% z4RH8Wr&qomSdZZZP$e@u_g`a83%E(jw)ii&q0=XIOw4*x9Z`5jIX4}jeEr+ z8|M&o;m*nU-R(})j1n?!wm$kVO%cG_!2_Abd8?kfTdk!9T*Wc=)L86Ya4A=)?~3>t?g-V zB@-BgJW+F6>FB6`bMKzkkj{>Cz)!9?g@vjD$^B9_V_B8eA-N~)V@M9sh^^F1<;FQ^ zJ|CQY@^B2FL`+moXjgxB;M29W4U)=8qu=U}4@hzUE&f{gIBjby;p;!A)^#TUpv%5& z0Zu3^$+g>vy-rs#AsZ;n0Is_$^!cbI&3OAN9Oh_l&GjbApAlt212!#jdQ}1-KRdhz?(V+H&45@G#&&MgD+6@Bm5P!f_SEy zS)e;*Ukv#O2F8M0bd`KbL1qqaCrE~sNPoVZzzG^`5rCjRV3c1Xcg(P{0_K|v#;Yo- zK#<1;-tT*((#)(%H?8_LJ6_7h)T`$68$%OyZ(Q2ecjj-Y#ZgeGb-}Z7; z^|sn27%iAv5S(hoLYJ-BZa1~B^_pS3TUqFkrSoeSn>ikblZ#z#L8t0%YrSU12-(n7 zp3`pQF#hCF^mmJHJ3%?n`IQ5NuGcAi4r@PP=D8&$zqXHW|8(pZ7Z+k;W38DV2_FT$ z^Mf~pE_s~qRyXu;VC}yY<%5(2nK+o+9?srh7Iq7te!dOUb5~|2ymocp3o|!#-C+fg`489q{oT zPf3bzPoC{J93qM03h6sU3Jdcej~CyN+^>4vR~Cz@iIttDE?!jEi09c@CM1wm&qhvZ z6c!b=TZLp)Z@W!B?fRkdb3f~SE1V*nTPh%$?H<;S!Aaqsm zadU-tF#4n=O`NH(kJWW!76QdV5jve7+Miv#{k<)0O#FL?-zFJM3HB4)ESatLaYabC zenL{t*&`46S3-E1p!8?e-^lD-dhz)Fh7jV0YiblreeBRc7-SE0Y!Y3z+#qE7p<@Gy zVl?Ix3P??)=b!}!*zmU|?|E&y3B&61xf+(Jp4WmWA0^c}tIP80evgS`%h8SiBxE$& zMx;ONpyK6a&Q#4Gq=Nz(yf;?}LhcU6=xQ437DvZ6^9}C%Eb!Wa5{Tw+S>o)SIdnQc z#r3sTU)W7q&C=AtLEM}7-Q-Bq5a8~02WbA4V7wQk+&F8=Wdu~UJ7SNJ|8H~U{=&3) zuH3i|WF?%S7#XtwNan-PITMh5e*^{@$xRKI8pT!0u~g^hUoSP?BIo7jc|n1TOowG7 zhLnie>^SreZ+>ySQ1|VK&9}!_ccYWD+A44F*7ffet*f;eV=Uqb!4krn6jm^rGX zTcNy5ps}(knwP%OO9XO5v54p&del1F-04A6HBa|K^{BH4)O~4<(2j5)r-rKCmh>Tz zK@48RFSuP7c6R<2#KeTKz2M?{A(W7(*@LxGnc5_VT%G)9c+LYM9k_jvPeR|*X#0RG!>;u_F;D`6l0wa3BLfT<82ARx%P4_X0d^eF9(IA@Fst$i z0})N_*3K%_rRp}hz$#-)KD?QmyXC^w=i-aW2C7wUTS32^u)CZ-S*2jV|M41H&=&}M ziSQ!J0#(lphgBALGwL8gDKStg_g{9Me_i|?y{bPzSCA?vi*Y2*{?dbrY=5D)?e1=EdWu|o&Ia}S_D=|7$!zMNHS;Io3PbZ~c|Kf$4sy)X4% zA7qLA`7dew0@4&@;339wng&&bBN>=PP`_6Hc-&e9_;DV{%-@xz4`tz6eXBKig^?RK z3e~U^!h^}|-*@*D1WW(~T4YM_auC}7f6*nY1x5m0a_29kOvjyj)OLd zzka_YKEk}VTaaYL!z#VeWJN%4-P%U1AVD417qQ|3T9G7QLT|5yxFrbnvh(Qmn4 z2M>yJ)zP4chl#XvNax)KnsuLiP#bQ)pCiBS8=txFm{pD~X0S?)D3HJbYJ4grV(&q@ zP#Kt%z){T)`}_qYew?+4=0im%z=MK!MYAtOML~N&vInRk;em8UKG;q~-Vz_sQ$u5} zqt`1~ymjrE0s8)!?n}q=7*Q2rjCAf}I#lnH;o+QHU#j0z#7Msrs8A2;&#Ek@S_8>RJ=we>&`k^&t`6GzW4NzjIE1jEBr@P+u(| zUnb8U{n&2>J^zTA$`k((%0F3q`nyelT9{)x^BK9x?5M}AIqRcSu*LJ9H~|y{tg~>? zbheSaKQH$N+WQljCTf6>0aq~Im$j);rn@&By8ddU2hm@RB%0H-Q*k{)4*R|{%6Ico z^BVWZDzIkvd4rv|TQv`W>P>j#pw+eH!L<@Dh)4i#fNSB0XW6^x{5y`8tw^HHHk zzOCBU1Ruo@Z^b)}2V5r$SgX2i5W6*=)P&gd5t)E6bBw9#i-1fHW-5SV0NnZEr!2!K z;#RZe4^w<3Q_bX1aK21)3qMo`#8D*Q-K_tbucwxwb0{|jgDm)kjSw43eFR@47&;TO zLV%jc|DW}KUBqOidcN-J5<{_;YFs-I-cMdpbz>;j?kezQC|{D1T+>)zJ#50Qe%GF7 z3$S?hG3fmBupw zx#st)ZMTCdpA~WvF|>?*0qO(8=6D6$U!~?+2q-3k00QL7 zOmG9x8qmv@jTRRYso?~APz}~?jPIhb?hNAgb3VQ|gyk@&r6G0)) zH@xlNZ3bxh0PM`nLCIDkX4+^mv*Zz9EMU0?95hQyX3+QDm197g$}~lP=HrXg2QaL$ zSJ%XIf#c$X?2ZSygpXXHzFB(@Psa_M>t61$g1%wg#KB)m2*x|jW}3rZB4+%eoN*9L zP(`pU=)=YAM45fV+k_A7DX)QTFp`w!lW>W&xi4LKLIXAg@F%o7{&^deFCxshWRJwZ z8}e}yjc5=j5$j`d@@#M-Rns%Q1MILA8Q(WV^@r0p$Z)mufR;^?RgV?i$77?_0*Z!B zPJS3A*wKHB0)0Gar94XuBzJ10l;b}faH{jrcI>{i^krgX=6Sn-{qi+nC*x%_3Lmy$ ze-PxENYL9a3-q*%R+j+hz{=86=RHa2#u;psIROv>idsd-%z$^C@}shJv;FCNa-@2r z5)~$+tZ{>aXxq@O=-U)wM%Q061)2epshH4}Cn88{^(c$M$1Vyx#9x~}aNON_R+hb8 z<9WQJC2A82W;O=C`@@Q++Z6Pn!|W z(J&2o-x+Qfi(?@6tje^mVO!IIM@(h}5SqfPPM*C7`%?oXCM;p86V4eHj}&%A=H!`G z|NK2AFwHpl#8lVjOYBBrH%14^ds|l2ae+7bO{drt^JYF=LGez><(sEBiK)1SZG3;P z>}&JmOFroyS|5DFMsakgr?*=thYr<+tcf^I`$H&+t+4GiPzsoazwUeR>=ypm3R3W= zPWrO0)X~koBg%FZhk)Pq`Oj6rs#Obx?luV;*ts~$%Gy4twETl)0PY|%A4mObHMLfz zUCmIdMSMuFz_-%pA(CFfnQX8OIOC!sL*x>GK5)9?0CSV%Z}#%!R9UcW*bK zs~5Oj?_DCe3+fY^oqJ2noml5tuCu~H9yMi0yqc;m=VC(et%fGCil~vdSzNiA<6{C# z;fd!OhHo4)m90-_Dm}7{yV^#^h7RUKJoyiL`4EMFAFZxOF@3K6YvF+%q@t#wn5meW zY6z6_|Qh%H$2MJ2;tXXKHIMmtsRX+azSp3y%ZG z*?FGsI99P}a^n(JF5V@G`bhmn(VCEqs3IJttE0QSvnPNQAh`bhRKmITj{}8vf#X~I z<=}L^d@lkG?WI#{Fv99}FmA|n(qQ$bM7 z>#eEo{6R~Q-u)&YlpvYzpl+t{JBt-AE+AH&Eab5)M&t85KH_){BLT>v0HAMj6UYJ9 zP#YS8WG|J(7Z4J2Us~HQ+N~|h*1XyxsC~Or;}ol=W@felU*AQX{GtrOe^z~Y5;xU) zc!-tgykRQi`A*j(C+~D*XbBY>;$kNS_yD20ed{T=lOZl*0nY>QpIteD!=%nkGf5GT zc`5DE=x!ii8hFJbh1cA_NV|D5BxP7=m~(RAXKz$=6FPBnFlR@bNcGG0@lRnrZ=Bki zw62!LFeTpk&r8zzglV8caB|k603vRkojqD3%t-aIo=kJNB4!yN)4FpD{2p+6cbY5; zzst|4;E+p>Nle6mG8Dgrhhsp<@8&@GP_e4`tOm@&v_f=vnCC4T39zNK8mm(f zkL8^9vvMd&FZZ2PP7tNM`wH3vV@57<;I|7`*51t-#1+cyV0jWJt<0>6>Rr%3kF`3( z_He|T{D3{SEzva=T9}BCV(iNNN}sAmGJc>h2Qa*>2c2CkfG8Z-bFGP^!~x`mrNGtg zZq4`-38F9X`bOQ%T}(T+-)eH7YRUCFz@yN-+ep1K^>=GGmGiE)+Jx{i(STU9OR6Lq z#99I533TQ32Pds-ZDF0u0=I(1WWUuH1pl+HA$so8&;9uzl8Ov1xia(926Eq= zXM)F9tBmH7A}2(>DZtjeS)BAV|R-^cU=%v$sjvY$hGq-D?^@DgG(|LR8e*2-Je z5U&XB-1>Di`Iuh@tOTy>be`I_o};W)+l)sM+h7KczM-nQxyi4d4vAv!djTTdIXTwV zC-hOsMU|CTQgs(ZZW~0_vz0d?;YY_43_>TDFov#)&dkih0XyQ&|I7t+ZdM~(T~AwG zL96A119=xi!{^W6Y2`66F%?C36HTg94Y)0~wzu~c+(|PtGXs3ii(0qNU_ux3xHzPO z7csqF{kzAwxHuXW?(Ym$A-b&W(2vw0q{|S$h7N(S?X3$A&JmWS<3!jIm~Le7_BILm zCwzP!JJV&F%*q2HdAW=)%!qEoC)Fk2uby=4hZW?1w_fK{r>3q`>uf##+Kp&z%=WA3XY?~=8l}J@pE#}8eOnKR; z(DuN;-FFN|g3E3Ku)VS6;TL=_F)Zx4(Lx$p}TMM6Jer6zG>5-N5I=YjnXlzJr zrI4g(!hZf{n8QDq*yBW@muO^^+y2%}LlK$Rj>7d`TA%`mN&!xCvT}CUsY2tHjLb`F zY6{8f^@c>xwXn>Mhb3wrdwcx=QJ_!R1brXPDP(k8Ykyjzrm3kgI6)fWpu)JawY61w zaj~_f0e9rLI-T13)xm}v@ij7IST#iG{O)u7!EgocpMUU|&++Q-M!0orh8ynUomH!?Fm?y%R_a%fD+&`mQKmsjU{aP)#!E>V}z(dN6CCv$7%Le8i*?94t9 zepZy|I$woY4(?{=aXwoErU=y6S~)m;&jb5pH@Qq38n@Q@ewUp4-Z}!diNJs&e?#EP zL5SL8_pBql*XsmJ$a%hsAp^9GS)2QGXproSc&cpLVPnN<`9v`Q&P=)Ok_x$Gmefp} zJkhANneT5)oSPAP%B!YcwVHwJsgkA+gP+3V>N1o)uMX~j{WoA$kSWDi)Ms8y=&ZIy zukmTnKRX4#H{NoP*vu&G_L4%cyExt5VC-9V_vClc02FZZWGcBaT|VaXO;!#0juGHM z53{P_=>*;qVIC$G6P{=WB~cS`y*ZYi`Kav^Gx zZ#ZoNpR6G7w(Z(*u(qCHhZ9cEjTk?ihP-v2eC)sVA0Ob!%ViHELl=ou`T1}E;8(%N zV--lj95A(SJam5^aQ&pM?|1J(I;uvVR`;ub=j5GMhjRGt@gQ$i=Mn~j7ZP^8!ZqW5X?48@42>{S6 z?Cktfh?y$M6xKoasWIVC8<%o{2M3Bj2d%WV)HJkIzWX4Jaq8k+-+n80?Sl%1rG;r0 z5JHnbOZ)R?+ou7`nq+*cyz#xLh}~^oZaxkkK~{i*FMaVD#rQe!zcVb&f{QgtNB3Tl zo&1Tig6#Ue5{IypUt@INJHSAD2NV5ypL0jQJL`P@PxoD3(LM&F5gH#P8SfYWN0qhR z@mZ2Q68&|bm|lv;@$nWg{28xtoZ@1q8L`_KpvMLnpz2Jji{ToF{Z}`~alXD$3KY?M zb{%{RO>$4pF0_kN{B|ub{QCz;GGrHScn16qY2}A6CchcG`A_4h(5_z-Uo1G4ZlV5p zJ*BuCTg1O#ZjA8F$N&C4fP?&(*V-N|N)9*}HS4^>?tP)U2TUS&JOJnKWmC43H0cri zd5eWiY4pvx*fw}F-Q9-E_gE{wF`U*HW=}2yioQfbvbF~g|GZexu>5Wmzz3Uh**DK0 z)M~++lg+5kbRWnf_4ITNvX>N_9UQt@X@IIp=ZAlK2>SVM`@tMuU<*i9r@x}xsu?aS zenO^Nm#vBH{V8+fB)G>TaUN0M#q`z6bLvtj7ni4q1W?6WnU^!?TK~S= zr8#RQfWSPXbKi|Gt62M>NRg9~la(>~0uvR==N580i7)dN)&#6NMA((T;Kjc0 zaI=^oe2X>_VIkV)c(xYM>kePtS(?0e|32&>4+(n1Z~+jWbg@A>&wavqu<0$zqM z^z~&dHJ?A9Z%yp(>^N_X^3-CCn0qYtpN`Z+VzEOb!{^ntAXeb1`>w^p^Kdw^1|-2z zpS_V`DgzF{3?Ppf*_N;`V(cOnv?JD2#Bbvi#}D`}p9%aOWaO@ee+k)s#}JFfGkX)M zR7H4xdbYN9wnhgzSCfYKM@PjGxtMx*b^l z5)uT`^)IuZf-LYG1$Bn7&d8|yEZ>C8%f@lul1z;bqd|#RzgDBk4;!6oyK5?HGuHd& zlO_G^Kt{KlODh$H9RfNcgSY}3O0OGGWBks??Tu%XQIK|EmfP_;BqU()T;r__oXIaN zZ!WCuhda1!q_U0|D!H9E@)V8Vby~{cR98`XyOAWuj&_b;fC_y^ZvuYcOo0HD614^GFeNKgG7AD~wD`6xRsT7Uld@+BhTo|d*yFUA7Xu>v?MvBZyCM*zmMF;=yEG0Y%zxgX*y+)$M0 zsg)tWkIOe~B=O}67+ThcBid&@Ueg;DNRV~iK0r$Ivat~;wRv3Czq5Kz^`!DY zBERIj=H5QKs*nyLja3bh@3Jx--c(9UqoHK*VZQ~ThV8WGX;i;@^-4uSy)3Qv5f{tu zK?_!WmgMBrfa`hVIY-Tm3A+Zbmu#w1#2dv}85&q74s?ITc-6?b9EI}c!LYJtb#*cO zn3tQCV`)k@HmI=dM7ZJ}CCTTsp@$>;UICB^fic;Oj z@M*}{x6K-^tlK1qfZ|VUWaLaj9Jk7Ud>Pc4-n;kGnmSmsc^Lw;ZV)wWUxUMDOjK6$ zes%T$P#lgwWp~i#ab-uqev??pP1N`M1+SBJYkm}da(gUP2SKD>2R_VYaq9YId|&Ae z2e!G1PsEXw!~0)pXdpv=elJNw+H}kOPD*}ac)xF?Xu7Br4d>z?BRembEqho>@E8;b zd&u;{*a)#>KeskEHkN;3kl^Cu=QjE85HWAV@tHU-*?5;Ta1eAm-NikF0kj{tO4#-@ z!`r2YamNyEq9Ql+wTp-*Qr!4aQDEir#=2yp0Qc`s18#O)Ko9{iOn0>?;X|bF@OP0d+G5tWZ4w0zPkszYqyPDJE+?Aw`v=Yh>l` z!sRSPOIDyY7Tt-T&l3gJhSD;@ZKNs( z-S|}VZ+SO}9uBFRWsM*B?0U3q9@~&TASLCtyE=R4<3BOMdtr5I$4h`(L2z}1fyh;C zuQ>T+WohOLkDGOQou)14o~A(q3#mhRJ^$dcGR^{6Mvk1q&Yo9DKfKWg&u@_79a4<& zS|qD$ELqpF@w9c(vDu27J=Z1Q(}6i$_2hY}rYiEowtB6vI6vWkqU&77(Uiy8vINl@ zSkAloeQm@v!e9Sy{|HI?wM1gf`uf$?dy9k^6L~xPL$E~xAj|{HDGOFjey5$Q^HU2Y z2CtgQZLR1;K3IFQi_1eljs13vgtK$)3sC%r4JidafOvUNflaW?U-oNp@t=k_E6A+^ zFfhSg{*z_}Q6F8IJPhyuhJJcPh6l88xcKZ3e!T!;Co_kUMLEHjq0L82io9{#g3jeB z#YbS#1BT8D$K`>Cy(J*t46CUDXf?pagg9X$&S)2Cv2ud1I%!|z5qKJ~$I6jz!Y}JC ze7WmV++{$9{d_fYKFC*KlT|RJlF}Ye`{I>ymh9)LzQW8iFw3I`L`4BTz zR%Hz9ZU%PeNtA6$%8>wj9%GeQv?RS05vA>Uu%4EPXe4<2$na^L*HP2%rMnjNXd4k#X1hP52coU##ch#IB z2KPGIVdMXli3RPA&o~Xb?M6_2eT6S6d{1~+vjLfoo`PQK?#r)osC@KvH4nRXHGAlKJpFqg^(VvdK~CGIj;0<#q)8o8CyT#(xQ(L(XQmSYHS{fCxsa| zHa{*}W&S>peoJ^h4CV6WkJbdLxR^*@3z4z8(7sOxb_@&*sge#$eelu-Rck8h6B4{{ ziBSx7!;9!iVj}e6J3MDB(AI?4R<~i`Pm#|zF^?+lk~p2l3Ly$E8yx#RUrPv5rIqZ7I-c;2N4|LI+@vCQ@&oAw zi=x3KagpCNw3H_16~t&)1)o1x3*uZ}2_mH_Kab1f)AVF}yl*7GN%+kyXk$&tKm9I! zd`D>4&W&u1Pt`V$50LjS%!X34UPny`eyVZgIGK2};Gm$exKro!Bt|+%Hm#-zb`{YT zm8((vYw?gu@22-70j6UmbFA({ESc*9Kv{4!o$s8-;{+5kn zb5}s@VVnr`MAu?$>Eml5%Si#R5fL($kO{Tzw;}A(jWIJ7u#dz$DjmVT0@W3Pa5v9>B;~QnrBu`{;ocr z+r|j}Cu^I6?regO&hyk&d7WCDlU`h?tH-7pF2n4vEQ}llZGFv^YAW3jPq_%v!YDt4 zisRi2KUyhegb)Ifza2&hl=h+#Yt zZ(f-6aV$Y{Y_js2oN$t_AaQ{Eh_nQV#OJTnrpCNN>^ zdyShaoj4v^0`8MnWQlo#>fP7Ixxc}2an)QHW^N?=BG&5quI4CE`c(l8)D;m6^fw_H(tWbN%8i}OvkIm;K8(ekRfQg4Wu+hjS@<)zsOdjuEy1HqVyXO>S zoTr`-wgnM?h{FCoTi&lGpGVP-W^|Um?qUk<# zwlO&D(qIYtyS^1aqNjT?&#U(V*zb@_^%Fk!QEjlA$t19v?IhkdhNL= zZS?f!khf?uh;Pl;hYdn|$CXYPC%A7N9NRk|t2{Ah4e2`HY1?kzdvJTPan?mYKyvsY z0q0YEkv1xevmLG+B{wE`YisW;5&jexC4=?wMBYac!Sf9_y@|W;yeA|5Bkvor{rud; zK<9Z_!@~YBr!Hi5#9GM3wBZO>aB}G3>W^2EwY5O=*u||9el@*{a*0NIep>C_TU1ck z-rh4=s-GyEN5*BQ5~%Wi6zBJhaMeO4_PwZ7qlj!+KEOuzk)~;Jrxj2A0&{aLl>I#u{b4G(bhg)Je{2`lDHvUqj3Ax;}NC%=su4G7`XV#=9*)qI@Lq^^a9>q<~BK5 z>j9c?OVcnL%7|#|)CyI10UnR5wcA!bI3oUGxtv==6@kiNFV|l<3%kTkB)&u1_cKs`PMnkN~NEa_}AmmeHloFsmL%gxdDzA`T=dxC7b1<)ziB z{KitYld+=mZd z2($0^$6)n$X(x5>EC{_LeC^EYzVQA;(W)7L$ma_V3bb@s>c{&=o$u)Q6dFqs8$v%`5M1fU;j*8OnUTDeHod{lg=a;=7H+<3Ww-9ZZji6HClN}839^C&|XVh zmN5E>Om}-mZVs@4Hme3>eaqQ3Tcx{`4{_x)*NxaWa;&MsW^%)pFwr6=E)w;&jpIJx zl5jgednIl&dsAOjL{mluu`TC(PVRf{T{*9`%{{vzfPzi+BCV^7!Ms^7BczPzsUm8G z@Xf8og@_&FA2ko76yIp_F;YdF zB)-wwB8#z5B%uBthYP`w z)rB_5mN0+{`gsT)ZP6iSiQ4uKN?U+WwL8Zn4occxB}WJ9vhQQssp1j%Rtv6=3p!}U*2FUv)m(!hhu-FtZFygM>xtUD@s|w$g;jXEb6V0q(yoqrYuhYTc=yD(cPGDZtjRQ}w7$<;Jl|1g=}i>i;SjiNa+saA&+<(f+Vz~u zeU-7&^Nrhn;!I(cIn8*bF^8E67&n=;K|v2h5SNzv*=Pc#%#W4QTOkSDUQF;0;mOlm z>vwpIi@+)%^MFrBjBP&hxnxr34H15X*!34;(GJ*!i>oz%0VX76c;osmy@JjP6yZ4t z^vks0Yc7fQMn?l5sy$MY|5KyJuT515*I#@9W%nkF6hq7 zpsmjCun^5b=4H>uvDhI0U7qeIO{+trERC|!)0n%Ms`TMboHS^GA~b+ewk=%qXR9cy z--73)Ah^S))PbrpitrAl$Q95B3=`?+sjpCxJ@v!aYD@9=Tnt!Mho;_-{m#ds7Z$^}8j{x7djZo=N0ig?2548T6CNU!WG5Ikl0>qsZ;&BTo- zESGVVeT6H8&^8mrF+%%m-@XB2@p!J1hO75=X#U!we1Es)@9+Ko`0pzpp@NLV@5fyK zg$yzvzqhpCQxaqq{=Z%23jrX~@9F%1-Rr+xCG3ra^FKcEf4}Mx$UyvQ*MGfAj+@>H zNm#DxyJti6&A%H`fB!#C`fJ1xNmywi`hNxnZm&-xjbzdA?tkv9jyKAm4hjFi9JlMi z|I@zzeRLZX2@|#YsVa ze&v0Sew`;zqJJe(wi+0w3@N@Twrp9kLAgLXbaszdQdg5#`I?9Y$ujSd&eU3N-d$O} zPq1`C@?`8+BR=$%{-u7+6I!;21_PX1MD~=Aax)5mx6vjP+O$a9qUm5~TUO%qvBvHu zl&%;X;`Kcsh9^SU(#(vG<*^yw2+}k4_r57-=0AR-GvfVeD;|F@5{|IN+Z46rQYV{} zgKY(Ebp`ooYvWxLLw#+9H#=)vKVP+*XEIFY?XJw{yvd^MjW5nG-nlbWm-|zV{x*uY zG<^-Jlb?!M+Td-LOa_Jn`=WCG1TP&g0;jyj>Mf(!;i*BlZqJd2iAO4N`nm8p5#t5i zW!E8(5tgY4OMjg~tf>J*zSIn?O&>OazGwd67ozo1d7V70XZp{a22&FHK5W8a=Af_d zLj;9B%TWa7xx5vXH#g07i42OD%u>S`Ol(<(fsA|F;##@sY>aMhfoeHirf#e!?R zQjR=l#@B`Wx8s_Sykj#lm2vaF{bGMYDBb<*v7(u!%$rLYKn+q5pbCaTng-3gIvYDi zx>K)!>ftSj@Tjut^!-1R!MO*8SkU7=HkD67n1rWnqm}+jt=8(YLB>~1y`+MG$8tIbdU^?Q@i2x`&Iz>&Y}4qm^c@VqQ&0SIkKC zf0mq0=xfNtESq3tn3IcZd~94HLlJtF5fNcXjr`8m_PL;UQqzT=t^HPn)Om%fXzNcO zVKJL>4HL`kBx_Ss8u(FJWjf)5n4_By=av_>m6R0Uyheu}mQ-du2Qxs7BAhWh+svGv zHzkjYP@L*ZL*IFS=CGL_!Iu>yM$CU^k&d^|EA=;T-e|=-9`eRDad23ZG%BcQV?m9T z6IG*SCH8YRdK^q%_km`El4tQ=?@ zn3$T1m8KXSb)51mPmPgG-AB6`v6iCXt0+G_Lte;HoD$yp@uM0w5cyw=l>F5?JFkzf z`KmZgIEUGAJelJ_aARvve^(i9gs6T2&s|KvwNJ?p)wf7uQTOKD|!-`$NG2JIQ=)*N837vHIqWiev1Aq-bNFr zV!ZWF=jRBCAv{1Z0MRWS{CHp8`r(5c`mI7Xg)0;c-yqVw(alY>OfZC#KSOSju^~;! z+`%d%3Q(+cap9{hUo}ic@s>@yH!`X=KDJ``)2TABI4(fY;{v!+KVPMH|7iVHY_Og4 z?xp26iN!Vvlos%pMF9^_u%p7*4Mkj$rz>X4=CQ5a3OS0Cr~6tJ=S+UI*D4)t=X|Oi z;*y5$gH->-yk8zFx4Ga>K>KUj^o8%)phEtRmKfw=q;5htH^M{F)VB3M@)3dr(W_Hr zAP;0It?+UHoC#hBjbaJQJ&k{!*H6Tb?xUEj@BmwdiQLz<$jD|yn&i9q<0K_^`G?eZ zf2sH;ESNpF?pqUo$Rr+dHzLya+U)frqX!fZbQ|UREc-v8c9BOjx*;sbhZ!K91l{qL zN-Z{d+x?J93F}6ZR{DeV4`mcohac!?X1jZ{e&|M091SUB8Q}Y2OFy(xow)y?LRA)^ zbcNT}S6cL~Z`qXSJ{9b2ZX@(f;GiOZ(4TIBDUm*4=6dCGeLvl98!l`0Zd@sKi|%4` zCoIshJ~kC58*GaYN^~^lZw=~ILF?o)ZkXROW|qqCHwrL}Cb}UIzGi^wFWF#*^yugb zM^iJBBmqObifjjCTcY@FSJ5mqdK*IYdQ-jI;G4CgQ&I6bNOK|%K0V&&;O~wTVuURIrflpu&fi#Pjd*3h!BP z2`mrNT@Ng2wox?atLHS~5P20cUmE#QwlWsu^;hOhNxXfW`%^}AtjLcnl25jr)Uxm6 zHO3YYNs+Hj$NIPEg>@{^UZEmg`$%j3<5z7X-ChO3xi=o#^Gs`?V3Gw)y5%X-|8#~MD z9BEgM@ldi?XQ&R4VrHIkpbmA!iF2o+j{^|0lx|UjH<4nUo zX_-7$*K1Q9*iHClIzku_dq1FFlk>T zuA;=tPF_u}e1|{pCrIv;>THz@INQsTgJ=0LCf9;XfQmqFyz#ZJQJX`ji_ zM`Glf@!oTzJ~`?S7tk1Q9YKd=iO;#X*f3af)8cD*QQ6M)C@|wj`oLF$E&-&-*`o@D9@}mcTq6>P|=U&BxE0 zcTv5A;ygF*^hGtzw;SNPbt@@-tpn=dA?pL4pD!!bhnBI@Q#WgME%6HWTIEd1A#Q~Ij{zwzzvPX=C{qd?NH(nsT4W5 z(tEb-C4^MJ_gWWlZIldiC~=P1WEEUw``Ld8!DM57O3%PNU8V2j3N(e>_gee`DjF`i z)u^mhjsHMXOMU{5WI8dmPSE>J$Z?J^KqR)#pus!zosp3dPt5qG=-aB67TVyr-Q&m)z z2&05VWd$rvXb6PC0K|$wnQ{BhT}Vg#lN7J*l8B}QU}bWJw(lr*-h<}Wmc%K-u+f{+ zvV?y2o7lw=L!1`VbY^!gFBXXOx`Tu~CSTEB&0feftK(|-Ith97_Vm}1bL}S9_y<_% z7DTh;x#!G&hpXjqQa^SX-Q}ZZ($j;D2d?6f@-`3sVyAw5-nf1klkvdGSbrnvtCOIb zhjVXII#yI#Z`^H8qorW&QWmX~AE^r$w|`mtk&h%;zSYqrAYN zZlPW=TxC?f#mNJc3>4!*D z;?+mq3@a5r2wr;oVkDoJ#DGgDc4pI6{`nvlmaCH?hL7Z~r;$y2bVci{HQ zlVX|?m7)241T=Csw)P!eJvELzD+3knrLE*rN{qMG2+~J42g3&)uL?D3!W`{Wog6x( z6Zt6hTB#tFi;J#9t#7BW(KswSD=t66yS$-I%U8RB)*nGEM^RbPYDq-SzG9ftWQ;#npb#j(6+qsrrX;jo90fbdc$5BW+gDkTxZOzta zCLUZR3jTJ(-RC5NycSc*_swP&Z39f9%qr0B5Wp5k4 zhc?*7Y)u6ewc(JqWL-Y;^9w=qCaXgj!9H})Q??c3+F(B<<~85ZBO>C{WAyoSQ0S1D zospMELdxkng>@(X+q9$zTv4QFiQctcO4$=9o2QhGZPp1y?6-xGz5-|AdV(9k z!}zvF7nTrN2n$Ixl<$BgP;xo-mU=iu^g4+Yi-ja|>hH8*r3I7ljLF=0xjgHQEvoOD z%&V>4SrfY4bs-#AU59jZO^03OSP?DHef(o$V~vcBcV-8lu2yx-2bX0#aFjZpBsDeW zifSW!KPb8%+Oae-@zDNogw#<8QOY2&y;7=OhFo8~Zr}Pju6-42U{C>vY)U~f8UymU zyrprr&^0pR=!aIZ+LJ(a!YZg|*4%8WorB2FEJS9puV<#ek(8#XYxP|I>KNE6&Y~x@ zVd88AzpU^$HMkw-9rNAizqv@=2fN4C*|{92f05OotGyH!P?jioc$e3?yAn4AUqW+x z+tCB;3^n^R>V_?;ZMdWu-lL=0-wJdb?G}Pye5Yz4$b1e%XHeg4{m{B;JBswZ^e5+z zq=lg>T7Yz+lby=hMqsX0t{5&c6T{;~e)G-^xf!3}Cb6e==jUFLBloM|V-K7-9Iw89 zR931*hp=h%VUc-apE0ZMI~5X@`_q$hzEh}vYM^msCU|W0U^uVW!_-qkcYpsyTl}m_=d~bJE zb%6ag9z5%!TRSE?X6pjB`|VdY4@(bakFpNpdz2Dmw{-8B;bAYJT(tJc|0GRQr1C3- z)BT4$z1NjvmLi46rO%rcCmc)=mbnS3n#ODsw2Ep@!d7!*Ge@|)@?SS?6K}~8^XAHD z64X?dBj%8tgJxN9t$P<5Df~40OGO4KX28XVw7vML?H$9WO_4$TNOjre#c>BC>m_~b z8M`Yw*_JsqSJnDI^bU#+>AUFtXX%5czgFrdf2cbh$56yv-b+Bai+Q|_JG;)6Pxjio z?#i<%e{WuySyZ!%m`zV{ENa&JJKNf{#=52^EA`7%7u5h)rxM;#ncbD>4icW!f$FjqMbe1ozd!xCMe`c+ew$N%wU_$j6Jz$aXL!=C|`T-sDkZd-Q1%FOR+Qfs(Dr?LoYF( zp{{PhNmmFDzttO;d$&_$D-xueC8{#wdB0}m_E?Wa?+ugHO-@l=Y(@#ap&yQwo26{! zdL-{`xSSPc%xv(}5Sx_u>=b1ZxDmmm+}ZLOQPps}K5tKF2ceYP^T|@50zZ8^(9e5$ zes)q&Tv#zI+qUBqGBP?ma&>X&B;w{zR^~Z5Gz4HVj>oYfaW7@OVCR97sTzmyv=_o3 zP`sb%Y%MI5Uetu#S%uc-5&!1GcKg|xg5 zr@_WUH7h<=x68u7Fv(Ikqvv3Z2>$Wo{bqnI_{Nn-8{98Y`{`4T@D4R=^vZJz*&b#h zPOIg8G{e-Eb<+-T&T0}XcHAarV{RP!#m@lZ%sLZ%+y`g;P`;DRmD!>afpVF?816j+ z0%n!sw>?);A5paG<}Z;@&=a{m&jwnGP%u7Z&*oP&Io}cJ_XIVdhucJ@&y%dHOMYe- zubuV3m^KIt58tdjj+>g|2kvZSLhRK=r`zW=eKRvbj};B5U0M#sd)YcWfe(@TWubAg z4Tqc|8Xw9U&8kNr z!w?c2-1LekI-U4eF-^4_nPj-{>zR5w>mTik&U$$9J>LgR6(7b+rcNuv(nn1>9_A=z zUB^K=B2!lz6NDU($=G!+rq)#-j5`K{9en4?s+kvt54 z2aoF2MuwO}s*KJzrm~44aw~fe6qslT83^aEdudy-5@IuQn*Z`GD0uyp76*X^l?<08 zdK|j6?}buc!q1IolQQgo-d|bT9j}cee1s4AIyjimx@zahqts6vllgt{gYWxf2tTTW zCB}7J*$(2iocqb#k^umBXB(S2Z*pjFdl3ZkPcCum;;&XwA%m0@w+ojz^=K)oFS$71 zJ#exSI+}Z-b01B^fA+>d)rbE|#t7cIvTPGLv~273O5n3ahjL%GU7d}x=u@=bUs|$v zA;u37d89B9K6qa)Uhe0sk8K~G-dYk!NQTYH=NQQJZe zQ(e7ro?D@AB&4rfKa&wTQJ-AinnijB>=4tW7d8=_-6>g4JQn=IL2N2Q1o&c>u)5J|_fZJE`T))Zqc zX_U#Pj*!{a8cE$%!?JBaWGhF+@Gi6V%hY~sbd>OxAN}d<^fL637BE+~7|A!&JSiW; z0-i#}>|9Rv@|g^obr*YBJ`JI9@t51Zh{NqgH%h^qdHa`Vvkl+v%fH=!Ep?hjBJ}nO zoCYdctmCz?;uBmUXRm1t_SWs!C`5jZ+FS@^NLODB`Pq?Q7lcRhphRa~xb7L^*U)FH z+zbgen!s3*#9X*|&d4`jJF|mq5UBD_r`DL(oW!n711PqzKm3)~T;`h6dpM{IbZVB0clugTX+hvOpiH(amy&hAn zJsFA0fYCFQ%{zUgQ&R^+bz%@X@5Vy;emEeWf5b~(?&kcO?rTjIB0HOoHk=L|T+>ru zrVN|W$|j7AjqP1p3n3E@3|e_27Ehio(i9(~oo)7N2aJ}Mp3Dfs-|`Ba8&L#yW8Nh3 zWTK&8>7<5kZ16!)Y}`vtlHq2F!MNCmg0M9bP&B!*R3L=l<+dGQ*Hee+=-OcmMYv$( z0$WJgI4L-3Hk$XnAm9*P6tUFa0(V>5tL3voAMwEBw-Ik{ULQ2>iF;}e@2C8KsC&z> zD!Z<0_ynX&xCFS?ihogcH4<>JXA~f37brhe@N!zIl4?v)t*25y|Tq6(7hu1Tu zSv4doH5D08GwE$7x1mjZ>7iS#PcT_M;cd~l&u#WI?&%-EVJqhj6@0C2-tJe#-zF@YxcC&wPoL(Y%| za5aI%xPM?kaPvY$xTK1f^mcn}xXGD07W}dBY+VRh(X9!W<lWpo#gAHD{?1jlSq}jG{2>>YS&1G#zg1uLSWt zq1|m2grI(a2C$g4atxC!n=mXDT=<3>W}IczEf#)2vRIZ|c(#ug_96IHcaAzWTXK4-)O=<=xtN#__4*ec22+ex_(savnXfX|{!3l=CJJ z{J;b#P^^%X|GKO{0FSH5iODU`xAR2jW+3!nmS-;9^RDICBROsSE?LP^v7o-8YpMes zaC>e@{%!J)<6_?d^NiZe;gj>sR4+Z4-{C^uJWsDpsZEj2yZ&TMZK^s=^WGCbXmvVY zn9s9dC#LkbW3)WVP}cc)NU%FXfJFQS-N75pQ>N{`KcI2bZv=puuVIB|U@-dk)|XSN zG~W03E|*7OyntC8DY9wU%Lw-r}nvN;-?ZS5^c@x%#lAy0(*zfDNqgb`j&v8jNL%eQAKz=^F z&zpG1{mtH71q&cdCSI{Wnyk=qb@NMIOtEC2xA*q5U+C|@bIWS}k*P$fP}pDO0ZTpx zA8LX9x#qVh3I#{pF3jopIG)%-O9itmH7sevoTgRH-In@_WMdkO+hS*M@LkeA1O%5i z55=>_{O+Akj$%wr7h1c-tUu8~F3vGG&*9P0+cEeU-}Zvqo?#|CUG(a`_5HNyG?1zb z^S(q48i#*-ciG@OrK9kwl-QgAM5=Ll8Jg{%g-f{LoEjo*X-70?a5hS5yAu-=+n(2U z*vy7yq{9dLhIgOBsA)Q@TfR4YY_TkQGdULWM=j>Ui}eS}EH=FV0vS-5zXqx1Ey19{VkVSN==PpoAX z0h3?Xct0=izQ_kp&Ag(nZn2Y^1;MMJP%4R*S6E>qsR9+|GwGCy6I}ZKU=Yi^Bx#+o zn4G~e^1pYrmYG>&Lvy%bwG=YXX}S!wE&5Z#HCoV2^2Wm}O;na9tb>4m7I)M=YizGO zcUws+O!^bdu=!#dSrZ~ACRm?&JRXoE3-0v4j^V(CTteq$h)Ia4aus|)(A}1T?&OZS z$@ZWOOdj;k=e#M3b(HnMhVpubEQH?=`I?;w^&PBkQ zDC@JizJ>zenL-_Qb^&EGg-7oNeK1Rg4_rH;@&?ZdfJ$r}TtG{pz$x0{?)vWjTACYG zPBNSYo8|UqK~WBc{Eo*yRNo;trU-%3c| z()9x#kf5#gC*lPcHYfm(u2@|ie$;MzTJBnM1+$=*+vSDO8Ei;D1mw<^7+Vuyw_>$D z|6HwHS2DVQF|FgGPd(0=SfqM+?*z68wFhWjZ?iryz+FMhYb=z2EZ#4q2UTk8e$m4DeWR#tXUcFcUt}d z4+0DFEzwFk8cM2qx4%iO^Vzj-X8**mc+_MzS3Zs`@g(x_ruvN!(jkLIBk4B)h;^U~ z*|<15>$ce7ow5{gRr~S586-TznC6+wCvZCM_8QvS;(QKy(RROg58hYneWfcvd|9%M zycAm}Uj|Q}?tfjNpdkNjxDnSB*;yA!0gfu33!3%u+b-N$*X5Lscb8sP!UwEnb(kpa zMcibcjXMDj4olnnJ7>m6Hq~^nLtZnHy$sBukxFFU;_xj z=lGk&Q2NE<@!7=fabw|%9lWm=iLy$ZIuMY2e^mcIgsx>loo*=)*+Pxfc2sB0g_R-&D#f1Wo(nc*R&q@-Q*)m0c2DXn zv#}jLHTR;T)_T5^<`=)UPo8vs_|nJs^su#7)?qTcY4_xwbL;)pz+m`fFv42bd0tENqm9jBWz~4oGo`K2 zAh>1ro}&`9vHEmc*i)>4_~2s7_qJG-*m(F$G6Oq1sqi4Imy;`#ofpzBCZ->V0H3?D zCc3^En1C)LwnT=CdLqE@#&1J3wVA2^83eSxle75^A*TD4Z%3R}j@wn{S7tJ>|)=9qydYoefS_=vVyoi>8iO&Iw$WJ_f<1-}kcne$gM}W_>u>TBm**8!+ zD>#z${;Y_e9@2k(H1~<%W&_E=!gH`RlO#~CBna{$qq^Z9H}-hCxS6<6EYy7W_U^jF z==_CvOEOKO>^5q6*Lx+p&4i9;JZqXEAX_WvZtN(tu-R&-_9#wG4TL#X$T+e-_PSxX z9WRqt;SU}QlGP|(PK6wBJy)16)#(>&wl;z&`t9A26k9GkC;PP8%y0tN#K6q`B|*F@ zR9&hITQSSx*H4&4MT?SOC#H1hegKQ)^Pyoq6OPPB(apm{Of7pC3{iFsT3m zsP@IKA=kxhf*0Me>odIYT*H9~CBD z^zAFB(k`5HQ8s={8NC;nAuwxk*Qlx=rb?&FU{=2}M2 z=X1;uGzudlt9dyZ_sb)rOrvf&@-`5wktcncS?=>YEs`k}6ZdahYx?vWF1|#|(PQMd zb-eM{WWpRJQzNT~4gI#ouL|=`#+aw)-U}^s8Jd$19bDSWdQDavBgyNforS7}tFPgF z?{B(vBZ}TKn!5@Vovxe8Jiz)0>0PcB*)y`$m21>($AI8kVN~C9-II2)-f`{yh_2p~ zpnaJx*{o3htGr)hbB18$0vBa#b4=b$b~m@#)r--^YrhGjE(qpVk#l@)LS?=Y^C#a)eo#1zT9vJ3!O7FQ*G5g$WVEzm_AfJJr!lu zn8Y~85&9P8Ez>Q4#qo|hEr7sz4>GnC{*uJ^2rOd|T8bP@vRv0AARp@;cSwZPkRa0L zhI}a6slll*%iH0)Ti*gFkLT8qDc5>Ta5y2W-8!m}&7#xkU=TSu+%y8F*=SS-@Mj~= zo+(8Ly>8q2@wQGEEG2Aio3ysvi2~ein+AS1n~^sTQyvuo8x$FVnhUb4aXFl+0gab zmACI)=2f7yS#BPa=j|obzGSY=K2N+PiQlzWJWEPJrnQWj5}RYWIhxxEWI`}qpB%L< zx3oidd%-$*$>U9!KgLm2d9_ac4K#m%fJvV>JuPi~_N`9ES!$d61IW0GYi<@PQ7ZAU z#acA3MxD4)-lx%x47s-`%e&hTi{yMRw_UoEvsNpyu)%eMet4&z)g6)kaGFQ*olKz9 zVAOm_Z`QY8J(Fr@(Epz+r+s>qfMC(mbOuL|PKM80(-k1SIxDlh9d7N`9!?cVe| z*GDh{1u%->%usv~6$ZoN1HS9wuL}8i`-Qs$5Rkuf8kliP^yy(oru@uAr={2P1)2rI{eOtz2z@~C@E8lwi>r7i6Zr4 zKheCIyk*I`I%BReT<{DQpe^7sU2_Ee`fti(IjJF-uIS}VR=sC_~Kz~l`)@g}ny_YcBXO+hX{rQU;3Jzy{pJS3ym{P0Mj z?aJ%xBl|Gt&$qm&BS?UZ(2)>oyu*+tlQjm0vI;nfYnzp+$Lq?<%JRzE+_62i>FMpb zZFb(F`EKa~k8l2PKcikvs;~?V4`V8wc;azkdc4CVL*8O_fS7g?2oT?}dX1 zS5O3cSwZ3Q^K~m&9{GB5xu$Ks@_4f}v#f=IAZq6}?0)bp5uP(Y1jW!*sPb~yc>=*h zJZ4no{fw>7W1sgL zb2vGdrw{mrP=9&Zq<019v=QWa$iUW{EigrdG1#nEr0R*V@=o@76hx@q^*oxKx)rEA zp`Z!7ZO=Z9F_Ts5#cT3gnLFR@X4538-Z3sqe5XOQpJVkyaocAmS=Xsu;=5|m)KQPv zTV{GjCMGm8{HLB;3WaojL5GjKlY3Pp#QR_bD}>MsK3afX>yM&4?h|CEQ8#Gil2}DE zqE7DauaC1xItlSXq6R6Lp3|4LB*rH*Vsn70VadJ8(BK@ZL}co(EhkVy;G;9B@Bbt+ z$l|nqBP2^>y`H_7Au91zEW+RZxyH5?ioxl3xwlXxr1db)N)t0T`s(5AyoM}y@GTRQ z&UK&nfWE&sScZW4*;sgXuCP*6Rt6t%e@6*MTx4=?vAhZ0R+pz^h4b@DuHt8lJ$n1% zM~{~JoUMJRjKA%3ghkQW7@~cd-uY?LwNTc_x3`{iE4FuM$Dy0Nf6lJ%cPG$o?ak## zy!G>HDim+Fb|`EYFFHU>Ur^)ROIGO zPrdur!iik6p!v*7oBjOFt#*-M0=p?qOkeR^=KHgA%ur;x`KB_`={=XW2k`J#=5{>T z#>wdxlRKEg@xc*9(F^AsWkX0zb)nw#iZu zCN3_veIed$1??a2zZ(-U6iAfBSbp7-W-(C@q@Es03Pnn5ukMPzjyZdiiCR-a7NJ%T z|Dcqx{cFAD7_0Y{^0NFM;dAa+6PlfI@<+)y7oa}N@fE+r23PL#&zbzG0CEs1o`Z{Q z8p8p((hUV`irM`CRk6&OvJe7jRrrkX0jTcNcGqwGbsP@r>gNZdbrBM)$5y)3f9;j? zXMJd-DbaXNu;#_?YabV(#;&ms@$~;~0D&^UWar>?tAPz0;&nOh&2f&_=Cs*9^VF&l zFE~8=9@DYKk~r8MEU#o-kpT8fJFvS)wln)a@MM!HL3-`X!~Htl z-vbOwTr0!9vyx0Pu7pFevNXv_$s8yoywx^b9Bj~9lB|lbH9{hO^0JDIijatrg+@Uv z#>9m?=EX9lhBKjJe58({7tBo>+RMbq^)qm!M~R8aec4JMFv*`AA^)IAx~X@Fp_eYY z`{8ooe4S+Tke4m;?$`1A+tU7j{D->5wNj6dwQ`b|T$S6FeDTV8NEMAI1ZECBlLXoj zDE5ml>)rOZACeN2FPjlOaBF@)PNRKjtCk<(Ib)m98&M*VIog*}Vs4tI$oyjDbb`R$ zSm!vQpaO9n;u}Cm2y6_coglf`oRf4!(^$w_8l<=}{y z)FMA@h!n|i@O<#b@E8l@S-flOo@}mAoIU02nACybx$`DTX+Jt#huxRrf0+#N3=BhH}9Ss9x9{ZgmS04xVPPTa&WI~7IU-bi;%YyYVqe_f zm>g>f#4zU6nb-pi3#wcLux9jsU9MMDy*cY4#Vjl;@lL?4*0LQ*AK~*Q4B+!OJT8Q~ zsw)@?@Bo$smTt}jrDGPnWOg4*l-wJ2@+PiX8plA17#Db(yd}qqVqA@Vn|7_b&gK%C zGY3Jgm!q0gKfTEVr3)I%^2%zPaMo-03XWrhetj|T^O3EZa}`Q5Q|Q;un-NjZdlI%w zY-Dmx73cbjvgucLfjGVBnxuOKat4k*m3>ajn>)AulQFCnX`N>`Y(Ij!!=^)0?N~Kl z`+EqYw_SqCWV=noYzei;qt8K!tTL+f3mVPg~lYRD(Oh(u`LR;+y=FGd}2?quyCOi2FRosA<{YG;(FAL^KKmZm=y$Q4*cB!qIwbN1zrB8 ztxz!wKHzc76-HbK__J9-?hGoPE;f7Pdj~cPiG%i)^=Svuzq|yHx;A~)6Z^WVG0i3A z>Ld9~s?N(+R(wx3PHG>-`O)=2bKA2VXAh;9?SMpl0xk-Xq$-LfRD^df*LBoJ8DT=- z00l5ZGcy|q46!+|vUYN=gn1>v=z7~-TR?*MF+3D?cyD-N-)p z_~Ml5V2~d$Pg&K-LfGoq2{=L{JEmUTuj%t1R+@7mWerA98todo4PjTV}FfB_A>g2vgDTyf1Wq|Sth0i^L zAu4`)SJuoUTx?aVsNsc>fyO<e zt*aSOSTtG3OEot?he?cWWNl50&0%V4LcJpUdD04VGU^@?v%0#v ze`tt^lb?Z^mXC=uxXUOclGyfSH-BbNM&=un{jXKof_wFa<(K1v1$_@}=vQf)JPy=*ByjiqEMS_-UiN2`2=4vY#1gu|nkwodrPoKd zOdx6Z;%A=X-Y^prZz?C!^3VI*=0QDZn zDQbCS+!o~}CBBNFQAjzD4gr_DjCFEK@!*dil*Flm=1(H2^4`Z6bSOc@f>sxUbI#W% zbLa+yTz;RMLUusYP*Ww%w$;_X3A3lm9eXXg0|#Ln4D;b;_{`kgdTaFxk0lA=?2G)j zSI9^|$9D@X3v$hJj~esKIfyTBtKx}?zrZ1)qadO64h)@4S&=>)KF zaKHl@Vt{B#YD9^hV1(E27M%U$zpK!MCa@m;O4FVF3>-Tjzd;Eaf8@={ z$;s6IP3PC&79FyT_lGKz>ot!9rQO3dGV9%e{tR(8@z6RkMRJLJFvn zc8$}(0563sKR?~b+N}L2JQBC}yRg5?Lj}cv4H4TpTx~A>Pl?E>iDQerRHu?Mh*ZQ` zzNi>72=`PgpR`(@CI-0+uAa*yQb;bU@gPM3_ zP|nn*C7Yd|LU>pN9X%a*S24N6^`xGPMXDiRFw9v%?zWwwb zw_?9Wa{z=JHYcgC7i3&?)C>z9QA5gll(WV;y^ag9uIhTA6dVnsC*_$L?FU9e*ub z{AFT8#Myf~*(dZtBo*l#@ju~svZ*)HoXZBKMvYEL zTO0Coti_|-7M03IhjzA}r4Khz-nnfoA}vblO)5sy&yT$e5?qZLDiFS-8L-hP=p;2N zs#K&J+4%fbElaUT1)MZ;snS)fIe)Btt5g=e&^Zg(;}1TZ&w-Rb_QH8=?VY&2Byx}o&5dMR^__Sgl&C7|7b3Mvq7wpu&#ZhU+$X5CKkLg9)Ot-5vO{Bh~p$}Q+ZWvBOCRUkD5wO8Vso)L`_ zV@JX`G&E^^OXIJ60#cn`d>;KuXYOv>!xlE$k#L@RnkADWn<1O@tmh`};wSD?MlESv z?n3OkFltYOUkhTBmE1mozhA|(@0fPZs1t1PeAv}Qa$qS;-aLXO#V*<2X=j(<^e+uG z7cm~vu%^|<=PGP%zE7hI->2ah_~V1#kpY$NN?!pm&5wm&cv9TN(uhB!xov+MTcz}=Enl6`zOc*0? z9sY2$q4sp&eT%(eW0hhHF$Wt;h$;I*)eZ8sa_Whk3oBYFT?YA`t@DHp**L7Wx{TX+ zJYQ_*^k9KozeRD`*QWY(>8zqyR+_K{E|bp<(3t!RUdB@q8D%oyi=57nG>;1V-Y=gA zzl?uYac>hYU4E3Jb~2p4{9OEkUlZv!4hI6FW`Uu(s>|KjW$t|Kt~eLBrK!oA?})ej zU^OmNJVUEwza&E-i6n?{$s<_tEiQ?ivpvkM5f+Wf!CvxXd z3K3+1I%KdBkV;`tgtD%wp{Z1DOBhAP=#)1Q)*A7 z3h{qA4aFqlNZwsA+Su)4V-4f4Ey?8eHkfq*BtwO$Y%OIKzJ<5B5Q0mqI5~NL{-i=m zgE8i-B(>7+Yy+d*<<8S>MJ6|&$%PJaDh#00YMH(|Hb!HFdjaVs(*-# zF^`G}BuHcal2$J)K9>lkzJ$9%dPP53oC4wJ`a}A>Jv}}-tD#S8iBE^;R3h)4uB+>U z(x5ZWV1+wf$Ih`&@q4vqR|>`93(INJ%f)pgyDWRoPns)%it}jdd+m9Sv2Le5Kx)EGovsLrXM- zmC5k_pXU0J%5=DIH23DDkUKZfq1{M{?2L>wjRhDBNv|(DD_mSEov+K?&sBP}rGrQT zQUTxbQr+m#uFSi}&zmIR8wOT4kCMr~!B{IkJ^lmN^SgAG=mB@ z8uX>iB=Ey5x*>uL;P$*_OMQ7gjrw4AYU;S4cH15_Xa z0;ivqUJuAb8do;3BgoKLPVZGa6-YwtUH~*&wrywn-X4mJQrC8~=yze4XYPFi&k5 z%f-^4{FXIk9~SHvq71>~Rz?5p%`x8Kx5jYlwHr&s^aL~YA&3Ek)~K(j#5zif)iF#y z&(`ib(8@V*^lX~Blu<6C#GS`%o3Y(%y++tR>Z_QKG8;zZ%2WJoVf!?UpiPSITNNu) ztnb&KMq}PmT@_{*AOp>Jm}tcBSl0%nw7J|#)VZLt2mk`M)Z*J0Kx?9=vkzMJRdg)9 zsndFm4kbvr7OQz>XJH{zo1^%ah0VUOj4eR#jlFI|MI#E}K|^B$lWuP0WOdIu=>H|{ zy&cFeV?>XuEv3dLOx8LLAEX{aACjwa8*b&;x{Y(QbFvK6%iAE))R^a0NP0dlG3UXsCqjpk~lA{SyA!t8$n^>?V(H#xAm}SVYgvR$I={H~5hr zkM`-I`2t-k>B&Ez7CCI4j96oVU_Ai(Z%XM3=3E zAMf3ywd$ZvOgxDKA0+Z7S`svb03FrFi>cHdeO9q7M$v#;HLy z&aRqz3)m;W4BL~Gf@Is*tDBk(&b90=O)Q(>3d)$In*0>0I}r|%e#b0)08?}FgBH|4 z!;|f?@mG@vu0tXjf$;>VovcQ8;2UtPDo-=Fv9Yp+1K4RM`WCK_arf!z4+Z!`$=`C8 z9`lxnzs3sNKX_rb4Xexs{H)S2CTNw+nfQ7cLph>7%fo$pW4KLq@nv~EithWe;827J z@KQ~+{tn^g09;5AkJmlyd*2U15+8+(GPK{nOdLPWm834-ASO!G(1HOZ3`{I{MnCEn z%p4@`TZPsmhsqKQy2gbDaa8yzifcI=i?&4@vz%jjWzKSYspFb=r>u|=c(O2^t#%nN z9Hu-12D`JjL32{^@-}TgPKa3U7Iww&SZmfv65#-K17iG&FO!$O*H$?xL$;|iwXf)x zr~3xxms35gO?UR!r_?7uGFlaHpUKG%+5!O`Y_-*ncKM7aQQymJC#Q;Pm{3UBhsOi} z1tO6@CjZ!tWk`JcZ4{wf{Q`JvBJC=rXy^q2s8jgBQ^61K_d+xw%1O}ISfRix&{uM` zVxtDa0TpH*8CXk9aBFVKFMKO2N6z7%p;bT~)Az0?5;j0B>$||^$uCDNV(1Ssnmqj` z5q2F!AXN>={chz?;(4cBgj~(6JbDIg@2J#-s}~tm+S>Bv@>hODU~Xn3ut%0q!2ey4 zEPhxL>v}27dwC_FKeMMB`d+GKQ(wQdH!+)(Xpy<^i-G@13{4s~Sq%RcTT>0ZZ=X{Z zrKI8UxQ*(~Zmb;dp0`R1MXr$Q-wIo++G#?(vQEy2fBiz?*8|-f&pumwFr49{$bl0~y%nKY z6wSjfI2gDdcnm)nG=u`NSeHxvRC!e1uVMUz{6sZJaoH`QYk zamu~8j#Vrh-Ea6!kpx(N1iB+_!-`-U4}PHwaeux{aJTxOdQV=YkOS}S#%Jxet|=Ff z?RggqjwFohH)#0UIUlP}TAbWVB#l|wrA>P#69$_IKz|cDD1G{l)hCgx9|4QttYw8t zzgA{n8eZ-)s8B)aT7rg)=N#7x3h&Mp5PkErJkodvRyfSJc`W)fujMIbMRcC1Xqpq! z6F=%s^P=$t_9@btVsbw4M7_^D;uaSS>{FxLS{gYQf&HcyW{j0do2B(qiDG*V3BWj- z$9PW}E%~nj+3uPpXd$!nx^>1aSRRguaOwRn(a#ANR>pX}qN%_uJ>>*?FO5FXvxFQW zNN0a_UtROZz#8(b&Zq3HtDo(d_)7qwOEB^5O0fjIGNRPtr$_qNRO8>QeYaIdplN~r zl}l7rnFvz@mb1wCVu0u8|78G@#)Oi{{pJ{L8%`vk3bb4Mui4W7i~$bxzir9>ALb+f z-`^VTcnO*6M8$x9Zum4>C1=iJ@E;G9jG##^HkOM7OC*7fsn6t~vq?sta;cbnbGgYV z3)f4p+JXx&&|5_WQ;ls?rA7@&O`La-{Y%=Zm2lX{<@`n zl(H=$3P<}pXz-VRzNx(Dkn^!*2JU@8Kp=PtY_gaL1!`eaup+y^t%5}z8EWu>SEHJN zx51-TI*f#9N_hYJSmd!b?1y}Y0ECv7vab#OUR?}Ysae+`{ChHUANQFiE0&j&X% zc-3E=XqVmMq(}l;Q=j9g)uJ5n@xHv|9~x3Nl=rzh`7mYQxZriBk?$x}f~aYu;4hoQZsPUZ`}|$7AC{krw%)F^d|l2sKblRl#uiwcp@IU)VIe z-1A2ba*S-LNs*9Passk%T zl3V2b{F`jXANX!|-bZ1sJl3}=2rMw~v(&=0#k|Od&8MjfhQ=q&=)ehzR0RL!qdSKv zGGon)`!djjDUS&a6--4E&$vBam15Zm+yEu_N8+pgU)5#{3QN3s%A&j?j-m5+=aX&8}nU$PH>X;5v^H z>X0@MfF-~jrF`ieY#EJ_Q~2)ew3?-#ik4cb(+0cTvZxW_6BfJ_6UkyU=kVP_a_9*o z|H0_~F(cf4o%$}X<43&igV4w~|GBPok7Qb`8ef;{%F*v#kDczL^B2}jwBwefuNi!* zvtn?9M2ZRvzkX|e71QT+pq-Gc-Td-h1t@B~nxEoJ?|@g%9RhjN^|+oHMYbS1d3|>F z^f;3a)=;>q#SUB+(aFnb}t$;+cR(KH7Ezy*4M{r zUyaVrYCvN2nuwK^mC;ipdW3Vvs)ILL6lj6C-cxtn^dKK4fqgx^ ze5I?Y5;^rGtKqr|7v@Mpk$NVxesyg{YLkH?GdWv?cvWRB5jXdjfwfwFL5n{x>8(kq zaBvs|Mw4N_4@=;=IyxFwX{r!Mc<@nEPa3d1+@G8#(5v$c2#}?wfOOAAewW?y=H^Aw z5R5qd_%D&9Qd#52*35q&<`)oAYkAj)iywpnwBhE;)jHZLt&BN}7ON6SB})OatRD*6 zB41;JzHBj7<QCdh(ng**TbQ!W?`6oE#ii>%W!rV^@ERGObt@|K2!%goQmhCI!uq zI;2uV$j6nGJ$+iUvT#m0ujV;wv~tvnGA_}gfL~oxB^ep7Y59_+bEv`UN2{mu%m?Aj zv0dpXLp!R!)6yVd!|#%zeCnLWiJB_-7aYar}ML6!x5Trs82Jd0~o5e9`%I^i)*0X4t?5Cb@;BB{Vsi&BjARPu@+(X7F6&8mri?zm+U#ovea&8Q>#>^;}Z=_{yxbgHS3`scy^q_IAbQ z)K*~dmoxa!wZV899l?kfM+A7DYpbmSprgW73jFANjwyD?5RZ?+3RwS#c}34gMa2;z zpEr_J7a*KRA>_nO!`naC^~UIIvQ~FdQg+m0@^@e`0L1s4qasOuZOTLH7sA`#xw}U8aJ@ZP%j&`Q#YZ_iyE>WI)Y4&yk)BXiejyG^Wo!)AqiXy5 z`}0dm`bGvyN(+rxiL4^}m&f`B7a!VhtA;2QJvHYdI>p>E6=-6l4n<1TXgj+Q5H3xt z=HL)R-kO|EZYCe?Y;%Kpzgy?LH`r2|j?o`Ac6K)x@s|_WT^pe_Q=fdBaA zUp?EKC~W2!!LE2J*B_CJ0?-BiS2G;qL8@ z!J{r>)qrSEC1u7K+0*T08jdNy^mH_Uekm|~H~e{vTHyU1YvQ4m%jDEOrNE5IB5{;vHCGFK_Bs=7KI9*Uz3 zYDf=!K%CjT2x&N$m%l+6`D5>hRN7lSCt|r@8>qxVml`5}&xg;i$ybnoSd=+7J_N*f zcKPCY&slGEOD9@4=E`(v$n7_Lsw>NFQ`tDW()eTIQyv#@yUhz_yb>yFB91l-CL*7l z%Ueq^fN`ZC9qkez?`Ko^>gH>oDiqIL-VP41r)UdR)@n)t15c~pQ=q8m7VBIeP7he* zhxwUNA)Ga3vvP%s)c|f;DkyR#igUBG*xHt^^YsY{jyRM_#3Zb&;|mmlA$1DxKdz9q zJ&T9i+?`nuEC^az+O;|y4_;_G7ZpL+#+6`xR%E~c7>7%~O--F8Jq|7M&nf!Iys6(s zGF;lei)Us0p!2=Ig3_D#r2U#4tj?|`1ipo#E-fxSJUoIeXkcMKgN>fSws=;|BO0wW zU&Z)a1A03CYp%O1)V*^K^Rq$f#fS+3)GR`}bV|O?8S`D;7ONSnY!W$qo2k(T`0;#TvPIbB0fPpeP~(i0K6>flL}n|qGm%I&&cjB(%JD=8z_ zisiZ1EL?Unni~KbUd-A+B6zt?-i~4A%2`S|ZU$8u>l2>rAHx6*b911C_YvU*TcRwY zMBbKtD;X(2VHwP4wXD59tFbXfb_C!3$vrUY#DWO#_9pCm(0$a%=yRL@ugQW5MutJ= z4|*yq#ME2Aug-7_$_fyG*7pJbwa$E@@E-O1-Tc0J?SJcuuF`Ypin?DSoP%V2$|?N= zLh(-bker(?;(}>v#*^)n#>QV#6@wOVL;fSBWLPnIOnPTvJuFU=+FT*Mn1LBFp!a;I z`-7~H`H)tQG!dTXX%I3F%+JEgOigO1>x=9$%kAwr7n;ZR#0kwrB9x$q)u$F58hO2n zGe+PoJtL3rnOKM~(ZwC=&hWA?8c$;4F**4;J`)Y6tb)wOsmGDJq>L0ND{C6R>D})~ zZwRCxY|0_XV6)jfW?aK->m@C1BtohOS7NSQ1Y-cUixXpbvhH#Fr>W0G1(n1uTCiHy zR9!MECm%gMAAQ(wlfu}3@1w0mC2ehZz$|XshEts>-bncG3H6aygY z2WhjYmw@8h;_IUo?6vUhTrK@p%eeYz4c5i>Qa!rsO(OG9l56NzZOMe6==r07*Hhld z0tN(S$iW{MiFMQ)rvllc3G5TyB>@_R#HVx2WK{?r5KhWAJT>%qt?y^E5b)cGxEjGV zGC68-ISQOwyQ~G-AqUR&{5c{|hpzDfA;b~EbS#{oB$hL>q)L>oyedJnXP)MJkPTp5 zw~fY%M#3@N->pW8MXM9Wx{Iz6_cuI5@>Ra4LB~MfIJ@D1Lf^%Y-~@()9ed1e@$uHB z22;&n0GjLK7(v@zYzP7Lm(V8Zs*$NU>_EHv^YD2Z&!GFKQ+;oB(0dncJua?x7ombU zQ3O0tQ6bE)md{o4)hW@%V!j0PUa0icIVhp*&BhM5d*9Qbr~+2Q$Ze^xO0-J6+^nLe z`#-y|y;jScI`#0uWENtO{LjHIqi3XJA$?%Onq!^>`Q5WB_&aZ5okR2#RMsrfk8&&W z)%uGyQsBQY%c7X3#kl*3*1U<4qly{WTnFpgUw(T{P?f)*_bFNX{zOMz6PKzy6(%u7 zX}9L&nbp(saWO^>!JmDpk|e`k-My5`I2!+?oI+n-RbgAzr4cZ z$eCQp52;SK@5AEVG%hq%1&TMnDn$OCT^idGV1xFLW_o^)5drIEdUjSeH<)mwk=bG2 zxI1;X43-UFgCyF+L+!HI^L&>aJsAY-KoO`V2S2f`zGmq~>2EB;EfGH(;W7%6R4@oGkKv!TT2u*AjhtnSc;%Zi{;xvz7afr>Q0pOYcMC{|Adt~9I#9{ zFFMXJzQWURQU&gYOIDr2g$0G&?hlgBzh6(gT}{{i^U+B8?_^eS{V*4CqmiRDhQD-E zmSq1cE14!PUZuEV^Pr&^aW;-Y^-n2*v9PDzo@--Vt~hI=NZtfk5rN9*Ddk_YCFIMO zs98=yYQ(c<1V9njd=EG1m_N9Mx{a^4tu{?#w#`o-*=IIk;liNuH}lxd`Hh3;)SyC% z#ermPT}Tq-+S$?TPrei&L9qIY2rZXZ*@ZN?|F_tdK`zJI(*4II>hLoJaZj8Nx$Po> z7hb7K1s@?5uSXucxPkW?`t-$ZQ<$hdB!2_&0+l)oIN$$^RpTH0!u$k(7L``t-9>2+!F-^a4MmM)z3@*ns6BEr9O z)@widA4|#qNk;##i}?TVo$*okspNEf4D(54RWQu7aF$yzbEMke+8e}jDVjj|-{nWZ z1PGghCfJY&`J8dkIQ9DAz*Q?kylBd*+Nwsngwha$^6x_ebGJ_v(o(O^>(p=NuYGVz zkQJ=kW8itKDk0oNc+_xdWG_rugUn6D^4N}zaZsSb8LR=w0656_V)4uY3+;beh5Tct ze+pzjra+IUF>6cOXO`dRo!P~%?s*QsOJu;%e@`RiApzk{HMB8ff>!6_e%qm4K|=`t z?^Tc^VuxOYBXU>so2idQ{LY;gfo6W3U-bP46;abeSIz8PKU*{^p9L4pg$T(@R(%5o zgdftc{pCeSR3JmkeSOo*(LDq#b2i`x(S`h%TtW|?hD4ZRzI8#jOrbeo7chjh1eP8u zWQYHES(IBk5=RTH%*c7D>}zMw2R+#+FfLC@g9kAi2`)m}xH^3b0(S*S#J8NklWOt+ zbZU?@=p-PVo8`MeCs&D0kB>>rRVzsQLfDgq>@b^9?LUw;j?Z%&C7I1HrEH>0RN)Y$ z{YwCrl#_-OWbVd;z9I?+KFv3Mz1g%j?@43s+jXQKs3n#&mzD zu>kpZyJOoj)T*jgB2Ir8}G!dz~tYvnoSXnoe6c#o*Jdpw~ULb(- zl#DS8r2=YRh}PTU69!F$2>BT+_5doozliK;mM8x$roRe}P}*Ur)ME*>(ThNmP4TEUjuP^_dv1mw$RL*$548ef3 zw9n(i&Y-qr-b4laH43C;AZ615?8D2!dbYl&47QQy^?dY#1wb3+tD}XJ?FbTy$cKq> zN(^*#-++MIE{a@%cJlAJb1y5612Ux_W1TYsCfT2uvOb~d4Tis|4{bUQB|~k+wc&AfPf%K zgLHSdDAFa}ozmTG6cG?9=@#kkj!j5+mxOe8*Z#)q()+ppc%OH@-&)|(wYD>R&N<^3 zN6gg1wxePCLJ%53M#_`+`pR5IkY8~72+{cMr^W5@Ni+Np!<*n@N>nwsc?VCWT$x7z zB)$0#!657F?X|PA8nv7laczo}@J0$yx?9BmjQjWOB8?vovanB@;Zd&8Ds7E5z}+o+{qAec|rHPjPdO|1o(RdczOB3op;vQtE+u7vVh@AjFlQL zE<7bAE15yDdU9NnkFW@sR50nEe2$7Ludfem4lr?3mw2UHlpC-3)=13APk%lf_4HIB zosT6}#%_O_l`StlKhaaqc7HJI$M<%4P==|NOwjHwWVO3pGHi6$6-NAXc-;Z?|6E_* z${NiJ4gFlA8$Pk^;vo!%MGCv-MM~I-LXIa?sS1jj%Jz$OiD_vC>fiuYCpR|M)?%g) zL%r7f5VD>q+L})AvgKun1$QF-J7#C;U~NJsxc42x&1a}q@5OB#g7$WW`P#g4{PqM@F^wRUyoG!ztc7@3-x$Hd0L z`=>+FkFlaZqoPF+|1{9h;WWEpve4iKzKs)@Z#-AY9WE*@l$VtTUt8q{v*E~gcLZ^G zNVt=mBUo#}W&Je8h8Q^KiiZobT1A|9&K4IMot!EV;1TA$kVY+CK$!}Ps05}dgsi(5 zV>T@}3mBqMd@eW)Y=i$5FA>)v632sn+W0ltE}c*xrhf zc?2My@1`dvs;g?wjE#MLipLlg+-z?<_H)98dPmvSb#lEwN+uB0@rG+v(gk4|`Cv7v z^G#sbEAqfsMr;I5^-YDZQFnM>faNK6k(!2v9gq|J`DCoMwZ%5QOTQ7@m%rkL==A?m znF*PGeW|RXjB&8UiUW4qKQ;Z-1sy|8ZRC7nqEpWgk4?0+v|b}&<|tbo`MB6rx;uH% zYzF=XN``^u(dOt=2sd^&B~0x0rKf&P9edA=Zk9T(OrNBdfcRAGvvSP7V$YZ7NX=~k z6>#rs{=P6-FuHT)_^K@c2>}Rbd%QExO3zLTFfjIM4wPqf1Wl`|VdC@U6%;5Jj((M* zl4WEBfAFT~$7jm4Y*yX`lvUpcicytLHb zesYp61>}_$QX?Z(%rJ#$A`HLrnIMq;V;i&;;w44jHymhT{{*9>n1+I$A_LmWq(RXa z8w~ir$x&s@QnArfRK<;Y&o$h8Te>nJ5KDZ}2$3NJzP-%{A;Z9n=d~cxSw~YFTsvSv z1~qo96!tR8TE*6Na&pU(;?u+noQ-wUZv93tYi;x-u~J(7UHj&`T^;;6n1sI8+h6PZ zB<}m#^WTU-zQa_CCvS;?qM|GoH+ND(QcbbVyLSvYiwExGHKCunkiyg}edk$!)Df9- zB+6vub2BvI121#O-_C`J&yz+E5({}e1|}va&-bSl8Dgudg2TehFfcIE($cuOtJ4-2 z8DeE9;#^`+IO8-VXmT_S|1JZJ_vI);(E(rdi+YG!8H;KP*I9pow!Lj?!H zl5(svznzb`%Y+$HfQX23g+wNQojtGqliwCN4X6${Ya7Y<$!C}tIdAig%lW|5x^y}= zCMF><5uA^~64^4;V|o4Yz!SafyD#gw`}|v90{$Htug^;P6BcgIV^`GzI|ghS*S}h$ zPm1_NJD>%Pb9aIpC`f<|=6(kk211!gUx4(iMUfV-krXOS#%O5$I|Y52L6{&(?qi*`3lgRAiR$yvY$dv(bp8cjFsa2}F`=Z9Pvv&k z_tDken*^JE_rvdfjVL9-qS5B@HK3%X<+(D0RjhypgrGQbA=$2Nu`}`LP&}8^=ZlX{ zb#+hrKh;VQ^-&O0)e%On9jLs(A!1=67fEX~1VzhgPW|q^jFrb+1p+b}s>^m`{syYT z40`vv_xO?jRm{L(D~I<-t>^3MS+TLD|0h6W4YWGYr7RX(nw%)xxLqZ^!hg=}SzlGR z_09zcWMMRE#6kUj?adZ_sj6WeT6fIG?tSg2LYiI*MlJ8o7swpzgc8pdw>dTC0;c>^ zRpv4|6C(27s)XkKciDpV3KNNddqBGi2T-=t?>7GPa&CqnoueWB%LF8a`8;0ht|Y<> z|Mm|?x-S>RNY|$8p=Ax~z2RNX=yqgd=cdegv|h%K!*M<25b*04XhjC9E(wN#_U?+` zi2%?XjlE$MWXt;C_)1r44`v4c4dR}9VGDuXM4Tu&ivcU|WJbFu+?86Zlh9Wzj_aro zOnrMs6qwFWz>^JpZCdp=da=sA#ufH7)Uk0f%h!Ga_%DAlad2?bUh20h+Ot)0g|b=y z9b&fDQD+by?AZtei5Fgrh|We0rtdBjEGcnL&Gp80h83_vEq-4c3`*wx9;9D9WlQ*y z^GU+k{|Tbvpg4neqWHinnir#3qIl7?F~Q%gtrh6@HC&(W^W7I@Vu}vs-Jp4ttl7z} ziYJro{k7*cS#U;nHi7mLlW1&=Q(~Lp^2wDc$2GYiqcpW~weowd&wn-rf4K15SL*L( zv~b;t{&24)<|66>fsw#rgdtBPOluGeSNT#5Iqi zXRlL1r|)$qTTs}CBl9hPv-c5Z3QfGpYx40%QN!QfY+L+4j4G#mucq=L4?GOe0Il9{r{qngh3KESsSbi!DCyBCc1_2VD*W+~bO29=LIg z|Kyun)nt(y-rfT?&>su773sqiJo8SLJp!nK$7~_D9)sIUm(0&hA{0c;DhH6yywL!k zCUYIlGtaBTSDB8|R6E6bqJ~NLw=HeIv|S;s|2(U+<#}Ix5ITVa^Fi08C`?UDjnlJz z3$$?-{&b(l=S(j^lTlXp#iQ|jUJ-I*N0RohJ>7(unrl<_VC#jfO);{%T6h1ts|9OQ z&baUd6|T9tpB2G;p*1$?u=_Sqo$d>Vc4t(@)fbtMGiVKz{1s(GuL@!J@WAo33da7O z(Mzbv{KFh9@6!8WZ1Oa|q1(WhMeQ|`Yt3)hjK%1;3J7L!oW%es!(8a0;w9m_Z6 zga9Nz2WC4GpiI-;uLVv1%fg%Q?O%%Y1X3FyBfE|v1_=J~w;V4aa6agIw_nM0WH45I2~FEDJkO{8e*!x zh=NldrKd&Yw5S*h$9`#n}tf`_N4+^VDPZs0aSqF}WEHNeLo?&L}^Yy=8(Xe!4VT$KhULf+jR{-9wQ zV%<91si=_sU9%C6Rei^u-p$E_9h?Nh6O(BMJ&W&iJ6;ELM-YG}F50Tfqy)I$7c00d z@u$$zDRuQJpZaYJAo+9-x9Jv>=@t8<>!0x(iidbxikWYt$15J@oU<~@Q2_Pk z@*h)kC-a98$o*s>Xb;-I_+UEw)zde?XWH*V6wP^D&A!RhhHBY~9}2rtGs)aKErtB{ zRhNnN8tf)I_Yxj`zus6XViP4LqI(G?^($?RXewqM=$n3iez>cctNaMw&(SJSjs>#Y zd=4xhtnhhzi5rp~=4{06N?Sn=g}+a32M5&FaNXM8KCH72UphFmFtLCtvdxcb=h8g9 z8wS%v$VY}7)o02Mm!X>9|JkR!^jy_a!qnKXmdnZsRP}H%K{}Xo{S?Slc#CxAU0B7$ z!Mu-&98?B(zu4fl|BR;pOE1@3hUB6m^09F%lf3!AX&}+Km|6q?s#9=zN(}+pW zX?^MMXOD-IYJ(Mz9a2}XAf<3EpBa0B=CiQqX6d<(OLoX_Q}ae{Z_}p66WU@=7ZWx( z_(om*UQe%UN$x?qIPU6(#k7(c@E51R+=96^vk5bs1jVXB;qKM3#Gci0w@O04O>=U% z^Msr<3*{g`YKe1kW{j}j+z=oqKi1($6fvHO=T-5G>)*Y(Vln3U5>sFfe61Ycy82NH z_m3f`a@44!9MXLR8B|-yKB+o3P?aHC#>|%egW{rh#~i4M!P46`XFRA=D*gp6UdGI+ zp2BA4TaB3X@0qn`7$227{M*F6L0}~?Dv)};GaJ`L0^|N7^s-(T1DMg&LcH;|*StI! zA-@MD0RT@&0&iq3l z>hJwO&t0u%H`~}mxU52;Z9{083W@005h32iFib>kb z<%wu=-vh1StFwnzy6^@*jb+LZBVf9AowJ83~N zE{h(Q^Kp|E+NNAc2(9P0Y+A;H!d>Y%1_8mG9jE@J3a44pR z?)-}1+35lCDy?vEZ`o0n?5;@wrU7|GpT+Bbc7P4CVJeb-xsyzW8ykbrs*zqo`v1rE zJ$G0V?&XiVBhY6V^f@cn{U<0mr^qjoC{%lV748-A{E1gcRmFX-P+DYXLqlvyluk++S&^>{=DlLnR{r^%C~_7M3%&u>QgbX zr5~kljyxB@I@;5rTK{2XP?Zo?cn>M9Hk=Eh}+ zjSZ}?j_m|Zh#BKqNqMNQW_m+2UL%3!*Pc90;ONBVkv}=Yt!G^W00i|TfzIrh6s>Ro zv~45*Nz$BG;43S;cc7v$ooPi# z2uPLvG?hjJG779VVvc|4P{O72dHlYbhH-Q-UayrF!Y#7E%&h4;4!Ftp;P!FieGiEk z(hb&sI1&2OTxl+;U|8((`X*MoKjMP`#PsDf+*JL@61?FU-}d31M!`WXE)YC(WCQ%QnKP6Ua5z#e&D#wL z>2c*j)C3RvmIQVl1j}FBv$KWW5d04cE*a7%E=LtfZqg91~`kiAg?UDPB$DHksDT>EmPcr9bI>_FbsO6 z3oYm|F%Q%U4HbLTf4K^kl@jqyr3jM2@hAYNp#R5BkCL0V5L= zazzFjv_f7hKIRI3^9MU0!-Pd^GHHhpT4PW$DY`(Ry>b;iubb=!5hsApm%PE=|1cv} z^se&O0*!N=l6DA-@w6`GB6)2MmsHrXrKSbW4!JXXgwQ|(00LjZ0neke)$`GjI*MVT zUfeuO|0EG!hy{huz@SER{z*{-V=MXd_*2gd-EhzuY9@|6K$HeftN3}e6qU0xl;-Vw z8S3w2nlxRcgM)f*o^djT*FxS%9r(bW&1=#VOAu8LC|Oh4#A!_*W7t;ajkFmdV)Zzb zk&)XBAb~3H;i0FR#w4`eqc|Lo0BvoVdSXV(_n-;O>;^cT6r=k@hg~_kI=fQV%@i%)%LB{>uTjl0i2Ut)g|?P9PGyxjN_6YElgf!rpwsuJ=*3gaqkw>bCtj~p%isWtOk*%WW;+f% z0z^xD^7yi4&;kDIK*~=TO-{`0JnRI3jV)6u$$kha**@iXs&e6k+!Tq?i8TuE?hcVe z5GH8E?fIya-}8;|o$>-Pf2_>8gDbp$(a-jqo35+fUi$6XAL_H7fo=CUdm;`^ZHRl}J1=9K0QBpX8-!nQS z35$jJZRf#o;~ke1(l{NZbv)b|0Pg<%tFznZ+JL3az^aq&8IoRnZ6=|W(P;0{uO+Fh z$*{25&&Y(at7$>1`lS1Zm)}EA`HWBE8yDoRt0Btnch+D&4*&^X)`bw|6HJnkC#MHcozE9%WHB9&G`hiS$IJN zcC`N^OO;n6=$nX0Ahp>fw=3YVqdSqZ{Y*sX)?BxJ5Ip)b+h2vJ@ufRZ;sV(ASu$A_ z*Oj0G)>_Y&CPj6^43TrLqR-`Ed@*MF$hM2Kh1{A`eW<=~Ev=-osx~PY7(`z#_At_k zxa@&ELa;ooXy9|6T@N_ynYs`1N(2T;Wjk4-$H|ub&_CSiq3jC0#5_UvAFJp~O1jB$ z^VL^Kk09iGag=<1n9hf5Wo0DbK9x0gB4dmgX_q48ZDk1aXBF|<9SCFu*!=b$zn&H& z{wIq&V_U)Ise%+v_6_TK>`$HgxJ^uAZn?B*Gu!Eqb9yT_PB#k5a| )J)f3!*Fm? zffw5@1u0Fhffuop;(DH#fL+d=j|SDs#n-9<65CQ|CrmeIscKhV>s`CW)K~I)%JO>H zK;Fb)`SEVPYK=l6l`#c)0&GRAKr$n@sW{XMV{2_Esro`2PDoR`RII5Stjn-h{NcW3 zox%1N+%<8g=YS)3??64T!{*O)&sA}-l*$alXlNwDlAKiRz9#$B*Eer0Ca*1?;Wu_I z3Ni%eX}-+5Tr`S*RCBp-7%}Q9zu zZkfwCOL2W@p5h?9lsbYJO(zh?nw@_Xa#IkD#rRJ`(-`f~2>Wehd_>Ni zwod!Vlqku5ur>(7HM+Eyo^6lN6Uc+?V5I_ayAqS^uRPd^Hr<$edkub!N54c1TYg<} zjsQ}NM$t!HFSm@cvMlzN${&&54txW;s9B4V{J*!~NjfmUh|*0V_I~3l&>U;$%`z0; z-0bVsAr-XdIKxDk%ENY4X26DW>;b#ira;MqUOgL-Jf3NAR}hYA0s^RvW+OK zt7gUnVT=lvTPqbO#Sx}>psNCczwbORT%;5gwjm~1K)545RNj96#cf|D=yU5bTqXDPHc(A!W9;nsdUvWNK#IVBR6~@Fzj>dNcEH zJ!&Lc&VFQKisVzx*hMt${I3zv}iDFJCpay;y@39{DaskvP8*{{akMZbHq z-`WdrFUdp}=B7fj!~QL5{o|nPhssfZR||Ql%CEo2%AvsSM=T^3ubt%74pxATK7&>tYRy>Cs10BngziHN=0$;h&iX{_)TA{khHWs?Xm$ zlK=A@|EEuZc!a-w;m7}vpE?8bG!Y*Q?@L4w1O@v4dkgrzw*R>d;!FUjrNzm>Fwp(# z&$n-5ZFJ|q01Fs@zr*rVkUaAja`L}^yZ_rWtY-W+s>4>N{d<+OesNz_l;bNmP(G6S zL7i@`SRTE2FpL~)bZDp~o;8J&FzgA9b6-`==Zfzo;XLE&<&MwPWZsy0hD^Eu-xMdj zSLe)(jnuTHb*!HOGczYN3erspz96Bag8%1RlP(ahy5rigk#qBD?p=}Uf4)43=U_Ww zF}129WVMHm1Y3%^YpD1Z=f+1AHfm@{7DgC+Q_kPou_3b(Amj#l1`^}#tz{1Hzv&b! zCzTT56X%RuR&YcJHrBm~Ae|qdq>q*<)BpQw$y>=8Fy(S5LF=TbJUqZ3k+8a;xq6oO zMWjror`Ijl)U^L7-ktxs@BTqem3`q-!^=Izi0kxUqfv(3-Ldry<)iQd0)p>B zn!YNCT$~_O^Ok)UVKJ?#fo4c-B%qux&P4h&6gl`k17etro{k;?A^T^E+~nsnR0y8+ zv(=NhK7v6g(YcOwy8m_M-{agMC?KGnEQ@+NOI#8VjaIHi2f_%A6fb+mt?cdISryq^ z6~)W^aA&r+Qt!zY%lMT;O`5hyj8U6eeXYItD06gcZ6!SRZ+-jsG9(4jUYVTuq-i3i z99q^>*YLony%w>S4j~eTFp2C@&=?+RG*U`QOTE3ioSWJ4@(d*`IA_d~i6`h)#*?HE zIDcpJD}QH)pQX|&p!80@64%6Ju$Q-Vmbd-N_WJ7f`s=$?*P8@S0f$@e@{Qeov$2g& zH~!zAuB6AVzj@2<7}9Hn6p)cynAuoJ!uS^e@$@E}+%rht3kf4YCVL0nE3++_`!gvt z=IqP8V2#j5Dq)xeu=+J#9pU9$Batcif0w|P1+UitA23tv`wR%-`pSZNgoyd}x_-+= z;I}kG!tBg)O3UL6!5Jo+=OCA^R}$=s%YB-R$iqQRmFRG)qs2%LL`P|3H3E0mt$4$e zkL-sJV6oAjF{-C!v5bEfhh`wB&2UeV$d-i}sX{j5xKNvA6yK|){W{(~ov z8wsD^o$5t6nTW6#$89pYAh4`qZIB{teRHC*xQlyk#GPTGGgZFNP;I{5S8G1BHS9qpuE1?; z4HntN+E=;L79{g6wwJ$18Zj{|F#skVAzE(ww)yemLdi%-=GuIiV6`^M6xORP_7^1z zU}wmBhcKz-;a7LVO-^2LBrE73FfI@_Xj^)>LkTQ9%^bE|%k1Sj@Puk9>-(-<%{J}w zhPVp-)LZmBU++0GL=9Bdn=kY0PwU$eP`UZ{7#1xzw~<@Rh1^2HNa7H3r)Vs>9$Rhi zdxW>5!V+KUeG1c*>-tj9s?{v`RmxPWyJniVrs?5;3?1yOrwG(tFOQBV*BtVa$Qr<2 zy4tSxa`J;A3edXqE8#gqOhHmZ*Y2avTa5GyZE-;!pN(G|#(ttas{F)DwMI&7#v6CB z!_0ED2S0+ThglN^ttCDLHCjiMT`Dhz9r7Mhgd67tw9|b4eK35W6gDb2bN8@o;8R;% zQBY(5l4569G}V=z*>xwp86@d2o6UucZ-OwUWxR0{l5b|-_vSKUjblC6z;?p23T-3D?__hS>GYQYQSy9n)x zLd=}k?YT$=I^*_Tkgc~R~ovWk0%+2oJqXZYR__vI*lJY8Qnksm#w3{L#g03YI5Wc>LLt&3B&8+OM+AnGD zHm9LB&7viOlQJDUK%gxPA7TCYDqow8)(rLw)MWIUUEy~M9J`C>EzF(ySclIN1a2-1 z*82K8D|<7PTaPL=Qj7KK&rVBuF)JktcbQUnIXQPJMniYB#T-4~Fvs_I&51p3Gf7D( zYN~h+`1lAJcv_*vJMUsoOwHQ*5u9C~fByXV`V`vI*X%+96j&4CnGc+upU{y;%7sKY zySZpyB)cOvQvh{Zx-HJ*5S6dkElXA7XH(t$m0vH2g|LXXcxh<92D>B}gryq@zkMOq-iLTvty%gWT`axP(^G5pPho}n1g|Fm8MdcCK3x|x*#PYk|2 zrKK5VZT(dDdm7NuO_bJiyr$W!at0Lur|rxvbDd))7rPNW)-rw$aj<{5ZU%@Fi@SyQ zf8?yJkk&g}=gRt4#uU}_JTw$KUl;w@2h&yQ@h@VKicK58XgE`TDJADJvsi3U;(5)F znrM8JNMUxf27#S-{Qh-ijK`9#VAVaoJU_W`LGb_B>lj~xlORxne0BSj5q8T;mV~`I zJJ%Hvq1WKxrfMqnYw#p$Emv|TIWe};!*6coixw@Xv$*fQrsNjh%Fk@?bL=Z9o|Z~x@^u}rsna5B-t+PN|d z9w6SkVr5FiBO%y1+#TGUHwJmP%Z}&FVPs^{R$v=(lN zI4TM%{x31|e<I(YWeO2}%uxIi8{eg$27hb9U$_O-}nc zGT90VTr5mfBb~kMf|m?Guj^k+7wM|0KsFo47uMa$?%wV9Wt**Y6V>jM82P#F3o7J- z)^QAOOD~~xz6f7AweawU6?Ix%{G4UGCqGcs?c#N|<>Cho$^=I=`eovO>8ki#u(lmN zI1TkFJ{p@OI=p|!ovJ|gE+TF>VK{uqkb|NWc&Fo?Kj9zyZhJPXcY$k0o=bqv_q5bCr625WoJ2AgM4v=P+HOE8y9l zuz-xbWTV>;o&7mh?z4T@c{)Cn(m2EWf*m$-a_|^%K>`(=?1*u3Mscs`dR- zuZkm&8s~8f{IIUlDSOy7Y)Vj2Ks*rn8Q2q0x105J=pPD5)WQp)mWkbY=Qlbby_%~) zx->1Sq^oTulUpeJvZ%>yQ*6AwV5i~iO(B@wCCYVuW3|Gsc_yhQ@B2oLGy z{pJeJN-AZ7(cH|+!p&O9O;tud?k*_F5#b)(2c88IJ%-bT+MKDtp$x(6t6&doOUwb*#88zmj+ zOAVEfo=B`NzNXFn5#j3OGGom?p1Zz)l~Gc@-ui2NSDiIenci^Umt_>o$TdvIw(avBH@AkYedT_1chIH-neSZdlF4@=z*1{+U3;>t~Q@Uan_YpZ9(;LT>LH z6%;PC_&qnA?aKLW#`{S0gmZYsz&D1_&9UUUzYYdd6`zx^Hu?;?2qlQ0iftv1&Q3ZX z+^t8xfPokIWhAyirj=$a9r7$pVzm(ZfB-mX4h+Mt9mgg-PU#Qc_}+ud!h7>PK4>;` zU7%ah0$OI8=J8TlSDo9>M$Wh$u?X+u$g2C%*7jM9)u{#T;f(V~&6WM_5_Rj}j%Hld zRlK!sKbi79O!h-52w3?1if1Y&E}<^mdILDF>P1d*BZ5kBa-Te;g9FtNaPZTEu0%^nE{W zFCZY7$~DzLzCS-7?XO9SQO+hrHPSmOB0ym}RFuUmh?%q*rjXegL8PaueSN>N0I>1U zI1Tm>hlPjJF%;t$5Fc1AWki>j_=!=(uH(gh3`Atn;o6+ZXUdi_YYAWfyX(jnkKUbw zUhX$xu|&{^T)C2&CKIR?VZkhC?r<7E38;^N1Y8GZW9JV{eM(OC?i5OmdzRXjw6D1 zU<8=N&Mb1`R?Ad~R9tCw>qi(HCt%WdD!XxUj=3l7;&knNTBZ+TZ?v3cCEEtEjd#q9 zL##L+uQV5c@|TLRtCi+jeXa8q3YzG*>Tgd=VSY=zYyeqS}RqJzky~CauUgE?Z+G$62Ly zwy$;pIH=sht~+=9^snA7wPjkgEHzn=2&iMCf<>@35*`#;xQw8vuW99w?<R&FpYr zWc5Mm<2QlVqW$mZ=bW;YufORZKh7{<5?NAbid*4^10yTY)kqFWFGE$!Pdr;WAE!d5 z_&PAYL)fvNSY=7)BNBnIIWe#|--6hhJ#a_+_~TQ;I&Xd9k59cg2%db( zNZWA*u~R|o4)&npjDPf(zx0$>ph)0M040l3C6zwb@^_8xWf|^fH7Q%HubrqV9C*Sc zXGodqieo!3^T`>x@b_N-Da2fLKH|g2=?FqI?SF=YgKBlJHPs@-^PJjiN2!Mjl^}s@ zx#G;Y-Vrcy{tL^3W&x5h@i(CwR3ZvUz?k)}t+k+)X82aV1Uz=Si7BVcD-^B5?h@kv zd_I_;kE5&5H{}UXMjskDihefmP33(@YcK3?nZpkYF8o+*Cq9QB_?8n;v5OrpCpL^j z+Wj&Uzl`{AjVSFJ=>8re!;y#xNS1JxUp*CaHc_+D`dvc)HwpK+Kp@UI@LGwO(oc!P z5)Q~yWkUEC2pzRlB{+igDe zbv$}z_46Ah{?LcVUq2sB*?RacC#&p@zhPq1{4;)_ApB1}g5fEr49fUq!sk)=IK~}@ z*s}WWNf#@1DEzM676lAmW*q(Ed){v}UqiVnyBQ$DlE;sqnU4OtfAT00p4QIr%O7Ui zZ&j5`v9|Rj80SzoEj^!2Rc@_S@8E?x5PW`CW5l*85uQZEU+}G(zcHsEuX#`i>xn}v ztG#JoVgBcIiggVY+(2{};=&JqUJM9Qj2a&~9N61B+`4)=Q(dvI*G|>b@U1COri%v6 zo2F^_nS|)+Vmb_ec;0q--uij$8CFV}CiXlFl*okhzaStK=`gRv1zm*G(6M{3M&W0B zByuAC+u@pRj$Sd~xhUg*C+mhWM>bc^PFeog{x9U_@v_@OonKYa51){iGz(e|z7}og z*O?NmVPPPISE#2WH#BrUhzypUm1j5~M@HK5{_b?iAgXuGeM#TjK&M!<-fd#54gy=n zTv*V{34~qWHD*d)=(Qx6w9o{!X`c7(f@Z#BTU7<0PvnVO4h|1*w=shH*X`y#*M5}0 z*5UEJJ+0|f!c3jidLw;zY+9;D6(p{==rM8;eZNTUT>_vI;h;C17`*>Z3iOEBM>bCb zfd~Z{zUzV#(&c6XQHu>qn0ji0`?G>!n>mNA)&zemNYhjIlf!lHCnobM(vpHd(@f8x zXmNKY7k5(b5%XjVgo(yngk&$)t;SV8e0Vjs$z;gp_f>(+daC*SX9aE!gjCdRc`NGv zG8R6dO)9zh1s$E~JLAvSC;qL5q{DV2eTNSl?yIy4plNc~AQ2QD1r4?dh0I-$NB3SF zE;wE*hffChrnCzcyMHEc6vb540kDC{y=Og()@N#mJ0-M4uGlg?OMw3mBH0V??vbl} z7SYK(o1Bjir+)5#>(5(Ol73$(p8|l-K8b!h$6#tVri0Us@4E)U2#flm`=qp(q*T`= z1q-=g#VdM_1G1-<_V)HS7Iq5ic0={IGDfd_;KL*Y(^L6{>CZ{e#b~;}gbOHWp4!V`aY!jw?i`+x}OySck+9@V&S;e?Xe zn4*$%F|{vroEpHc0*aYMtt1LOw~V}$-*tV+Ru~%6EdljPc6atXcEe%?Qdy|EeI;a) z;%n{oY|q;e8f8D*0jjmKU#rSC$<~;tDuci)~Ka{PxEZ&D1!jc z=3U~wH^k@s++B)l%zfz&53uoUiY+uC!sV36R$bpT;P-Ke@c6dG5iQNBjApMZ>UXw$ zmX(-cgf*##`R6cLGr^$REho)Evz_CX<2h7Kaeu0|es1*J1V>LUmz92|eHl;d zfb&-fnYkN}6Tt#z%4ciU)vcEw8tp+}dv2bo%@k20;dft}n<>kM*yz@#4`qLT|?!^ zKI*7#fa;r|$k+d#*v1sfx-iIz*BjCXuPi0Ozk&$vI?^%0gF1f#XIt z12ZXAiex*VqDf8N*WvZm&{Hc1hY%!VQoM^9wQPFpAfKW1*sH+~N7vfcif75&RP{?b zq*WAl5w!CC!`-gN!$o|A-SdrcX8i{aX2(yjGU$4sr~v=wutFL~stifV>cI6LCzw7p z`t6T>S<@1=S!}+TtOXYd8-Kd6yOEpvM%%q0XnNspGk*n6+{9kvg~~0r!?_yI)mn`c zmZUgM;hERSZrzG$8+&`GfHUXw%ky)LBQpEM2O~t4Vl87KJJd^Py0C@TjY?y*4tR`^mfL1FfjI>sv=t zcUGW@zDM`~(tzaAPFeKuSE!5J!w?9~6TZ}=@ms`~Y6@E{es6B9rOD0Ne{d|+FNGz} zGYLjwH;>Y_80EnP%l-GNKm7=ujE5otUGL$KJV~|`zS*>m6a87pU~7m@&-UF>wfkdN zNBJkH!s`0pN4HD3x#9hvb$^n`mczt2cXxpIZ|b_amG`{)q6&QDOd!=40Y>H-9h^^( zE-`IvisGd~zhc*+rcRTUxgG1mTKjnb0Q)k<)$3!OdkccK*z_R$fBadazCFINs07EX zj7EITlzB-QdXP0`yfj>ET=(TAW$HDlXk@xtt~IT%^4I3U=1-9h9r>9x{%)-! zciavi-~b$S30J&X_K>}ni4jQHUOBM~wo(m7HJZ@of6cLg-jZVVT^E3jneNKebGy6( z+xU94Vr4wmEJTbPc%f0~ylZ{HsHH;+8JIyaxIbJ1e+_;>3N@Iv5AmpJ1`+)YpfGm8 zX6dG*ge3WL|N1RMRO>zq3OM1r!wH6e%?-#UHy(~8E=L~ya-WzT#UkJq@KP;GO%1p{ zSy@T;^=&?Ex{ZpC4g~|ITe3U9w(r>+qv#ZI3Lz@Ru>z;Xu7L_>r_g}u?nAVaxY3q`rW2A%QO=3&KgAd z>u#7cRn)qtK#%whpsi6c1?z3*X(Hxagz-$i$2J=%^|}w^)zP2Qyo2U@4u;_dNoO8n zW_%~gCG$-p;QNQ^_{=PqWH9a$1RjWcY2*wZZc^)Q4zUD}?mZOtw&;&E- z%H(OP!e#R1;)`f{*zLRVl4e?t=R%k35K(d`KGh*ilAq33%Lm}?|ynmX>%e$wNDHlzKqjFC&iA$y%Lx?c|61-gL-VO#*)Y!-DawVnZktR5gp? zJgC>MjP!!qznX)Z^qYvdhDlKRJNC*J!Y%LhQhG4|$*kL=kCSHp0mC54Bcdp76BE0H zX`38#M3J4aIBlJwv^*RLJKYP z@UX_NOxytrSF%+ z{G2uyA-eiS!1bOeWIS&&!oolveg|_?(|$l%6Ur; zl3EtvPxlf1%;kl$>rGI4*0;t+wB0N6ME#ei9>fh@Q(ID{ISiT+mRuonkCswaQkad5 z)&3Ssz_GYBn`WdSAZ2?cHoEKK>#NBN)ugp6Q-^f0+Ib<4)~?X(6qN3>{YNvwUzm^d z2})~eiaUEkj#(T@>Y=!&Xw#f8J?$BX$HnmWGeb{CC2lSC z_PC zYLX!0U|$~}>e+KyhP{~DiSa_1`a@a%2N&}J`LkUeo8M6Up|X@IDoVl=uL$h`_CKH> zU~?J2USzu%&vwr7NDE##;E3S5<;YTX0Oe0Y!rKl)n^C60;UT6wu(yI(UJ^_)pTHnVkg-8!W zgnjFHc$j#IfUAoO&_OrK0NF!`H2T_E|0(_xnsj@215Y;>CmvDjv{s40k=MTLkx~i@ zLzmvJUR8LlVip9yM)d4Y!>@oBUPx9|R7@XlJ&574 zH`dykDh{fvOYh%J&Q0rU*9&ml)--n%U%sQ2OBZq5yF!Lil1FPXU91W{ZAo1?iPv~* z#kHdTMZrW!4mAKV=u@X+(j8C_sthDVm$#lNf(m??ez)FucpBqhC$y{>)r$$LCckgS zF>6*#*f6@&;%Q|5+CG?aHHd9rJ>6v0y%S#->msq zr1H)?vN-kin|bWo5pA@$X43;qF3mR3P-F;k%_Gzf>j%29#fPy2M(I?d%ZW!;9SxTb zM52OaGQ4hYSad7)W-<_jg%@(e$&lGZ9Fj^(?4on1h-Vsa%Sk$4LST65_dz|U3G9v% z*lPyOC$02%;_dB}4ULVj+9|!f8syPPNK)_M;gbn>&e*IzXQ~v2^*a5NPl#xh9$cCUZ^aWeRzwY64ZkOzfrI0P#UkO-OsB# zYYj+O;W%aeMbe@1WW#jJ-JK|9Jt}%;cK-HO2Evb}_if}@QE%^keP^6TScO~PF3H0V zm^O>K>XTEAT)+CL@F1gM33DQ?;iQ71)LZ3a+pb~g=QY!%;e^6BHXGZH&uIIyD*8^w zti~;>YHQzge~FXM1~ur;j?dF$B3n1-xhEz~Q-#4Z49-whZZDzE@g+rUd@T6Lu|2NHgMR??%Xg2i>mt2A<|J?mh{t0cb!9w3e273QBDA1|!T6yCMT(PTmb zSb~yc1jfhv8;gHC1oyuZ8%`*96ll)K%8Lws{6jI#X|E?E^2mWDsDJag*~i!2cD`oq z8qe=%4Zq)5%uF3$CL9H2W;mHJ2er|=#r1ySg;cO#F%HHmMxd0Q*Ftd#WJA)OoH11D z{i_VBVL3EZjO~M+CI=B6x-ItgrH+2C+ju5)5Z6u0kUt+v;2-br&uwgEq!ldGpj$rOU&*C%adr6;5uuT< z3aSI_Y*~`2(qDvQ^3*;{Cq z%~quvlEOeoi|;j!cV?ZKo;7jsf$axl*?WZd7|ph{wfhMc9JX4I0t<{ zb$~+p47(!>3rjV(nuS6-5}OlW%2_=DxFqDB%QD2q#o~ZAZf!BoFs9AbZ)`xd(~Or6 zH*4kZAN&f#$Uu0(J*bRQ=IoGHT*9&Fmy%FxIJ*8bC31xA6rNY@|Ksc}qpEJdwb6wr zNFyz&bayUFItA%&>F!1p5E1F_?(QxDk(Tc6Zjkic_&j^>@!#(`W4z;hq<^e+$DCKq zjbrSUl^qT;<6MTYsrhNU-F5pGIa4UQ(q(hAcchZ($j*7?Xk@cYgX(Qm-as-o7Dk_m zBP6|{z#asxFqP>x8LxR52CR=)@AiGIt;Ojl;}FcMv$^Yt?U6~0*xfl;SeVdI(=u`& zN(Hl6PP5Agsv3UgZzG&UeS?T`A=%=rgKH%)Kq6JZ{o8M+{rVGVOKE*MdfSU%ok|7D zgKtBIh8R`L+F!4%xOjPTak<*+E#-c`aWrKeGZ_XdH;eo-Uhh-x5o0D!oB8c&7IKV& z{PObhWhf-PcRhQ3JUtveK{nQPhjjjMNmM(98mli|W;I<&mwLNGHmcpEYU@4ye3KW9#K9v1e#uI+--+1Uj#;K|u2*&&@7`wdE!?5H_t%&YG1 zfnlb5kl?zT>v3{80t%X7{f9C)eFy}HzivREop`p+bYQxEy8eXRx9_XN84|tlF*%w7 zjBlBog9VfZa_seqwo4>9;7jUb0(xfGHr$;olL!p-8ke72k{XMtYtoz^R_BZk?^>s=hp5HMG*vI3cB}|9%z9n=&|w9vKflK?@yZpf(dplxV-*YYkAIr4}##c zzlq8C^YbTt_}vN?#pFH@q}|YQ+UoKEwNAM;g$Tm@vKY)6+(W)$%af1%N$x2D520pk z1#3b}L&0Tz`J+!nepMBlg);m6;rqEIDpoNrIHDAqfc9{7fwZ=jCR>Zb!dzJy_L70M zlg)vY4=3NRK{eqU7w7t+O_F*$qCflakT`ea;NSrCC)>aFmY28J_m$PujBcXA;~wlc zLZLbf3si4YJIRa0x$)x#RpZO=2gT7sPOV(N_LlXGp=%$If>R0#fnNv5=Le5jy zw;Fd|K}#sD54DSOwzjv~eGKnD@;BAm+`vFWNqFevqLWu-FZeQ}*k4Bdc4WTT3F#5HZWn@?~AMoy{!O98{)Aawi097kf zvAS5^SgqCkD~zDXNYf{fl#W-M1{Jb>4nfyDQQY1?a^{oyn|#iXPZ7etJ@EzGU})&_ zV(Ej9ipI#og!@IG@mVrxbs4Y_CqJC2c3FpzsBd^zSYx%UGel{19M*>;BFOhJAZ$!0xez#UvyY-EW z_B&4QN*N@WR-L8b;uC{PAQikEKSBsdz=^)Nh>u0+)zr^VgW8YOgDz zGh!s`iQgv}eN9Eyr6HTG%aSctdHELa7*3rOdZr*hIrk!S3@pTFVLfEIjn5GfF3_H5 zzoQ2K?knc}I<+^C8PY_89_qHgz&2U#+t6Bxsjy!QBZ9i!bXD{!VP0Qe<`#ud96gaK zwXp%`^QNFb#P`FSH+{wIIKd1U2zhczHktxPCKl>$Zr(a6a(QnP5;j*hCPwGix7P`= ziA22K{)T_*;#|$k%|nqhu#Xv}nMklkC4YkSyle7HY9b`CLo)G?{B6mWhDXcETumfJ z6xJi9Y4UW<_tW@H;7EuB{lI5$&eyZ4K1F%znV3gi*^&^qp?>qTX>`L3_~4Ua$u^Ob zh(Jp5JGMTiMAssv=^&|yAh|lq$;v#XVM@`!8NPm_)o6!jacpk1Wr@3et4RU(_nGbK z;a^81LoYcCM7>zH_)fO*UUKZNb|>p*qyzkOb=x3Bvt*<&hqXYwXlDYFC;&FS(4Ol=H%o6jA%I&-Lx^Re|E7cqq^75hzL`*k$=QA%Sh*BR%dT(E^Zi@ zaABdHZ>0_&?rzsR#!<%6#Yi^@FHTW`Vrj#e;&sMKm%r&qmN@PLJ>l;5;d+!bkVRwB z)_|YhFNmtc8GU(%D;Vb}P}Ed}bcjzZ8%9K6dNbTJ<(gmo`LhIiimF9nkw_=mfFNzX zkF)UIdk7v0iC%n~E&Ke={NCEu((EX*zA{bp?bRXZ#%ZxmXJ;+Y(9j@Xz7jico=YXj z&W>mrkMVUKiOgPl?$ri!Om21+VqK2|V$&M5mE6UsC*LOC+Y$IBJE?ybNxGlZ5 zzM2&fq#+bzsB8c6W5-1ehcgEUV!-PB4BKLBEAr=(}mVQ{Hh^m_zt}bL-0a{X;+ZY+& z+BG#?CO^*0{Of3W+ssEX2}HM;`I`(6x|vVV*|yv!2}I;)Z|6?XF+-eOYNwRdf<#+t zCR7{}ii@+|(%ae!E9WOBP$1vQG8wghg2BIl#0|Gje9aw%hL5gL6u!t9pD62$w>hPBso0kc#8Y3zqz}FXHQU;1ju)G zxjQxh-sRJsZL=e6MAED*7|D#47jS;9#o1k-0it&Aoe3@`pWlajhoy2>QO{GqzNURz zlX^D=Tbs~5KymUFL1-3F@Fd2fDsj~SH;G|K%0;k{UAalF*)4tR!>6C*}HlDR#)dZzTU6vBwO9=s-b#;7-D z6B7%9q(H0H>H}lSCV&0=cM|9M*_o|{74Qjbvlwe;#?{ry6&W!nfb)W|G^E3f{h%VN z1qD*fh#dB%lHRnxv)W_1E>$xnnSri*Sg?GmSP2+3>>OMUk8nY>(CUgt*_ads25PVo z@fNro(F5Y30Y&&6d8yOPk;AomN{4k+)R9nry@jj(WmIRWmh;YKbIJE@y zi4zvsCtSCOH0ShD_yQ*nty&7ct&5B8>8~K@POcK-VT}`)L>a}P)w(MFzyZmc zu!TaH2caWVQ&USHZjT;(^!`9V>J0({GHPtUao5f$9hRN76*64QoeKeuX7WXBT$d1? zdanCbGhRrl?&AAbb=B-wK_1@T_kioL1k?vSU8DEVWsvBmA05nc>e4eOC_g=YW@Djr z)(CQA>%~`p5Izm2fbR}mQY1%)bCWq!COmq^lb%5+y2Ye=3&6YvgOwK{7Z0F#9qmY`#rdnzj0XcnoPeQeGf+a^|JC;y`x??@Tp>GR(R)@)xNM` zboeQNUq?r=AUmV=VYzj|6>a0#pi+I4$#r}W1)4H6E|X?yWSLNB5FLXhCMte)brmz; zjG*dMN0R(Ww@lD+SM)Mrz&CvPTR?E@&5xFe)lQPy##tL}gJZL)g{#V5a_!Q&7-;(Yot;*$c9H#khcrEv3Po!Attl-dX3UloaQ%)4!g4OIrg=a;C!Uow zTfU)TdlAX)mFOox#Kn>-oujG}9W0vJz*6DRP+b1%5Ajs^oU8N?1ExaN015Gtm*+xj zN{_iDP@bmn-uHeT?Q17*aerPT#Ys}Ek_Dn3yL*jk>CpD|VPND@$;nq%)d5~9G`{f9 z_(>MeR@J9ZetB~8iLB1FEVf|u<2o9MddP^lwe&yIBlCK|UpY$(@33V;TB+Q9PfOa! zGSb1hFxcTIb@hJfW@oMB4VqzRoA_^m&JB^Qu}-oq*iWAjOVN0iJhdz>-9*VxNGHmV zzq~A9gGtY6;Gw)!O$+re2r~K+0uRX%wz2Go4VJs;k1cx@A(@gwB>XXa&;ZG!F-1ok z%=>}ywYB|ocZyBU+K|^Y*E`caGJ*h6x4HyX`?iy2TK?4BR2-f;2Js7?yNdj1#MF|V z*ys4Wd-L=B!ouHa>G~xUvBpfZWfKzf$M$v$i!MB1LtN;5eQw4PNJy4`ZYvzWI+73K zOLE_R1mr&O%xGj7xP~awFfiaaU14G4v@c-FQ>#d?8l-lveC@u6h*L(r#37b@YS;+n z%`y_l3=1A+@a!0z7~B;udW4Teh`1r@CDEy=jJ&*_hSSf|Y`50-=0+Bw-=$faa%>P# zkf_98KZ6V0uGTCNwaQV9jBILZa`{v5eLML!2HQ9{&%-bgs>a1dN+6n+2=KCcepB+3 zv$d}(mLMTnh1U43GxiJm<+-`BZM4&|FUE?oGM_uvPE4|g`0USr)(#Sc67n&dH7Y?v z#4{AhS79J{{2s_bqE8@2A#F7c6r{9Yzc4hqyTuRhvU+_)t4Z#xP@u-PsKNKeGO|v@ zfB;0?w)KoSxEluz8K^@rytR@K52IV{PDV4oe@~gKJAANDGItpBQAkT`6NGR#)pJ9+ zQJu3lpYkubT%r;ar$XBGS;(?7i#OblrR>8z2b<=^WzI@mv14Mfa)t-^&Y+24GN2DC6>=x0U@EIN%=f1n7E73*LO%DeZo4|1td zW07Ob3=g+uwY+7F8hwc@&r~MVAppRq=w4kgdqFQ&N>oUh9gjO%;>;#cA*<&cF+fya z#Bp%&Eg`C@+>h@7M$&M!c{|Xh|0_W@S3FCB7Hjh;TBRWRf`cPeZb-2pdi(GN2FA@{ zAW6XIfV$dhGY)*jfUhMlI+Uh>?brXX!0gRr-UtlDPZ)v3gBZn?av`mg(A3sbg`5UI z9Og}ptOollc!(#IV_PHH*Jvct7}}znH+JdddbCs}!{Q`AG#R`3_4G7OwKa3XO!7Sj z%k#_Gn0~gg&F1P|>=N;!cRz#D-UK}PC`#&cU!s>L=n9gABd41SG6cBEoi-BHI4nS9 zzm1K>s0BM!7*Rr0{r2Khw~XHH#9Wh$6=pE}xrev86iZU~=;8u`3-$F>nF+o6{@R{| zDRZCnR~1@{3hlfJVu9*E0UJ!g9-c>g@VbZr7%z9bT(3qf6Bkx>``VWJ$0$FkBL%)0jRLfup3fSo)4Aqa- z6(Pt%dXrV7NCUB3|MdWXN{g7pUc=P>0W36RWDbLm?m6?$m`jt2>gva<{Y7A8NP?_D zxog3AIMg)n4)SdvIsp6(z8$5(aJ*dVJRsK z>8=s^6T7S5zk@q~7Rw>x9XB)3ajO!1(9)7I5PAR`GnzJFL_fcfmgIrH-c$_q0wF|P zKHa-Dak2`GK;-aDxer$6<$#NVSnpK!Nzt~|9gxm68 z4bGihd3kusG|y-Qqz?}FnFk})6;$yBc`~xI@!F_I$jCvrWLfm%M@XBUK>sPC*YIH3 zx{h2Ln=N=oEY^myvMWOyR7f(P2e;A6>d$;L+7MlB(-zNnapb%TaLGm2MmL# za&n?eEwz(45)u;q0%lxDHqCc^jX=d2ajr}FIjJcyI9Nt*l80{TyIL6(%Kh0t5CEcB zOU>rCTW_>6ZE)7Zh=VLZ=+-P4{+t&J=ABL;|1} zE&63M?i<7IJUNZiWsM4K!wUupac45uDxy@V#37ZIUg|Ex?OV@0hSIK z$MKh&4qR}7LIKIL+9a-?Zi@Tq@ASG~C}ACjyVZ?Cm~RA3WMW(F4y1K0W!U0dic~U` zksH_EGvis*n7o5GC_-ZBpE+d?6twG?232RUwXyJc+?6qZ$nu%xG|57ODAg)%g z_hLGU0G1?agt`?c%W(g+{hErjv3tT!N^y3b&;8S6$r&D`EzSW)oqu@=~uwDJ;0>;0P|5HOPqwin#7j;mwewY*TQi=JMBwq zKi!4y_pHvEDc5%$n|XQH6!z=p0w2Mb0%R#Z*Dg4Zq>sQ47O>cluJw#o=UC%oJd(6z&+q*+w z<-iM>D${k3-`51O)Mtq)U&^TjYo2D(Bxj1 zVo(an^*cD)vo&Y=P*$iw83n+m@d@R*Q@7gM=GHk(bo>z2!s*?J(DhZj;V8p;&SK)^ zkcu@*zW1JQ%tWU`ZUwcRHHmzOR{2y=96eA;7Vu~Xslw%o#x&N)PBVov-hm8@xzYLe z#0#&)?G2q^VNgLmch7oZ;nY@U=1$grKQ|(T#kvz|_o__oTleWed7W#$!_MkhyrUti z`%?(0gD@$(@&;t5_5g|3)-@%SED#yApzazRQL2f(hC1nH+d5RR0Pu9@9Ct3n(XdnW?s4 zpSbZ+MqP^@q;%*5Vs2ALoxV1t3v4m;TQYs5l#$VMEH?>bM;x=2-YDY3Nt98 znk;lK^S-|Rkh<6s7Z)2H7i(zb6KVMpykIvu8OO=Z6|X|H}mdFxs-qfmZ$Zqy^MUl9+WQAjwaX{s`)G~PqdIcR_MOqBr+ zo1DE^o_rS@(b~Padgd(Bbm;WtB1W3Ri??aFP1IIOcn8_KpBG$76L}pns3kn5lM!DfgEEgII*=+xvUT8 z*T*#kT75pH5(fy|`1quR2r+sM@f+7 z6ckTUO-hEcaag<9NyaOazQo(^DWU*t9o~)miSO4)QV2$nsK-Tf%G^deA%g5J-bX9L7=t7=FtnLVed>g;F7J=hIjLW3CUeI}}}imOZkzvp#f zk(yo1c8l&z23q_`C5zt-St@f!%pc4Nw%AN#_yVu?X(D-U zW)7@GH?u#wR8(6HXSkePoL{98%PeuUq+=EKAJ~uO{Ri2+w zVUS*CJ9|zJ1WKVLNp5@(&Cig!G3)`N0VW@ecV!p3$IZ@ZF7UT}ahC$aJCGoeIUk4%b?3umBydHiQMJcqzPQ*vle{`N`^wp{hud&C*RSK)Gb zX#(!Tj4=sfq{V87>ED-HjONlEYKw`K5>?SMDl&Xd$GgC!A4+n$vZ8{?Jtx&+?JO{q z{2nM#n%q{r)J(TBDP;EccAtK-ftQdNBer(0b%IMNuHVDMG$khp$z~w%0S9DqjKEgU zfmSvKf-W;SqWQ)0P34I@9&1_sXmtJ%zyuf4(m|FD53k#oUs0J(ee@X_>4euxOv=Zy z5Yw0er5B7Z$mn^Aj2NS-sW?9U&emB<|DB|mIl_qZs^QSJalalk%{f*)FOuecif)=S zWfaI5I?|*k{bR{Z(2~nN;a0bAT7}^^=)GYrhziHI$pNE4B93NL+qFq7a`Ph-M83ZiR ztpYDjK0FHQGe=&!$2q{HS7%dmvyYGU2X6PWHWOT{Q5aT;(jOk~f~hyy!SM8sh7A+x zEtsW$=@JsW?W4bR$;<7%;BVg+n^!y=v>BtMk_w8PeMj6jzn)b_k>^ zj|vNW0sZ_OU=#T&yQ7hYzj3GJl9J2gV>5G` zZ(oUP%sa0D08bf3%4rFQuT(=Z$$ES)CM9C1aL>5ZXP8XSB>Rr;jS!dlu??D z_D&A?*lbXffq1PYIxNr`wnQiK(s^H&Eqc`DRng#XTJD;u7fc?OYu z-`A%$sYs*j*YPGp(M)+aJ#c`x0^u*KlS^g2Y5>r;>(iWhEeTpIZYU2-_-F5sFHvt^ zG2bh_LjQfEfoAtK!2c;6eE&w*(KR_~xnY8q1QnH#Yn^$KZdF$a(I=#cP?}EQ@B#za z&Mz(&7~6F@1Fboz$gI#v6^=^S#Yk}i2UlkCI;h+Dzlcy{eY+s|u&3_f$-s4m_T0|i zk-uq!90I1`069kM!z6E)1Qu(+aNU|6PiI^?s2W%qM*8Qp@+Mf~2Tm(7P^W(AvnRqu zqQ9svKmMuPk&>&WrGx@`fD!upJ`%Me-rR~|6m(Utpr|y&29$BlW2@ois%SB=pR~76 zfc}8T5e#gyMGR0+ZSY80w73ORS*O26Cm;lk717Z#t-nW8xyUtIcd)M4K5XP#Y+fh| zpvOU5&Ut*(;6SbVoPURVo;NIxlarIRV0>bbfsfS!s4*;RW|>~u^^KcD(x>)@lc5pb zlx(laLF1iS_Hdi9fsvpL_yN_2nxf4e8H!c!CRf&k;**mTnyS&ugGC-$6XZIQ#c$$d zEc)c$;9B9Wy+C}XjDG-3TigS+tOY>9l0f{L2CGuH446K&LqjB~$ro2?VkBX{ff>Ti zo^Kh!t8#e^KG9(E?EA_ra!nI}q>y-KMD^gtj&b_u`?4{HbPyZ@1)r7Ym+% zqN$w{lh&FX_p{GO?p{8-#pm_*Ye1gFiHCv=r&OYvzy&wPLK}k^qbQ{eqx%{h$}p{z zIA9FM7%3m=*KR{tUw~g^MJcJdQUw}iy`vqs;DFFjQpT!V15A=e3Dem_N5{EF*EW4* zJ62{^Q>&AVw16ES;vXO}APGj119|Pq#hF?`G#Dh73vY#)qiE2-))DT#X^urJMoJ9v z9m(p6&&{iBRFQFXl-(}@J3tAu=NkbUq{IZt$f&2bmL1ktlKk`xjhy%=>=VBM%opcQ zb2GedZf+P%Ss~xP;?vrKnl@_yk&2IX*1|?BNsBZy^UKfRq`<(Yrk-@Cb7;zl{<0ki zRUR8NHZ?uk-Gqa9wWfrX*-CiQ%}=x#{!Ct~n!gck0s4WiJ?Bo_w!v|)Bh{UYo1xIq z`1lb~^w&@mCrg>JcXU)kk_FUE2Rl2Q*tu1~!G3;ZkmG}cG`-eOqLfQj{yc=G>hoy& z?^zSTJ0ME@FA6^LaVxfEd2@GiY~f&ie|3BNDTJQWb0g8&2|Bn-EHUb|BB%DnQ@KM& zh|w~}vgUZO-#uTIUp6Da|Fc5DxCs2^-1O|tv!|%eo0@}s!QDP*DOaHVa?=O0!H7Xa z*f)Sk9bO`VBm+i(h>(F!=hZe)D!roh-a%rTo#Xvy*Zs}q6qc`_oh{tb)6AH#cQ`1!TN>`E<`z*pNP;(u$O&`zcBo2C+9bm`c3F zibleJX0HXJ!M0x)S5=K}N#-aLXwA)^Y4~00Dr!fwI;v{V`;*jJ*A66UmM}8XYgc%b z2*1Wf2moTMPAlhwzKsNPM_tW}uc}!p)az8C#BjdABRZVOZwkcSfWuU#7w}kr1;N_X z)2rMMnAp=*DjKihnAnt$x2U<9Uhy+`+$`X*fJ;$OQLwQ+`7Kc&>B#VIA0-jxi)u&L1CGM9|SUAsGko1g8*T+~#MeG_py9DZid|Fb5YC!`1 zX2XE&NxO~+?C0KV{{E7RRspEVIXJnZrE)k_RJ;V19FA0#c z>pD?pWt0v@2Y!1NOh%d|`QE|NNW|0>9zw`d4~WJmG15|`QI3w4K`Yq*T&f2;StIJI zA6xt`dOV9_c$Kp_m`sc4;&*L+z5bOyZZ5?J^bjced~xm;hj#&5nu#T;4G{gBd+pw) zyV1f4jEeYfLlS;32!v6WJ57MeXuiv>Ky>t%zA-W==OtKi7{3y+g?6sQ#^EFlk3RbA z`LQ3p2q;U!`YRw;WVPLf+PIRg9kncN4So!bSCt z5}eOAZ4rT%7+MmFSHe7wff3a8z7j6y$EIC0;xm@6WgmsVxZ2%1k*jL%yN}4wk|D#_ zQh5`JOz$gZq`Sk-D<6R}_hH5x0KXw)g{XR$%|}jK#R_NOt-RJ!?fK~_;3bDgpDUi@ zxAY`|^l^A0;{D?TX~lMfG6A0OakcHW(mxM-adHqgC{_}d?pX6-zL>Jin61vZ> ziswB!XFW@qzrz`Eq{SkIm{e6K#?Du<NB_=-3qJRsiLC#VlL5YhZ1-QLp#My){fqs8AN>m#{eOPfKPb-s z&3CCP{0(Sj{xA6HT;|RHzkpVR3itn)SXRoxWRZ+_=Ws2uz=^n5QdYu>hYVpB@F|oe zFD@&13WoKh#z(r`_fgoleHmN{#b+D(@k6z2jDu@}Yg`o^rE zEt53?F6;ntQKZJE#9d4N7BB6EmPV+i_Z`^6Vrr(h%t`Q{1CX9BSj0H|IxRdM)inqM zjkvxfcc7(~)7q|G(9^&j_Qc|WwIN0ua0OmEIfHq0$yHP^`lr?FpBr~UR&7hio8tMI zMO7`Gj+%;~uP^sVur&3QW)>$`3DCzEC#AE-_?o?F`=$TKu=Kox$>PgbfOJ~0lPWMl zAPDRhDxQ{Awr^g=h@YKbnirS76i|PK84OrxhB!+OiyUFb?L*oYjpg;#$C4-N%ZS-4 zB^vTq&aSnlrm5k**${D%GCN@rqCdWOp;0D{3XIdgObpBUA(MS0;CI``flDpIg{8-yqYyjc6ZH4 ze9m_JSX*2Cf|G9F(Sh0UEpoQ~Yba5YGDff=;_{NxC}D(Rrp%ww3IH$3>j`h$2J!Ty zig*WsfK=S98Xju$@BLF{6|HcPCfomB-pBojcIQD)zo#C4{3zfm&jgAah($h6(um@c|*FZ0e5{hd_;l;kqzl zA|Ruk7#;mJGAT@NRageZQ1~G?sV`psyBk3GOBENqgsViLX4bBSZAvP1uA?_6uLu_6 z|H+2r&l?a`E2(H^YwmJ&jEsl^zo(RNN`v)PloSqq@i>JXw7qZIMEQIdxPB?Urr?J~g86r4 zg4~$s-Vt*U^4r~=B1>t>vD+j_s8H@J`l+un54`{d;!bs2wXBQ@D;(8^? z@wRcFJq_f6I#aKI^<72}&@NRifV3}+^$dLkME4VBIKnH`z=Nvlj1H0EEw2Fb|EvEd=}>kuvI9FT3hjS}PG zZ?2IjD=B=jh5G(iT<(8I zQ1eUib6;97J$*yUf2r_dJg@ccn|MD+6IR#x^3N{@zrDRK|G!t#|7B?R|6Kt1e*|s+ z1;zhs0sS@h{d>Y>NPPM#=8KMxfV0qUL|~>&79i?z>R7~uUjvO)7gDug{ucbtqyDYw zolbm2Km+>6fFucF}bB&G)AR$U0 z?$Qo6-MJeXg}ze{0kKZ(H9i;t(#Bw{7EaH{j`Hp&FX2Kgx{?Jyx_Jr2S)RFFZY(eV zZl42#UjbSc2vsBw>wUkP@Y`%J0C)>zNuxeoTJgy_K^I1PUqZ~BpzZS0bRo93@)_@l zt+aqqO8?%MMdTMPA&L(N6*(alh^_%4eU26_96rDHGS`)TYIv zE<2{9CTtj)_5qR_1R&!_A0k-+?)OMzCOaFd-&O2kJ>Hr2*1GN&7Xa6V(eE9_H8eCL zvA)?nxNIDIMV&GBpRR@rb$$rG} zgb(bNN&B$3u+)4#bc+;6zjk);S?c}#?;v0~lF1t@U&%0KYkz?kZ)LfM3Nbc@zkyFI zM;~E3MV8MU+jfil>?4O5;BbbvWc{$x)Cqq{8}l`%KMrlox?^fs@N7H?NSS-WfkEnl zN#Hh24rG4iu$UftnX0K-Vf)oLHs%bcT(M2|V~+9>H$xWYJsO+jiFuzu;4hCDX&7&I zW)A@IYGZBgQ|=^3B$(<-bG2omDR`j@lrV8j8#Z?jb0JF~09$A}n0j@lyGPvHpx+wI zVzg@bBh>wOQJ4Sk-^=0Q#g3*x+_SvC9?i}F63h`ijLcyIXh_O1G$|?SV0W|DZRbpu z5{Ur&lOCv=N=sP`R?cA3%i0PWZ@6P$dBpyD$*CFgU4Ps_Aw4ZlI;XGAWnyAtVQRPy zh)jUjjw0_VTp$p+0fa6o2_Gm=o$Z~y0l6U-5U@3ryn5m`7Nx|`-vZ^Gtr{}<+P(VM zKuWx|d z9++|Yyif5W03ERg00c*owe^BA0DuE~hC@3#a|~iZyCw3uAYhk#+i{B8D(QAdL0v(5^8dickh`2k4OrQK`IbJ{J`cM0H0> z=NMCT1Jr$lC5ufy<&~K2bPqY*JfO z1MvmAae&&@^65GnbrwYRfFU9Sb+il(m<*b=Uftcv`!5Ts5RppNR8-YBpJqsiJz}uR z65?Vg&KjxF%qpZfJzb$dO2q5(dwHA1K4N6Vn{)(BoP4iXFu_C#`9eg1i^&TbxOKfI z=ys7EIIT9WDrq`_@fe8D02pM2Y6{dv^2CCRV+%W*hcDPXWG`pfx)@if-UfvPv*EvD zW!?QfLI%-)syO;By8Nf4g6$EI`D{2e?9j3R?CJ8d_CJiA^=H@`3Yxk~8WdQFW=@TZ zppyLwStdZ&?_VRDZYrwC0Ldt{-Ob+u1blorOxh9wdD>f0u(;R?#8%SXDMvTJm(i<) zVP)kGD8U4(FrdQ?2u=fr7?84r3i#Pr~!3S^7GC9K_wxrB@$$L0Bk~&&-~`b{?7ZA+o|Os65XUTs(jz zA4=p8{5jws6y*$epD;!>H>c(I$*+NMbyegm5pQWjMuhBZ_-BDn;hr7MRvfIKWC5}p zgzp@fS+*s*O8px12Ik1bSz4u*>HpJT2q{lY$WVXVF*0I)*Yz6~#hg=%xp4@-vtE;hF9q(w|JAl@A%`Tk6^YW4?QjTSJ121vvBnvX^Oc5&gY zwdoUZ<)oni_Z1NY#1F0gkmsxZ00IHV#sFwB;36UFrB0taacSP*KfI-6Ha=%`p+Sh+ zV{r?jQBI=r_Geo!&U=l5q@Sf8 ze<_cWQfIK~k%CLWY;MkyxMmii1jmD`ixaZ51}YL7mC{e3A}7Jab2I3sg{IURufat~ zMo05G<}>A{FaNS%qe>O9w^}+Rf%W^e|J!9#FW`y~x7dftPlF5P(cy4>dATw>eRF*a z>suFA25eFXnf1R-bgZq7#bzS>;BUl8A8TiDMSJb>s7FbiX z8A{a=^l-cOmk>`lDs9sv$3l!W$p*m-&RHF92Ytp6U{QgCWd4GrSGD-XNA})*Pp;5c z0F?ThU!7}bWSN;Om#-25Mkh(`@YXq|>`}1+W{7Q@U7cQ@oLs>A{`zGnL6x_;nY*n3 zq|QC6YAP1&yFeVz9gD)>0E5cwDY%MOP>mFf#viN~#f{SAtp(LcxHlcCeqLiPUrL8Ue zZ}v$%jv8>?I3sKCu@c(qYLC}d`IIjrTssqOHkanOAhY%kQ0t_19 zVwL@ak{CO{ssX6ovx@^FLdYvt+MDs9wbhRwffES~lYB7;2N$3m9qUwGCq=Ou%(LYu zA{?{<;8T?tY}ST-!$Wu4fYtSVS{yJ6%_B&Ceu;^6@*gG^69LSc!De(t)3JB3FDNNc zq{gBUN&M9>R-7EpIF~7N?=H{>7P@wDD*#&kSorac*U0V<9UwITn~kg`d=| z_|w?a#fIvTtfRQCms!j}g9&6Oj5=0Ttvk3sToh>&F#2^n**Rsh;enJkni$}}%(Qfm z3yP3f{rE6{HUktve?4-nkGUQ|O%CV)U_S@HVuV#b70|3lhx^UpDcC%;;#n#(#)=`T zV^dU$bSfqy5`KG@mb(@fScu&XRi@3}-XN}bVxT?TPrf7@2w6ubXGf=~FwW1}IXLa= z=QE@U4rTXv-NIBcVS=SD%$&p*bF?$R+}w($f?%>Yc_W}S9vz*}A6wc{$Hl|aR#TdL zr$!go4^oYQ4Ic789P~;18<)wMpL18Meu+i8c~R2Y_#wH#+6Szi=C(Rs$vQgyGSU;$ zDh3bEoJmWE}kw&Ro#ir+(0vW#kBuZbUIk2CBird&>Cgg69o-(-GM5$mr zD-dl`S#77f@oOckE81`dKKTl`E&y_m81Q{J0plgMHMHtGS=LDs7QZjp`t-oubpPje zx^s?q&ua5soN*QmAyN# zKM}(H3<&7{kHbg+g5A=cF`8FYnvpj!ud%rt60Z*N4qp1mXA zXP}`4Xg-%MR=wu8rQ*V3kZFgG=mGqzU&=Ox+%7MXDV2&Qe&sts^s9K_{B&~~ok2tW zW8GoeB+eKfO@0_?{P}rZtrmWZl)ZDioi@j1N?vMnothb=va~1!N=B*o4jSeK9qD2C z*p77QWLPfMbzpSVlQ*uWJtJiBbv85U6Xq4&q;9N%`O~u=^EaV!)kY^7rf315&Zzj! z;*GwZ3U`;xl&8wSOZ;#?qcGGheUlQ(3Q6%^cdeU-o*+jFv;R?Nyxx}3wZ}YoeRaAI zYHlz(r2#DLxTeDpF55qoZ*hX*2h<#$oGwo;yzfg~ZH6gDUPCF*FBUvbUj&JE?OXnD z+nf?DHs~%sc62!KydWn9d?}=T#cqI#fGp||F+ht_CXa1kDsKc&n}EPi$o3{fml}QE z#~^SlKYoP8$OeTrS24fK_UHFh;;~JBetx+jIgnW5CoMwW=M1H2@aC5!APh)jj2&aoX}@}myd;Cku}Ey0}*l!%d5kMfLqi`yl=q2YiA-R z2G^l-P>DE~x_D9s-dCBF(nkCOnxag)QqB$HKUzNV!mDd3dGF0=jazD}D=P9is(OGc z6%@hUT(&4G?`W|q=ZwMlkc3U{^&~UGl$5u|X6$%3V&1^bAf5A_l`U32qci&z`lamK zWS|=ciD^0u^8vyc6Qj9`N6F2xp4EvzUjZkv=p5UHj>A88#%zobaii;5+>hx=zX6%9 zs-lYCCa&Ac-~5;t0p)oShu^cE*Z=!l%?jgCS{faa$S1Hc&LW6Le6= z^}n4V*yDP*oEdlJ^=z>Uz1Y{N9X8P1KR$5OPZwmm`u?4wf81hX@H+t)(rF-%VvxG< zQx8yTsMDKN&15d>{)ZQFy;H9PEQ7#41jzL4X*_-Gbtks)RZ(STabcyQ$?QJR?&S!x ztQ%|4zHY_6xw*wcYycBIA55yIK_C+klm~%vv5~wF)YSW>lclOffr5`0aMF*N7q~7s z!3QflDJjm3F0zC%;?DN=2m5ARZONz)82i|Xr3CbxroZy;>&l$HTUtH}3B@Ln%+>{V z=r@-ePJA0rc)a+x_sF7XKu|%DIx@tIm;`bo>bTm{AkhwCH^@EfvBR%0v{CJ{Eckk}wI}Qg_pZdxR5Zg24m~6%3Eog= zJg126<4g?n^RY>`AcqNExjG%-5R0q}Lpw>Tl`gmg%=-KGmzP&xaW#-10A^b6XD{$G6FT*)Ybcns`ghcy^|u*Ug0ilwY}>UZ zG*mnfY>}$c9SP6B;)PgqzN#6_75}HVW{xXTnYZye3nCA3^5PaY`It3Sc#eN%$N?Nzo6?MZEZ?CkJTZj$E={wY`Pq(d4cHf z_w^@V5q(v{G4-RgA?m-x6s$}!l0hC7R;8-{+j#h>uvf3M4C&BM^l9TTHqYlY0kNCE z%$!Kmx<;hPBee>4j#BvhL5V7wHUgMc_6+@T%iqmfL7-^7pW-pcTj(T(II3gKIwJq-GVb%f!5UJ5(LrZG2TAau8 zM>2I+(%nv$G5fgJ{;w~@ug4liRN z`MUoUF5rb4n0FU)fHXnc|EI0<4u@-P+x{SlC?O(2lp%=Tf(X$fi0C1D7rpmh6TK4| z-4MM5(K|^*4-?Vr=)HFa^WDkb`~9BxefAvwVAh&h>$qoGbKUoKp1%`Tk=GD@`nVA| z&QyMsj2bIs#O)V64d3`9gaCHC`3$hCFx`-AWpgVglwQxDlmz++tbmjY0htI{`UapC ztS$}>PfH7t0*DLU`1H4S*$7-bV0>yob=o`^BZU04;KhZ}5)neatPU8xtVNP+F0XIT z%}F=)@(8gsiI7%wtBtRW$j&B)d>-3`S&eA= z4C+}(E1ge8hF2&L_OT|*J%Y`Fg(U6NRE%eZv6B<~Z1A_*&)dF*#c={_`_mFN7NWM> zc61C3=48^igYo}iE6jTqV`4#wu%z|&@;cx^3JdGHx*ki^T8be1J4b85Wl(TUTPqc` z%R*}zf%c5pj>pEvHae{N2+P`fa}4F_h7;478u#=7*sCV_?7&P8^60Fzpmwx-Jh`nJ z!#}hUyQ-~Z?M6xMqh43pG=fKuvcvN3Q1LWWo8;JKR$6DMX@B~oZMg=hvqZPacvVpN z_yn3Y-q*t<);B?g5*TnEsbQn#=4M{;j~USk)!=|AdEuK!b7%m{A6{}7dyTPx$9%>5 zawUCzMs|KqQBaPkoSGJOryBGd#rD`|T^9E;^8@SCrxS{l0&={w3sN!0Y&v%ZO({d#*g4txjv7KH zeM~^<&29IUwpy!i&ao0H?W2{pV6-1N*mX6^0rGUznI^ zUgTV(fS1I_zjjj}?Ou=?wsdhYoC_bex`$i;l8Lfz`cYj=3&(>;VK4H_lQ!p5pM=&H z{2!r*!D6SmCg=AHx&VNIqr*NybZcZPGlS~XR-tD2E&e@|+`V{W8JX}og~SCBL9Y;4 z*(YF@n$}JKj^YmdPkUwI-pC}=#Do?u9-f}JN3~2YSfIi_-oDR*04u00EKLs*34OoR zq&$~*QI*>q3tW@-hUym&!}&dPTJ?=JC)yIkwjH{g->`p*4GCgSx1|Sl!_mdyEqN%_I+ux!1)wZ zs->0E5lzwh=1A)f8O8dBjeAW%4f%S>Fetljd%A;ZQw+6ed0vHMVB(TkdJbD_QmI~j z8lTzB#3*veq8d{Sk*OC>CqNpE)&nh$Imi0%@qSiLJQ01i$;5z0s#BSlChCofCQV=L7C($dDZU&!N|Q2f)9t2G?#;F;yfx=agY;J=bM? zV8ElhV(EJo9k>+6UJV#|zC0vIb=If&q~~K*wQ_aI8mu^u*WnTShMGo^sw34VR#e5z z8i1GD9LS&8re_=7o-%^i>-t`K*6XPp6#i=oB?mtVI; zyH|e<6eYG+pzK?mUsN>|gdKl%oylkYUef%5Q_)cot#Fu;opxX%*LyT~Je8&VaBT{Y zNVmJ8Kt3~~6}zpJ&V2K7NIy{x!F|BVFxdS(_Z7CT z+4hDG87Pa5p5-br8{;~xL93?B0}Wf=u4(%l$^1X4svyx#_n}mnCDr zS8_tD;~%QXN+TeDrGd){Q_fjXXU*fihO#waK%hAq`bm-OShvO-F7g-{(OYl;Gq!ie zmr=M%E!(-vR@G^=W0D{tJ>wJh`1E5C0UsOI9&&5twteMb`>6#|CSKCRicr6GV~HTQ zZzzZu_O^7wz-_C^q3FHo#LMIT9{_OJhAfTR<&Xh4riRx87A~Ta&H-HqnV`E56kElF zfrL*7GXL@tejc|56aj5*J>-@J4RBiy^A5`lXOcAxn0tR-?RdGqw0%inu~~ zT6!I#P}Yb9M}L`nM;nTm>`ZJo1?p@-;2KQ5?mXc|&#yv3!P3@&?b%fOrw;fvaqmlo z4+xvajt(XVX30zSpGMb$!)+sXb=;q4QG9Rj;cgIPqrPJ8 z*oR|4j2*`_SA*l@E6XzcEToAv4h;d(@ST}KC@!&kX-;T}^jFy3aT_+(w`5i~Z_V#y z@SFbVrPI%NVbsyy{G8!61%=b+Lto3j=j-46Cbc>I+)6K|>ua~$z`e6a{nQCvExN3Hn9Qxw$2JUJ^j>0$h0!%NZyS+#POTu>McDU^ zH*l@VG4u(!WZ8w1nh_jE9C}g-6}CP(J~<*1H?0|w<#^38!2EUYL^AgkzfKK^P!`(RcTdB< zIvt-x5kB7OutS=@vU^h6LDCk3T{Uvve|>Tib#nB0)*|L_B?|~iLM>6rQ^CH?*5jYZ ze)8fP7EXHl(}qbn-aO?$QNl)A7#7m zt8dgP;eFhV!h@q+Vs=ZFdbVx*TRm+wH3~B1is~Gjjob3D8XEK0Js^BK$K_c1RQ%rC zsYhP$0f?0U@KO!mv)pfRI<25zHzAfs_RRm^g$l$kgf!fH(1BaTEvy2xaSr+z(Xlj0 zo^kbkyq?*9! zr-3oo>cxZ zfBE@eV+7QWLQPiKFy4-r84-Y*>wCAb#HPEy-l`~iJtYtPbiVc`tSQTUM(yP_BjtCR z)l>n6GzshGD^i^7Vh}(86~BvTN@FVo-#(VzOXw=cDU0>wwglE|PMG>_#;gtOFj^#KRgh)yvJwhhA z$zE)qwd^Vma4jz9?DTybS&g<2lL}&O#dZi&kM*1Na3P=yg2C{>>6o?6sf_aZ9xs8w zPPpL+w*QCwdk3bB=O|B-#9?E2{Rgl5pWgbASp$S0DvI=t(KlW#8$%_K^JA@EG$h`X zBW}w}j)m0}2I)k%TrO_L=ev6$t}btI^!1 z)W+jl!gD=0jE zc!`gXzWT;7bimn}!b~AwA^90Q(}*@Z>Z9_r6MD7SWTCd#DNdh64i5mkoboo|s!Ic- zXt4@;RGVo;`)Rc6?|(gE7<912&zYOf9CP{*v0He!Tj=IXKmdOhqhKne(SvaX$BBOv zhEAi}!tn20IQOi_f+WlBA330>L#*~o@A_P7dT90rj_ zZAoLhCo}i=9|MxlJ8`MX885H)#EeVi)OZ*rU#~&ku*=c{;Ru6V_~m@6uHWg#6E>2C zUWCZvXHD=4><(z%`I0~-wdkno6=E>6De)#g6S5PwAa!r%(=`Yur#hTHged{-bN*3| z0ln*n7IZkDFS>WYvkbb^_L&H?j3#~L&+`#4w2;U0FDt7AwjVEV_^%esj*hZV*KO@i zww?tdYJC=lO%#>r`kS**n}RN0i38?=-|h&*a1{tnvoGoLhGMtzU58{~YcyQhtcmt)&$<&0xTwDPLGmFPr!Ft6`> z(hw5j1h7Z1HaPWSz0WsusogRl{^3Qz4Z&(85f&|^+{slI8*_Piu0hJ(23#C^ENLlR zu1VH@S4+|H`JC)sFFm(l4_iH5)>iaE(1zQ1aIb=VGp@G9ShteZc*Q5gsTuq}bE0T>#Po1sr8Ym0iKCOOnWkjA$2m_tV+1z6A8Pc*Z<)T* z=*)nTnHd(Ousgn?A<*mC4D-tw-Wic0##&__CAi2H@-h62BaDW9PFv~w zUQx4o|Gut4e)lm{$co(9Q1!Kw;GUHDYYNEN{heB-cs$HNC*zuMhmT1-k z60q4uj1-6s-p?7XmU(E(?O|Xti^I$wCPOPG+xWnNTb1qYjL5<(=2?N5+n)GuIy>6G zN9Vo*RG!j1vQyK-Sw_FxT4EOmxv*ll%R2e|VGnl?`9DgbSGuY$OTQ#xGC04Rnelh- z0MSoyLkh4eADWhpXT4(T<{1Rbat)17Inxj%xSqjUe*c>Yj|uq~oy{;Xn(O@NhQ~cE z{yf_tL5o9x)AuyB9`wrfW<)Ai`bP_f>jlOQ=i-2tijJGhb;>+L%OZqX`a|y7wJqU?hAGVfMz4*;)lBnV6hl9F6iV#>FJiU{+|%P|f}LWN zxErJWfpkI1r#YX{f!?0oj)|{*6(@)q2Rv&$G^c!jO~5lXVufQ zes$jM33;iIa+)8bPhsj4@O5lrVrg#MTI&uGNv296Me2mStWFx0??HdKqR6!O#n5%g z>FhL&nP)zv=hu7?^MRS7e#<#sz}JESb3$mhjBNV+#=^`PkjJ#1tyX5ew|pbdmkK5$ z7Q8Hw)gK*p6!;y3$%$qRibW+hHPuUSk;EtFqCgJ(M@Zsa*%pIIjw4fLOXsV~`yEy7tLsyjM-`win zA{oyckD3v0%EzohaWFm!|aWo&gn$EwYrlFJ`oV#`negkJpUR%!~W?nJe=iJ~Yed11L<8WyJ5c>@1}{xfoao z9P&_L7<#o#xP$b%Se+wPFMSGRBrl3F?sNko%ZE?wh=l%3!XCr##l zS{HRb5h}D_8A5&+K<;Ty_Cgj(_)kOH-f*w_wm?}E5sfS7`3N1jpx4Auw~@6q|6qO; z>No;9ZZF{Wuqy}4zl1$RCii;`HSGOeQ8~+8lWI7;wDoE@f}@|HKl)gfwC@A!2bk)u z%ggr{6iaq!%lg)g`~YEefSWpW>PR4@uOg)@?1wBI%3;^kz_w$l z3y8Z0SH)dd@$hj=iwkWEiebG=E0vYNuLq&wV#)#VWPnj)A=3XLKuvkavIQsVe_@fu zOQ`<~*9;h~VBJbb`*q1HCOO&f^B6!JNfd!XN&btdAmDYKcYSfTxDc29`S$_9l!DyE z$1er*o#H|zrn@Ws@V(UxP-J0^U+$xeR zEAuJMuKa!H)%SJis*{$tIl!j&yV};~0jz<9IG3|D|!v( zRtRYb6HDP$FXM*3kI9~PS!?F-dUX1a@p2SDAZ+;zAQ1x?}1b zp7#p)Zr2{NsoqZ0AGcIr&`vNK+^9%r%d zg_}XBXiW21-BEp^ov-t$EJB`Fm&4VjTVw}C+3AHwZ584%wl>z$v%DFzc4*W@=t_o} zH|$F|?>5t6BL(k3Nw}?R**{O>J!3P_bi1*E1Y&j zuU{{g)FY#6bkeh}6-1xu>nSlUlDlNqW=T`bAMJ}?p>o`uVc1P&iavg8Lnn#fzP*!r zVNINGww?KB+>f3}&<5X!Kp;Oa>m^L&nhu!a z7vFe9D~L(FeIOUDFn7kN9;YKYgZ8YT5O^x-SU$BPvmC$_9^jch+1GDT7&abNsF6TH zM!7F?aJ15TO}mr9^hwi{t?P2QDZ;wu{D&Huys4e5(YF&*F*~j>!VRZq0y8e#Q`$m^ zvvM|sQ&g1Qt`M{g6LL_RUtFB|x$D5w#P_WV%LCf@0kZq|a!0NaDVeGrBTdmRCdMYL zi!!v~iZ7>>MxRME3k%;**5s~F3;o5zEnAx)uj3(IXgeJ&Pl=dr@J(O2UavD(=?!`o z;Z1u2R2xsMdpKDbK)>KaY?7RWOfEOG$Jr0jMUB$@MnQIA@myshB}W;S&I-O_6UzmUXyWT)CD7LOL2Gh_mvZ!31rKGbh$afV zsRG0@;$Umtl*08Zg+colx?oTlkQ@VqiSMr^5xugz^N=-*LNbW`6LE=Iw9;4Y2#ahx{06iwyQ1X1Gh zHsU(o@17SnfgA$or``#6LQV~znk4v5$ zg5y)pn(8$rpY4aScba7-O4PMRgvwj$>$}Yief-dzzGtlP70m?U{qCKxg4$ZteEWf- za3ylhS%&_-sP{!2qJwxK_ka}carLEoq?oZq#CLs?_}=hi$>PzmPb0_2sjpd|9grdT__XVym^C%)sdO5;(%8jK6 zzp8}cP&hfd^)3~S-*v6;OyNM6=C2%Xj@nfp_Z12^gr~HHT%Cwui`|u^by#V+lyJT{ z$R@i7A*3jjV~Fn&QrC9xUgV|?HeytS9_l4JtnB{aVo~*Pn?vyz;Jr`}aNI>j! z7e>;5FBeTdCAm$u`WbPyn*wU&^v3-`Q7HU8pH%-U2|3fiVDcpN z<=ytR3JM9{qYI>&NA!w$&(`CMF5BBmVgp5$qG`z={h4mQ2HWWsY}S8t<0;)W<9H^~ z!UE0%l2n@-Ig@uV@Zlj{5Or@u_Y5cBM>~TX$B!1e|AtvuR&fO{f5aS4W1X z0VR2ZA@2+q!Sv@S0$Mc)#7#O^Ir%rs;Hmf3(ejZMTjv8A@V3t)9)ErC-d;?oAZPZb zOr*j4;k##*5s?G2($+jmArYTe$&#W520$(NwX{F}CQx==I6O`FJ6n%fyIQYzxe49@ z!oJ=4y`gJDQ9daee1ZIVRLw$(@&5k(8KKj=wl&I+d#sM)w?#C(CE}z&zV`2j`2Zt- zaGx%m^udGP-&^=+qG;>c%npjD@y#-V2{Y1MC`9EnUWc^b*`6W2q%dT zNh^8YckKxY{@TNn9-j4U z=&)scN?KxVP1SHN>?SQ6LDQFp>FiLfzjhG@lQ5;b(NK@_qjl=*VocK)Wz5V=p>#jL zwQx&1*MG|969zz^-;dAFx-YclZcj&<>F;cwb38Vg{FN&Zr(}V3nP^k4W#~&p3jot7bWr{ux8SEct6k0BOhh z`{W^z=kNYL$^U#(>zX1+Bno+3nswvvVfwurN!3CIwd7x8?GN3e)^`ZQ{reqnZ-4#g zFwb7v|8tnzcPRh<^tCwaOCxUna~gm4KW!zBE5yXACd{$Kp@Y55t$3C@ZMzt|@MjMioh(eq zEN2k+O`AV|`(rEQ6&Hxzg?zEQ6NYaCiPCDrP3v{2JuoK=9dQ~(l7xMD5{V?V|Z@$rrvU=c|!w2LIL_`xr zy*CjKL_}Kg-TX)w`4U=s`tM7Q0_h5^qE_7XaA0}{?q-yp*OI82rU<(*ogm{$8{rIk zoTOi8|0_HhMbx3&cye)8X(T+YOIVb@?6n&c9o26U7j`M=u#0MLj+Dq!E}|q5Bm!iR z?E%G;UbWMuqK=Z*cxHEU`WY#c2$zAKC&qPDFr#72bnzpv8MHe0tQ z6w(grjp`F`6;7%X5_rsRLxAk4*$EAghL0{Ut&o;7b)7U_&5xC1JNA25=bp6@67=N- z@g#ctU*IiFmZ3*C5ed}6@Rax!f+qVXbcXY@CthCJ*@&zHL`oVeLdfB$q`ua(BR{z(<8yHQ(=gSGO$YA;!31!_o+Fy;jP~7c zFBfHx3M(uiw==f6>_3d$lqK!I1jBykMMZYa1BT^C_$(UNavsE$hhl!2ekmi3D$iYe ztCF6aDkZU1TPpgcPn{)zI#|!X{!@gt4sdc$HC-H-QG|sq)a5MRUHBR6&_x52skLUG z)Y40SpJH37CH3Nm#0Py1o!6tW$*?VFez_M$x^1Onb*HC+Ih$!y%e{$B8*+VJFJ)x< zd-|EniWKx(rYx&9!K?(sp=Lc+ooSdXQt#ysLhh zSulEtZ!n!Tl0LVgq9VNK@CRFOSJ(cBA*U#_P$qi%oTehrh*InEim|InAN)3vWmC|M*r9=$4u?-Kh*c&(TMaI=PjnT)w@U@&Lz1=HJKigs_**&^mKyhtBy|Gc zVe6J-eIDLI$NOKIv$NpjjwocwXcJsUw+=%gtH~A&7s%)qL4hsU+VcAWe*bXle1MQfWQ-ukrCY*G985ob(|FhdrG3;?bJg>HVQ`vmi-)y8B@04+5x(50Vhjz2n&u?I%4w#gR9}4}awnXU8Qq=}_Dg0ElmRV9|_W zwblzMsl9uc7YXXG+_yT_LfXDM=wxb9-M{a$u^c6hO^^sgq-{TT>kkA@g*T9Dn!2y5 z!dK36A3dtIotmAR+Ri_&=GBLLeow9%{JDX>Fi*@1W&)F+nT3R!iYwbHu?`C+>l@2z zN4FdwKIAMbDs28WMIZh~&v)*9Qf^y^q2j%GSCc}Ewc|%9Vld+vfk{f3Pfpr;y0H<2 z_?*n-myq;E2d4w;sEMY6C_mQ&1vyPglMNUvX@AD!`ytQ8+juG~Q#o|;@l_Jnd-^jj z=MD?w#czm9X=~3Fy%D=D$RIawKxXPxXsd0aYN}S#yA>T3)p%@F>@jv1+-Y>R^|K}$ zgdX-8b5DF40oMlW{(e~vFR@al*5wcn3b2k)b|*H>tenLKGV-8RFv7nPp=jukMoFY( jbznjpY?y@7L7}niSaxnm26z6h=OEIO3KFHy4c`4f8ZUzSCJO2L9 z?|I*6t?&ER`>r+2n%HyB*?Zq{UDtgdzAJo`c!={12LOPFQj+hL0N}xI06?S0LIpq3 z%24tFPyj&cy{L-&?EZp_`<&Voa7^d4-+|9<+^(@1V`!RFWSnEy;5INYU&PGK&HXho zG4UYb;*LgwGpL$q=xAqcOD)b+vq`OR&1sl^9<3Wy%;Hhbux6=wzqk-S7ERzIF)W&M zDx+nZxBvAf@R5N(+J8R(`z1%q=f6Y#8HY}~{C_(N70;gfpWpuf9_xRMLc!qwe?Q~@ z=cqsc?fHLS{r}l0F@F^N|GuvO{fz(PSpQ=bO$&he?@Ih1j`|-<>Bc+?-pdAxL1m>s zb{~HG_eZUMg6})0y19i{ygl3CGPzgWiL#Ae(0VmC?YwI5^E^_Z#+Uo^%~5ou@Y^Ez ziB}1^$k*l)H!Vc%dEnWJy1Ye+-^TvurhS_De)w{Vda*9Q_i4{%!4`h1NS*OuekT%6 z&f#>k{;=5_wi9{O6-n`V;qkwQ5rE`v;dGl+$v3pI5%4s5eQx6&QXMY{=rqUvcAMHy zEGsS^^2DX`u;&qdgtpio-t1Gc+?2S9>gyooVP%yRo!MT%E^>hwBS2Q$y;WAO5KE8g z-H;nB8h=7%7nu|vx!B+x)4gVd`QhJvU0%YoA4q=yTZvh!S&|M%#eDbG*;nv zV`FS+i0v}vrtfR;>ItQQtLIUx@%YcqGxOmj!OX_YwH=a0bpP0X;-O^T9W$NP92>7x zPivq3^)lqu?roOV#jMOQ(2{iItEQ-Vu}6?r$1kWzfLz;RpJ2L}r0@!r?qBjfcmPaS z+FZdyr}DhW@VbVVe5|{;>zy~c^po6-)W!c@eUymSU)*%W!0OZJNJ_|EAFe#sHA3oX zSF(@~iYH64faUww7DUUxVU?9?lj9f!XZp>y@Lc_SEC4k3tHD%!V9K^5oI?1A7LfzC zR8i3ZZB(b1UE{uio!55H&LzHsSFnaxN^M21@990c%G~7So0lzir-5aAl)iCn5^sEF zv)CcNp_B~VtgeW_GP)zbbpa+g?dumULzBETuVNQ}M_0U4F|klq#=X!dG4IanQ3&wg z&O453r$h0lZkcbRW#S?P+=cLgz#w#N*4JeT-%1StewWL(#4~kk>q4P`q3%>G*+b(zKh*%$*#%Z`(JmeNe@p2IA?fGjpPCBqXf46+cVwH&$#KmEqRI_6`O=?c7xoW#D^Pw z5A5IYz8)$V8MclG=che4>vW2f&2{%8p2}}V5;Ld?2_I%}zM~hQM+00BgwcVh6&l|r zz46AgO<6SmjMeh%4#NHJfAnS^C$OBSi6HM>6mhLY>i0b}upB;NytAvi!E zb3tE!0p5|Y&!v*7%frZS-Fh=#7{QdWAdX>WPcrXIy${hOqv#lSTuoq)A#u*T_mh28Tv zp5P)?d&4i-LB}Ld`gLG!a|>e>bfrpo?KApEHFBg~yYi^cQ}^k~Ow(CQPLWr+6E3hk z5~ZAyq6BDEU5fyZj^Sm|T_`Pwcfn;(>HdxF?;b5Da9c3}CR>{_*<2z^ES#JVfobc> zb7-`u`}p)ICt$xO9x&>q$}|yo;DurUU-gg|E=%oRQ&Uk*6Y%o*QLm+-aoUnO%&v7Z zviPNY+>$4F@c!n^?cl%~g_@uL5imcmbAP{9UqtRVUw6_C+OTpux}QEffQ5~X?ms^t zaMLAjY2`&g>2>`b`S-8D&SLvkST$@kHF~bQ)0u>i~_}&+izu zwC4sNAhL0{P+KMsye2F!el%<%0#>g?5WDTeO_%_Fl3Z*{X$36jkVs2I0ja^F1_opY zDS`O@2Y|K}Ghnfk-)(s6Z>cI~S{4?=|H;BS%aQZO>gw^Zrk*IWj7Essz;^ zOlfz)AMwl}`aUO6o&w_j_0zKGtzHvHpvHRxqv2i%;1`@ld#k3VXX4&7Sd%4@>fO6d z%vJ7~N&D`uUfKZgFDP)*kfa858Xr$h&MuCRTbf&uFCV=tSzg;Ptf8nCn>j1apLk)h z**Ad=G2PhA%`yKPj3Mlf#8Fo_2c{d3ur3Y$wGS+ev{p{@O+uh&pf8+K_{%-tryHZ) zMa?lra-Z>O#dZ{GVLBN*%BR9}u7~lx8$hYm(aL92;gRB{5KMqA_-x=QL79duP-8dr zdbfCeTo#ZV>_PQk8C{8H2uq(t!0Y9QD3>nQs;QIqH zA-Bhae0m;gOi`$B4HdD0_aB19gMxt;FvxX>lL`3ivc6)@eRg(~v|?aqZq}7~Gz;5$ z1S3EfHQ8J@HQ6*E5I5j}JPvMea=OyDFck6GeZg!cZt_$Oa;e91g2 zEM$?03`6nHWE}1z!twMlRz8chss@v~fY)YBGw;!B@8xYpPI1O>5AH^v%P~(0xAJi_ zbG+<=%Ds4^_oh+bt9RJXI>QL1^15UEJZyjDN6YOLi*B7ou?|~xB_YaNB}Y$BGhQHB zz-?zWY#K}rh~takjab#H$w@OaA(+LhHnEN5;Ez*?n{bm)w za;`oyNAEVffX{q5nRfY%4+$6Mp|>%02@j1n_KURC^EC|CFk)M7K3!EVX}BH_PVd(*s*c znpz>x$dd@3i=1qau`6GQ#7a*f8*dg<(IocBpUvwe4-U9@(r-ix!MTKUv88_6HJt5C z9^B^VTd@v2u;wjjDm!V6Y+5Y41z>I9GW*`R(8Wf#Z8%=;Lrza}mmV(X^_iSvQu&Cy z5?J79{7|fbxZE-WERG&g3A*6dvu9l2dQl0KZbSu7hLKW!Vq31zDE$2vX)3dMv{+_% z(pKv>f=kBj%AaP30a)`U^<`%qyU(jK#}{hV2IgO%5ok7CH_GVlv>Hfyys2Fl9I5lx_`S?E! z!$-6RGvY2j%@O_wj`X^yot(VH9wWwAT^R8#tALqSB&trpa@6cy9BlV2?5u3~U;&}g znZI6y$C1!rwY4w6%Ja2GwTr?(hl}u6`Bi{k7qNgTa*x2=Z>s*j<3zkaQ+@(@9{tn) ztTH8q73kRrsR?}XGcX~~-qU_8WFk_p`LUnGb15ejWXC84CFS7+5A2M%um}Wrakp@f zG(i{v@Q2%JbH4gC&D|2?%VW1SLY~|w8!166WxBmeB$t)=DOCaZ?FvbI~WFZzEF2LktlIHtis4+!4L($3S~ z^8vr7G7Rh0p#1?U?AOtVb3wJuA`nX1>-i`)5D(P{eU zTT64fa)|)odMW<%EK%0X!s2&mg|dx}kF;fw5_G?ot)v+cbHi-y%cwdw0%Dt$>!oevmgB2I%4Gl8?kbEO|;GdROom-!z zlr1YMxs!f#`a`Hh(xP?69_4p!_6Mj+`OH4(5fYg785w`}=e-ZMa0qZW&)`y0P~ibd z8$&iMd`dGb^XPc>AMxrY&gOZ!nf1ZBx!MN)`kvyhA539Gzv5`|Ll0IqXD{$i^QyIr zRVu40pZQz{Q|i1cL0)>L+0E1?S@v&)?D4IZEPYdls_ad&VfvRDiw`7=z&oI4Dtwu0 zRyJ0#{Y0K0QuwX$L0d1Mth#LSGdYi70&41OuR(imwx9ST-C`LlZ}OkZq~J z2hP|R{bo_Vu#gpM{>jQNlL0r=jJdjee4N?l$Rb|a^t`{Us(g1X_djX@+H;0c{ZfTy z^lLZ>Qk-3--42DrB+y3R2+}*JjIMA-onZfh#y8)tTpjsdFLZPweAt`MW1=(BoaK6x z6Jl<5%$Kss2l|Z-*{=7a-OPp(28=!p5lLq|4mZ*1`<>yY2o0|}JY5@7IM8%bGcnux zL*RG%{bE??f&5!1KDk5m>(A(~YtLzn zCjH_!^>uKVF^(+ux}WLZeu#m8mZ_!yRnhb1q-kxxJiH05v%08bEYWF9Z#>iYy9XM82r#%s*{EPW-XW}8GL8Kx#%i$kzH%GePrz`9) zx?SH9G>xb3_jbxsWmod zg}85DL(Uth8j)QM9^5Df3pcqw4Z?apa7{{ib^lJ7n_(;Pw;2-p^aVh zm52Rt>2{typiyqJ_+5ER>Zg#iK}A96Q^5P~pk&DxnRI!>7pP41CRDrkVnk~N}6agG=H?Dc^DQMupQ5@axiJG?0a10W8CIl|i->v^ZAwFu0r z7j%=;+`aFDj~d0pGszNauGh!M@$&Ds+Y4Yv0$YhUXG_oS1mJXxK|$ z3i2UGqN2x7;b-P##SKn#NBwaFQz8u3yj~X}olAbV*o_@Cy(inPMV>rdMTM+Oo@Yo( zt!5nOT-%wOEBSL(W`HAcptN+^uKDI|$=m%A5%!HDK0WWPqWGO{3;@j3@LM~5yZgOh zo`U#4XAika!}5Ac!<+qbbtg~(5%{%Vq)0>Gs z|B`4ypxO%|d;Jvgh*hNhAcmxnJ8q{s@hL;EEmMLxRCqa$v;{8QZhm*_oMhJCK)@{akFw z558JzvO*3O&xHCel-BO8+7vc7^WD9*OuzcgNubGC z>Lj_GnZbLy=1Se~nPP?E`vo8%^*y*C$U|}C&XIdYyew11YuxpM35bbTue3aPTCr6; zeLTgxTb!Hb{;k!(d4k(@whnG?*|&QgxIU$aT<(ltY;xSdkot*-u~xvoNY3Xv4moM~ z&9j&ex^r$C^5*h(X?K@rjj&A&wL6k(Vdm9BgXxq6m7lJPiZpBFH!RJX--4T`v&_TA zT1{Ah2^W008F6u($&R?WHM68MOcy2hMNS^`vuktdLzQe0Ufs7;zKL;Ba;%kAWuEtm z5<4>I2lbcnaq0@l!9munMO)=oT*mH0kD9T1UW+UcOpl^G$PYde{QaFD9sT=d<)IY_z9yDUFYiQ}>kp!_asTsz;vH7GxH zNxSKV<4)z3Q$#7Q$TCEG?$>bA?Hr&#Jj<1Ee@OLMiib_7Cd6FvFH1wgR}{rsU=Tr` zb|V5Z;`O{ke)%WfJQU!fJ-<)~Wwk*9`IK78l3L3Rqusu(l5oMryJaWKm7Jn_J3RqI z8)H)&V;Vts|da5CDHf2oj&0Pj`ygN^nG>`b5p$^0Sxlb_O=Zm37=l6 zFik{4kRHd!-+%pjQ)dEf%k%r}4AjbisWtL@1mK_lYZlzCw_abLG7iPYsw+t`6BO&q zE!A6gishG?&QTteQwJrdJl}cQl}?unyk&_>7W6YcO#TFv+P6MGcv56&D5{c~k+C}t z#l`tb3q}aO=8?rA44^}IgQ!g`04lB|Jv(8=heA!qeAN~1P8^C22vNo}g>YJJ66U|P zR&t!(b&*$Szq&kxlsmLvDI0ZzK40sUt4KgKyOsTlFa(p*Bcd+=z7yZ9^n`t6hZNKU z1tlU=G5nW!tp$9H2#DTc8qT41l%`kr#_}O0YL7so{;1Ic-gx-090sRGD=`J zLUUrIH|Qc8-%<=e^s~7=+>0b;OLz!~ilY3opP))YS>B?8qcgJK^0wHC(je2 zPI00;)6Y&rVY{6gQ+%%piQ}?z%mRah6{Mb@8x+q}}=B@^alzkCF?QgJ>L`psJkM`Ymv*GxK5(>zac=S+c&#T#+6rue;F{y)3DO#x<7yE z?v}4RT9MG_cU+Ir$f%tMnHc=>Y=71&y5F;t z``MNOcPg|g1PtaAqCf%xP{;OF9nCMD5fif{$lZyg{raV-mXnCOa~$>b9Atx75$og5 z`73*SF8BNQQ~F-MZP%QdGqsE#Qy>nzLO$Us^E~!uo#hWOuWUSbdokPF-wo;3h!u%T zkY!}j<%v5uXj(`~3 z@LL$*N9FlQ+E^L4aZ89To{gMS%<6aG=8oejEc3$_nk49cV_k-9dF&a3 zL*%?{KRs3_u1LW@J$4<_bQSHSyF)tuGWKMR$5=_^{#=_Wh~J@&6!;br^81fRu}zJKngzpS&Z{%!P#P-#bQ}=n7f_R_X zJG%lk7F0R$E~$0_{c{#Qj$Eq<^O~b3GL@w6QFNX_;?1!fxi^mMgcnN<4H;Ju#OdIa zz5!PvrERgikSFqKS^kU1~RM>^jZ7P0JXZcKKIn~{gv4Hgy_Kho0pbd6VYk3@KM%zN8vo&C`OUIgr59eTzb$Nn5* zt70KZ9oo5SKOM~wLC)>Djz%EjbaBH9C@{s!3t!C!h0n#YHQAl#t%!)E0$_cmSg*{z zYh0>~o4ERQH7bw<70>}oP0o*6sck>t!_WS#b0r@Brg52iUht+r*76SV3_sX3VJW@a ze&E~U7<3|EwCMu=wG*VODtJa6$CAn@5eX~5_TcL=&TrK7YM~o#*;Zq@A5s5CHjr9V zEvzZmF*)Py(3g z+~ws-&yup0$Qox7wo5B3WsCHO(7fDnOw&s2c5r3dxe|Z9?aE1s6simwG@F~9McmI# zsklsNJ4hwg?Jyd=@G-V685S`_SZI?c1$BuZFi*2L-^2S${D_a?Yh4l7OXTbz;&kHQ ze}HSI_!;BI@r?jI1+Z^zV?Oxnw5wqF1a4MU#jDIHKV6T+0_LS9Qw4mufWLrG(3N7_ zMLuZP1C#ww?TL>^v*V!gyZPMuHmtD4E(IpS5YYG+n{6KeLYF;tdsAz$NHo*I-R!X( z3p1vfile+s-PETL0z>?wAi=(XxCvE%zk@$DP#n&Sb3-EpbMD>T55)F_*TPXT{* z9CVE@Xf)^g0#iJE>sh^PmF7`d!Ak`y`GM$z8a|#Q_fEq?VkMvK%x}BxmaG@A+c(1@ zct_6?pOByO!$|36u$PloWqY$z0%^)#!`GboCCaRvE1Q*TM+&iZc2=4G z(a^POH29uUWRa3qhHk8Ha(t5FP`VszFC-taFt=YS%i!cYl@K$i?Wzd-uivvh znrpa~TBenrkUdhmF6%*bFXH+OUtYB_xUR^Kvo?i+g?B_1_KwaPO_lXM{U8Y#PeopI zyU|A3``fvF-#nO1I-1Ob+|SQ0(qI6*Nq7Cj`W+uBC3Gjy{72fnH%`A&H57cmiH(V& z5Xw^CUEPQGv$7TekN5|UYIAwGYe85bCa9cwM3tz=^O{%b=_FU;K%|KKmuG1|fBqC5 zRyLMiy8V7>QpSF_H1<1@{t5#CVMh#z%-93pyx(&0#sRk^5a9kBprX0A*cvbUD$qp} zaIXd3toeOz#6%TOIQ*7wH!X{M!SFWvm8jZgNzh|e1LS@tqduSsfP4rnZ6*u4{R*xp z2M7rX8R>IH)qDNVNQ%2YQepy2z85QniORS*Apu`dK^%#x%bovcgO#ho5&B&cEbDr# z?VfxI{s@+mWmDcb7{t=G_L!7uzL0u?-fC8{R-7`>Hxw)RM!m#KY)j0oo%rAsJyvys z(W~Hu^V2G6{(Pob`t@p(KAwz<^=w0QAHGKAb`ylp7Slg4Yn(C7{SgoZzb)6?mr*aC zo7O1NtPj&d_QABBZ9*lwOCI=_K>R>T<<~dJiiM9)DlDyxecBhBq_Wo0>l6v`Y)(nB zS>|X)^Wvj`c&N?Or1IK4;V})e$UfXZNss%Y|T7x#~`O80&~Ig_uXC3d1uoX3Ft5( z(Pvcu#>Q;B^MW)5mvM>6h~emz7`BOU2hUBc@LOybw`kKx(;C76xZDZ zA-y&z4rXL2eO5ccB{N$MEJGIsRW!0X9BtsOqx21O@jmeWNWS@=$EFWmUfvC`cP{lq zjJg0LG;xU2TLw$Z0Z~gEtEJl8<-QGEl$L=o5(*+){#-M)kBjWhcAkhRm+_dFN!5ot zE@s4@-hJ8qe0Z7UeI(q0al`Q%8hICZGY?)Hn2HG(oVM%Pbn2>H!x>&qj*R39|HAvHFlGM@ z^i11OMJ9D(7CpE7wuzu1@f*xbP%E_&yeiUw+Z(@&zU%{;i|_vT_#yoo>0B2O*GHxa z@i|@Ml#$!0Rd~X-4+uE_HP>R>Ry9v=}*QzK)D*#~w^i^zWC7;hurg#h>URQe8$G z&aZ5wwHB>904Nd43tgOgQF$wBX^9hMKOWu8^!z%r`wZBe>wZzmQL)3w z^vL;b5G%79Bwv`*+}C$BgeQ_x$hjfEE~sf+?xU1`&H3j8!7EWW_%MwxxG$iH>xby& zJHhUCtTpSuxOfObUS4IG?p=85HiNTOFZ6cbs}d&DtUZtOa$WC%COWAhU=9+YwzHC| zE`#bz2rj3?5OAJrJ`As5Sy^HCC3-jFeh{w4pVFqY(QIk;_NpcO1+RSe8FfVynP){G zj^sy6Qw`(B7n2nwhWyP|&JuKBXV|LZTMLf=w1#!fnV3JP*k72}IX%VM4&{ud@(sYk zKacO*`1+MzSbz7}T}PgPkD0l@ukTk#9}{fHLv>)l{c}44H&iB^;XPu^)dudrKRd@7_6qIFc{6k+-h%QLrqOhN?yS-q&}%2JN6|bW64&*4UOMo z>)J_;=x3CP30RPF2%?`9F9>YTsi?@*NzcnKgceZs(f$I-BO>!=TK@0F2mb9)tE)hJ zepNWKY}g%PksmUY+$hA%NDztr_iK>-@$la;J6^y1`9k@L?Sf%RD)lr=l^D&Gwvg*8 zVL&l})=%hLVJ^yratqUyOb3b~l?{;V{LHjlP+xC-UxoJpJ*gSUUYBBrquOOXGr% zQ|`MZv*7<~XhJcwCpA4<*U?uVG~qg+NXch}0e znVVyrOm^p2_;_fxYfI;XGDGZXjgFO-plH@trSuw)3))MuK#ZNwF3fqaJ~1xdrnndpPR<-QF=U#mF;zKIA3w{(LQ11bHS)yBi&}l^vp~; z>X&%H^XDlk$-2?Dy7KbU&aMvCPWI?PYNF;_14&<7wYI@MkfwcPvt^Z&`|zOlps47T zl!FQ$YS@e1Qi^09E$v_7hpb717boNl>P)seZ}ioa2#LvT%ou(fk(qhl7g@!ZS8$<< ziG8K*FQ&k<$t!rp%F@#-8!!3h)QM~C=aW)g+Sl&p!}@woNM)--Kg+xJ;d2EvqW`r9 zIPvXkXAcJD-)mR!iGfw;uiNGd9lZQV`h25}5)DItfR+ zE1$ZyxD#0zLOTsOnERyn_AF6a?6Cm=`+Z@Q? zz*`$R(+{7po#k#`9_+_RzWHYfau`tl%kmBVGfVbUQozbic#$xWry`BX7#~u;I`q-O zP|tP!cvL#Op)jkaA*;v!dy9^Ru@#@;E}o?zUVvd2iHdrxw$@x&(rZ{|V-Yoby%YnF z4l1DZiBUCGnT5FDlq*{a1u$~JjBiH)yd)R}F(ndpz?K=Q%Ia!Gc~MNR4vGU6EeQgg z({fX;PXpU0pxpun&UPrj8;ioJUlV+?vx1dZZQ6Uh4bWl8BzCQ=_Lzn{!{*A`|Fd0S zD5*B~Z*Lz<>NTqObO(UoeisLql9$XF{^dV2{;blt=JS56%B@a%9tp9^0BdT zYahsP_u59tfHCc^ConkKt z6Oz#U6W?-pkGoTU^Z%`&k9-T$(p6V3Qj3;l=(m?D@tT;Q-rimL07DB9OVOE^ErR~& zuQ4+d9sslzm8_4p2R2T?YXrW%SBs0A1X_$LQgjx`$)8E_%>4PYzIiA`?^#ph@tS9n zoLQe~D>2a!`R?BfUWN=W+dI2XunkN7H1V-1`V#H*L9^^jW`6>9nRK=oRE2kPsz54s z@ky+7V$@GkVjl1#$J+V%u-DYRKQj==d5`I=4>VX@RXw0e=^Q$38}?p{1#JQIBgc7) zYYb2E#ApwDh6lM|W)j*-g%wVJ#uEiJcVH8-LCihtf9ifo6Ue7EB+G)f?O#{-tl3Z$ zk2t!0GcKN3xgsws_eG#YxV@u`d07H%VqzkeNL-B3l>T%23Z-5X7~_rE-~T%cjPLdY z&u`^zezh8KCgOa}2&M;GHtpBB1ax~*0S)Ua>Fht0BZf6u>UbDms7aY(9WC@@E*I4Z zpuywReso3y@V-0K)V)l0SOi_jluo1luiuDa9c}~Ny7IKP>IJIq&;N5E z@MtYScS-@Y421yoKe-X4s%|$dO#e;>OqTy!U-bXzcz*PM-Io17+QsX>aDH$-bSHfD z437$FsQKv?5^n1bzh=>E;u4@q)jJ(oldpQs2YbzTb)ykL{hT5N3*#MI^v;6m(f02c zW>qFts;O#NH6|*d;|KlAnSp_UKeJl2#N>;nG=w4JfiR4c`3-hCvwL}+J>99j4ed^MR>Ud{qNgin9 zeBbP>*vpu2^ui6Yl*3_zW@BEsfLMA@->f*xW2+mcD(luy0r`@Vq!B zrEz+i{B@wa&|+TMTGz*9(r1*0ugdd_ih1YXMfV=$HtD+1T1%-s{$nTSmu2 zX=VDenbqfJXI#Dsy6aS&nSZ43>>f=IH!YY<(AMBc#7mTI@@PLgI5^0u8Y@XjYc_#q z_x$WNni1qzQCCBKE2?+6^R(Lsf!G?-ZviD!SvB+A^_J8HRiX{>&`@r(Ao2Hy3uVG| ztP{u3+`$B4huxT?W<*0(4hHZ%C3#BZTERRwu-D`ndM#8@@EMoi$)6wJj=SpK z2x4{%&sCY4n*zX+jy>`VL6SDshND2z;NtbIUHHQb@pfU5-#IEOwnhvl<+Y6D-%f#D zvX#|UGt)B%i%qN$#-xzthVxBrFy)VD?(SMu+ssSCp5U4o?~7k_2uGT2 zzOe8n^>2I^47*ZtBN%?gZGLkD_d6fbuBvi%P6928qOhT`a>~`!%xwRBr(GgKT3$-P zcip~uRs#PpGK@^b(2)ho(2U$YOV$5a;^VmRg+LqYt5V{4+k8f2=G}3VkLle$Irr9L zJgM8>EO4{p*_xw3!kbbJK{sZYoL;q2&xuANR|j>k>dt#^GbRebO={ESk^A zgb{5sW8&4N-V?h%f^LMw>re5z+U14Fo)Jg=jN$hl-+r7afxKV4VjUdB!*IH6@VJ6p zA5%e)S!xAg#q8ykT9wut5k*N%{e4&g8ZOA2o`mg=8h(zG&^xq9p}6FP(v|o$6iErj zEwBbvsm#(l)Mvnvz&y2(_A`dm?d}Z_78#zxYc+JgASl;}@I63WHuItS!@>`g*&D9U z+?FiFUa+zCtC!5cY^)4@DS4t?OF8%mB8M0K)M?bw(I2pCl(XF4;QPesxT_D5qR6>@%dpn{+XeOBH1a%dNgb(98H;-^eHxQJ&)OZ?CWK?>la;e-AYu zMs3N0D(4O+o0=af=&R3F-%}|osu5EXIi2h$B6qp@S@`*1vlw-6His`3C>0E)2<_}` zl}wp&VAXxO$d-Ggpr%Fp=ooVZ!~e3XYEPXll2Wi~Dt;_p!~=2MS{Q~0(6Vr?-Um~` z*Bjkpd}Q#_5r_jm;6-ZVKSASfDBphgCXc1$<-joWz_6g-P0XdPUDG-3MBYnwCwu4D zH}(Oo{4NL$Ls1dnhoy^;O-d~6p^KFF`7+8bs$P*Ag|PebMD>!3vtwa#F>jr(#(Q^H zaZgiCvQ~p1mat1$BaOTrRjsTi93imV%rl|7^)W4kQh-*FxxKeDv3*5h^kG12jpMyH z!Q9T#kh-ecGuszJOm8?vB0_9|x0a5pr7bPLe~ehgv-9xr6x0O;3Z0IReXq8qr|(eC z{6Ng6-DG^0Lu55IIv3Szssi>ER#zzb3w=L3A#TfOuvdUF*QLC{%V;j!;l$_kvCykEB5g#rS-u<0W-7D9UAz; zDxXOvBxD;1hN2lcSA*T@+noB|*CJ3gZqk9D85v+)LQw6tfZz_0tnrAhTa{~Yahe^_ z1mlAbwtY=qJveMl0-s&4NldVXljWuRd{(cktE-2=Ogy_@UP)0l{!o~JlaO#jf4{Wd zVoh9pO3`=X&X3=}g>0U<*9y#Z6Hux25aCBefX#N(*K;M~IBN{Dw4@!ep(G6QDT}jz z_BZwftu+*smDkdJyz-ft8D%3Vgndzi+dU4m)s=q!%r9UzA56JgAW0h)RMylRGAYNK z8L_B znAxDK(^X!6KEL0M$|na-V0uPyK)-yvbu?;tt01PY{Li0<&4^0-o$|tg^Z7y+01FR? zjL+j|W23Q@)JiX%1k^eTwntUxyK$NY9Ro>MzqItF^%6s@>*+P(Lw}r?mzTP_s=km{ z(9QBc{rM=wWFN3Tu_=u27KS-{mikAg`DsdVwi-+e@{dn$>ljW>s0h9hAlIb=tgR0O z-@H*1F1;@z5b?Y?aAWNF_?gnLvSf6@-Npr$8O;q$&(83SPYfprZ}}bh9XDS=bm}a5 zLI)}HQ}~*=hla*UpK8h3fFq+9El>DtV`AeJ4&b5j9Sb#jy4g?J1YEb@o*%E^#<6JE zS;DH*mJ*+KqfqlPGSdl%>oHnhe*^m@Ojcu{x30VESp(ondbjjS%c}(3c4J!094Q6N z2Ee_kBw1{54evE7(nKyN!*RD*G)nEJ@JC|)ltz9d6R}-=Pi~d;pJ6+GC}Aoso4fxrll4j@a!iSp$o+56l%HonR)J#Q2E-!5w({QmvVmhC_vn#nouzr;O^j*+#@^$>X*OJwgnGA@Q^qC@ni5IToRr7$BS(IB-(gROB)CG)WcgOX)sRmP2~|$ zXeX+ZQ|2BTm~g_8rG~kYRCBc+72zodvlj%?9TeErwwiOZL4iS^Y_jM$**+TB(mW<# zs)50Z;v?m?z2?9(gStH!ma0G}5T2_hTNpBMZMr?3nAfp0e?jr&bMDtg%U4q0Rp@Bn z1lh6Gc4*~7}zHyJ$uMqceSc&@Zv z6vU$}|A9LVH=R2g%@zQ-6;Q? z8521aOAz)Z=f~h1lJyNGyUEhukMtoBrm0u=o8i0pOiWdzf<71khlVUJE{#5QPj4R! z>nn^Wn6>}hpbFkWy5J%m8tQdF>OK&N-Duk}1u;0UIcY{-Qvj0mKO-((wY3FzQNI{j znWx1iTRZyzKYC4KiHKAPe>YWKo_;+Or7;8zh?5krN(~1iv=hVsrcSHb5T&ldeR^tY z0>xjJ$&`z%n}7n9T9iT1;kpMzJdzxw;?>;CDO0sS3W_RV6~q0#qrb4ahQ_b4n636e zoP2+B7OB;b1%Nkz?u1N$Xg-~7f;PjLm{t3Ja4T(BxPh9znwtG;HaoPW>C9GIOw1;H zlPeWxa(!#PP^aSKt&!v8yoX1vfXZ=zFB_1+W9RFuHnbDnoySzc-f-&qQO(RsCe$@C zHX`Ek&mSXozR0X=er3##aoheZE-<2WM74uz24H_OKLh$Xe|@cLTyPM<3(LcxbL^qGL!e%ZTV6{hUyP#IS!6(VXOahsizGgbd2t`O(o=aS2IDGH*KE4xymZbI@MB z81sxg&?sMCi7f>ZpB63Xwdf6%)lyb|2;hH=c&s>jNU3-JMs*`rI=j5C+;KijN(%dg zt}Bd{oppk_G5yMHVp2s=uvQ5L-_qc*OC1LvAErO9`NzRJyZh+j#+Ss^OEsQERx$sO z=f8&V6_nn>Kc0!=ViN=}<|OEr8*NNBBQtU{@}R}17gxFL-$7B#%M0^HX=M9`x2ozK zBNm4~x)<;ds;hI#y-=RF%Fj2-mD_TxDK8Eo5b?d|QB?)N49=?la;JbgR=O9wzZ)xa zj%<2p4_aJ&esY#e_a0r;{q`mihx9`vsiCROT_18WCtm3GPk;PSYQ4i9&TyEvRtD5V zQAeZ39qx$nMQWIi+pV>2KKZ$2@zX?|$?@@*gx_~9ttdSay%gHK%1`Z8R8>!}&8+d0 zZeo)RIK;!rF@dKHaye;-ne5HJw-f676wkK{>Nj&X!B|YLT|XHYmk>o4ii4B%j6AR2 zU5DFpQX4dd`L?!gTd)_rXTz~}a=w5m_NNp=nGRK2CIsSxT(}ouvb@FujxVmpa6Hh> zOtbiScoUM`7?%^0w4J5t<-$RkIrTRWq)e+QuGeHW0-xC`sklk>TVdg^XU`H?;>gm5 zP0Cf6=m8B)&FZSEx9XkI_51tjBn#A78NnjhT4;Sbe#Cw~*Y9mpF=?iRPJz;Rh18tG;qBZte<@P&0Hba9xC%X47ZW)1Sq$2sGH0$THyKV26JT z$;sh)#nhwTvjK+I@AVET)Zco?a<(>2t~eH~{oEEuimaxL#lxNp`yvLdrV{YP_sOnLsf0v#)+=S{5FA3sul2d{FqoW&2bt7QCYYtz{`%8k0<@NIQJG*EBy@am zm&d1n1KCc+HjOFqYXNC8&;ugf?G?H{8EF$o&9@3a6kZm-WJUwX1#d^b^-v_;$4O@| zHu+xS!IR0`-aj1yQ~O+R%0xN7`yY_H!8Sdo(lP;Y;I zA;rtXy9rL*GM0U`odnApfq?j4**FB7ZOgsWeP=RoTo`t~KM?jkI@io3ON#ypqj`Mn z738>GU7v7$LoS80f3&wYr><{cV1G0>ZK2Ud#zj@tRc&(p)0nI6jO@?#!0BnQGLVxa z9zacsPRGH|4~hyyt*ui_?3^M^!Rn)`uU#a^7O>P<&3|lV@}L`g8b_}9?>b~fiF zfgHD7)oR@lUKdQ65myPTyhkkXfr1EVo{9AaQE#aYI7kI%G#MkF?-<^JGt!-_0z-Jj zi_h(bjPxB>$#0wdwjw~n+jKm;_X4|Ua1hJ}pAMM}kFThjS@j!j|BQc<#mLNP@V=U4 zeFr-;K#=SY*^u)M{et)z?GvJY>pMM7(dHX{8aiS&m_+4v=ZP33_Y}A^neyX9UTlGv z2C|Kh9N+3@pIMp>g3(?BYrxHB$#Y}X1N2$-`>T(+?*|M@!8LyoD+w4ZMNsrl75m(! zT*WYD*EAY;$H~n`awSMdXT>G+J6epM5`hT`yf;v}2fTNA{_UWz?LpEKaQbHQU(RwcFsL5|-KQZX0t`?WX@4nT`?NFfABJK4Ch`%C5 zF3vkE%*l6m@ek(e&FM}l#Sz1_CHXD=wkHdyeE$fvz+3R9xXw)f z5d+z@3WMReaO6ZqiAFuXw+l-yvYcyYg7hgE>az^k1B3KN4paq-Pw+4z`zH#1 zORYH8TK;^E=)Fpt^S}=-V3^1$fIRYx@+f=G)=KS+ ziFu4^A2LXbv~ZYhx#VMr;JZlpsRL52n?L1__CkZu8`kr-k| zN=l@Wh5-?Tp@#1IAMg8qzW@DvYrWt1x@0Y8t>G8v?0xn=dtcXea)QMgd@X|qi>q_} ziH!NEV>(Az%G#c!?)2m7TZf|0R({vnm1!MDH#R<0Qo{GfjfiL5gz`N(``A*vcyiub z$t>#;mCj_a6}8iU5+pqu_);!Un|QY`7C0!u^ZUvY8GgK+thu}Ap~ z5Z1&VykHVgluYThlNqn$I5QZ|{lTg}bOG8LcC@J65)WE4mBUM~JB8oTqIo9ecj-~+ zg%H{q7md}};M)i+$St+f(E^UfsuhssfEDi6yWc;#bH{A?lPQZ9c=FiNj|6@M_4sxC!3h z-ySLub-l~}M{RAbfFOUHO*oAA87Z>;0c!+8bJ?x&`Fo7xlyREoz(Bmr#l4tLYPAmT zc;-R}(!Z+pf38FRlbp)D0)rvDe~4S(ttOwQez@Y=a!%6+6k+)1jgrRBc)Pj~yT4LNw;zi;+$<(3Nv zBhZy-&Hrog|9l}&ihg~+DiqZ7U$ymrc!iJk&!0gei~g_P%fEG1{;L`Aztd>>-+k-9 zIu`%F3R{rN6$-lq#U(z}M){glvRha+!)_)Ds|9Gu^ zttSg?a%cg?1P?lVO>DQZ)(7&K7_%Q!Ctv zA9SdhdTxuk38I_cEsUdc>22Qf+dMiYHx)0Tp=%uWfiLTWL$q)I$^iBBa7I!ZU}5Ca zu}`?$G+$-mN)enw1Fq|}R%iXP7ik;oL%niw?)tTuw92H&qw{^8b7VIzB8G}&<@;FH z_ZjZKKkVI3-|Km8srMb)viTWYBhh#%4%D<1%bPT<){B-=QdfeJ3OcDN8Cmb{r1V6r zkpa?+f|{BjOYnS%99K*_?vy|GE9enM{~nzo#h!x?w1zr=8iOThIHBGwID_ z*B%40URWe;_uFgYsp>GJNy30gRt9Gl5fR?NPs5wVH8qV@Rk?LyQZg<`)$#@@Y)1W? zvpr)jfL6dLh7VbDDgi|TknMvsbLlQ!^Oi3mX$tR66T*kLK-*_-m;eF-c7HDos1f4P z(R`AO{uDpIEo?*Z3Jc;5AKNVFFXx|B`5gK4DHtFhiVcoQm7$gi#j-95{4dbgoKJA% z)D+4KiZskdr;TSnI=;JsE1$rDg{zW~?j!5^l2xvS#M}jfT?;E#TCG)~xX$kK3b(vz ztx;oM_Y8uIuEn~ZYmr|i*5ur@86Q0{x9Eh_*;Oy_h_pnG=a(EWIE-d{|vkwo`laueJl~HMtpbtBKzb-4A z?Z0+twZL0xc2V;AXI~cc&)iG>WBhAM9dB?U(GBb}oK^5by7_gftinQXW!rl>f{>5` zQz)TF4gNVkFc>WPyanO*Kh1Md5z)r-@@r(fS#ydC>^6PJfe_`_NaMGOqTiTDg6Q8x z{Ya$TzW0|E`B0oIyoxxViP|fHY&oz)Eb%!*y6GN6SlbZ*_JU5?1w2!@Y4>0FfVqI-Fry9vTC@(K-zBF-X z$(;G<>Af>D`=o2-MU86KzhkVVWUlAw?sK@X{rNX;=+vmb_&1l+W3paVwG*;@28_jh z;rwoFxra~PJ-+fkb>MCu_Qfi$t*QR@!8YC5yT6>vA~y+|m!UX37QsA|n}oD_3(xa(emf+W z+RS+{otspN)dh={wmTxlA|E<1DnU`j4K;51KVo-rVv*w&RHURDX%3%*#oE0}H8M{` z=J~C|XI?)tMumGMU+bPVb(EPdt|>Fuojhgf631isxqX=ZYg1-tx!-boFCHUKMYUsP z#jC74HEZS(i6;(`yIq}mFNhlQKKbTv+mBW>25DF@#w1eoLQP+N8Xp(-}V|tq8 z9$8_<@yHWe3xiuGz%qn9oS)-*ez`b*?x0A_kbP61wBIwMi6dPEQF?y7TU%>>{8Gucc7GoQrf+K~Yi0L&1tyzA%nk?Lww?FIOWq&U76H7Ex z7B${Azf-J@qe7v76LOtZ<<&+BT&0kGXpv8j*E0W;kKxh>Uf2leWe&)ZPcgXiUQ2b#uV-qjsSu0U z4}39?e9Z|qXGze-U=s5TDQZf8MQ~}o6v{@*gNJL9CM~ZL$xVV|`8P61YL(@55BKuR zoPN~uhPFDQNQUS;tS3Ku-m9I-4N^nb5>!hO=4T+WP@5I(kYBUoajy(su|E5RxH42> z3?+1%oII|peZTOD2{oLaq2}Upff>sB)cmTp_TIwTbHTvU+uXsEhL130#hk`(ScpY)1k4ob8;WN04IS;B80tp} zHH-}|3i*{rvk#rnPuGVTNGpgq5awketx~)5^b~Aby`hL|lYI{;L>)!J@s{a?AM!-1 zlLXU2ObSAA<_&7ps%^D_h)AiF*9t#SZOEl+(VE3E$;g1n+1kZ|)P+nQWHCMzUJeK3 zFIzYvQF|u2^WIReJ#qE%X(0n&oKsz2MQA*Ze;;b75}DV-`7*c=^Joh$_GZZ)y;MW| z7>pXs_n{{u4re%fLbYY_ih%ls_6>w*mGLu(BkWm+qWeVt3u>Dxqkkn!z6NAgX;oNq znW!Q?UmUav!xL%Cb}xpAG7KJi3>9)Yj$*~v^$lfoL&a7kof`S#>^r#-*J1GT41GgM z*}Y>Q4cod2HI_-;1!NB|K-yY*PLA=vTYM9es?Oy@5hn9jLZ&jrG^IFAb?OaO21DG@ zx(*8&MlcMSgI6;0RjkD8)*eL(>4t`~;+gn{o=2|3t zLKqaJyTq=>fIlOAg(&Ql%ptY=h)Igz>z}2Db%O&vfMyG-K;}_xp`B4A?Q~X1H7oKi zXScT|qFls}x>L)L@`o*$h#q>zCh$_=(sF{{&?mRoU?Jne!kHqS4^SjFk(aVkBIid~ zq*780;J>uWKZ*R1InzzHQ*B>G=Z@C~K_nl*Uq&^LqK5jXhl;^v4S>`2qK=i;VQ(e9 zq5h?9c^Q>?GkCOSD3a=K1cM1&IqFLK*NH2>xS2T<_PMmYgRULeg^QRU3Iz)~IN(cP z`_Fw)FIiu144{S{2nM(cK?1d zSv={DXg+lrr{`W#+KzK67q!(CaSW8JD~lCPZ`-Zn!LRG6PZF*`B&0r_z-AT?WIf2a!dt{bi_Xi0{E&6#wn2p_9;RAapq;*<#e=1Ti@OagA!u8|+ z7bby}J@8pvVtS1~_~LhD;1_cZnYCC$mcyNq7AW87)jdWD)q@)Sr=Zi50Uxwx*agY6sj9<5YyQjQ4ZlK^QIPu{Zp;OQM zo_wcuw^QDKhV|78dtj$yif3MG6RAT^I8#9`mB7K6(-bClAzzhEOUEBoZeoP_Q29c& z)A|EZT$OFP8e1l=XFnz;U|-4^wsN~Kz3P!lZC>@OW5~l#NSAYQ+Altm4iA2O+_S_q zLhwOWVi2_3wkHaYt)Y<~X2ak@h&(U#;wzt@oE*5eTrEDSJ8w6vysEbHHSn=|VAR^a zPILCW(Yz&10o!jucNWgT10iRk+W%Fv{>-JUVqX1Zzf?BzB%s_>bg=Ku(Sd_t)A3r$ zbcSxpduYX{E=_v*YvO&^?Au<>K^I5lc=K#9Wzkl7m)EY@&0p3QelEg>P|wmJy@tI+ zL@-s9DXXGEU(79^+h^reD!I5Ux&~uD9^(EpX+JG`enJ*c=s(T~*@CI5#Nh4MWAG&2 zA{drJ)?r@dqrk;-4W0k^!(UFB)*3O&P>+2yey{3f`xkbFitWeR!^MS}`Tkg?g^g0M8L%>UEUjqa1RwrIjr;`I=$`l)uM$f2_ z7m|L_@ikMcL?y|@r6JCw&|Zj+dO6T(_r@9<&d)XLoJ2i!_-~JgFXVZG49yiO#~fXO zfYO)j`h0`Ll!}gSP5P;!(O(M-neP*rq};{5Q)+51ruLvk0Q%TBz~k{5?&0bE#Y^<1 zNow*tEzwLymuuLUmMzU%u622NbXsnIRVzVT9)z2TJX#|Z32FulL^+FqUp^pY_&E5G zUzwmtn&=r(-cU>%J>!fIbN&oAR`9`h31YlF1K*Yx)QPKGTRYvB0lnXyFK4};2n{Bs zXG1xC-rLvkeLVb3ql;=`e}U1R?H#PFEOkW$N>n*_+d))Tcw@bK8RwB)d+?H3lOzhKxkwI zKOm>c4F)6KG)v;~7W@tZpRyjvbK=`&j6>O_J{2`I>=t($=qlw%?rX_b-Id|5%q{w| zHB(i4bK1yM_bN=m)89`)_haEV>$adOYU)>KhJzv^i-(`zX-2ExzBv@|fm?!8iS=i> ziP-u^c*b;ZrI`k!$lb3qy-BQ5jWt}=Mtx-)AJ(CIO7Yh{J-uyfj6EH+a>w7qXw_F$ zXNq`YQ=umJyCZdOy!@B%q_$yQfH9^oM-H2tD^Sv{Hev9ndTB=x3{A6#VEH%)ZljDC z$D=JpVqE~wGWlalCw2=K84o)L#(_xWi{O>mZqRTFT^ePiPNbv%H9s`DkLhlio-!Fb z^26=+wQN?c|1q+c{T!oMQm$Vz7q}AXkZp7@*{)WJQm!Z~OX^MfD3*|IzCF6g8_#m= zH~xzIO(3bt?$^R&;e7VH)r7SvEVAC6y+3|eTF$#VZ=v5STl(#-cYRDIO8NDr$t?J4 zm8np{Z_^$iw>4ba16ZzhM?8;YcYj(Zse12s6qZgT?%+oLJ$VRU+BDfhEpOfX zPHkcgo4122gQzH}HWoKa3`zwpRFsv!gX{n^yW4rja^bP+WIf2Ry74|X*4&{XaQHP1 zq;*d0EVVAt!iizV_fPUHr@(+sS@!OHp`A1&0|T;fV{U zlM}2{j{!jfzy+pKQtnETMtql%*F%DM{n0 z%J37PzV3+@1VVQ=zG)i?$r*GYCvGyXE!16Yty@NKlo8`--7e;{%{1- z;7tIP?zD9}@JZ62Ud1d-jRINKxw({}C)Gw+STBv!Ru#`iFt3_H*d4k=wlD5*P!LSK znb?bLig$R*%gX?=bJ!P|tFXK|S#kA`bc5>1MC}GM0io;04whHwBr8v3Kz%k zeFEr{_HiDjZ^f#``cIXh=Z4_mimiBuVu{~qxYV5DhFMNae9#c^>&yA1IX+JMCxL60u zpqXje(|hUD+*tQ>WIYFhX6m1nRF*QG-%mY#z~CdTM=faDwz6k;w|`9E#bvX2QHfh4 zEj>FSA@luEN|4avuKhezkXIzg(Q-QL#pdafr(odK0gczQ(Yayw%ded+7yF^5r2&I1 zhZch)$>ZZ{$>ndOI-iL}_FHYCnraG*R}W7pBTm2dqim+WkDVQE-02(4r=cM3LL87m zq0mhfJU@OWjZx}%$4)*(s5Yk=Ah9DN9*T*LN{NeeadKK918+o}*5ht6VGiO~nR;ze zBxprcES0CBrB-vgY3dIfuw?{`ATXL#aVOme+WLx~P5I?|f&S-(88pfsAOa}=@P>Yj z&&bY9d;gYME1@9iTXiG+;h*%l<-fA75U?F$_3mn%Rm6&mh)AZfxRe$_zO|@+v57tO z{gbkCU*JO0pcMY;46B!h^KNkE3(=?6eVN9T9($_I7k;I>#a~+(uhX4KwLj@=cAd-4 znsF*ACBU=U8TqX$4{-k@A-lwhkraiGgbM~-UH;zG8N2>J(1--pMEpYHt zSJ@y^(m1OH9flVt#uabVc23BokCm9MP zvknxXVkKZ@++fUqW%FY8yh(u#Dk2i#)k%5M+4va#_*84ENwLcV8f9^~a+KAgr-SGD z@}#|&`OKqz1r+^=;}yy3yDYMz#{zmMguI=XhK`!aP)T}Qc@QOeowQ5l&-+L6mD8Oe zIp4M$$rVn69YzaO3x9buLgY%urd!?u;CLr7%TqhM#|9?;m-{?-oZolaYo&>`&&+(v z&zAwGEeKyyL&{9AhAx|s#Y--RzDGsqg-EiEz1_o|-NUC&PK*-%eZz|QE}I*D{rnZ? zjrW3wDaZr`3l(nMpbNtEt!{t&R@V3Cm2^M6V{(VGP?ra8tg7wkC~sl$D1F&qrBFXx z#_wx;Z${^6rsRhYk=<_?A0{l7uTPBVCa!K06A@Zh8J#pX(hTGjQY@FdJmb>L{WEk!z^5%ISxq?fP%Bk_BK1R-Ze>?;~6Qp&zhGji)EUA z`nzmZ^Xl|9oR5;J;o)w;mjo(cK<)`zY01OSGd%M+e1MUIQ?cuY+?sJz*ZBbb zb09}XV@qAxu_1gYv+ar4=!7NGUjix>@M~!j_?4!LgOi7@?l1EfY#PCn8bQ)nt+TTL z&G$G?a{wUbl}MT2s!Dl_I3#6OyzGKjm=~tZNQuA6p|F8CEBEw^Wc{734dodjq+Xbd+L1DIg&5*Z{Lh%lFjb4=jP^^MfjNu z?tTU5DLmu4ovU~2PqtuAk-+}pSE*bb^Yk)4vlynC-1W#X&R#>zB*K_2 zr9I0eG(R5XY!9KWpHK1J#4}eH9ZvmERqRG;H{P$SOnjOB(vHJUnk6BJEg|XDCp4ei za&)eOy}HHpbBoGt*d1d^2R~$hud*b?2nB@*B|!+4r@^dxqlBdY z8`Z*TZ?BavJbTqK9`998GJB488Zx;JWTqxZo{RimK3-U?XPi}dNQjHQH+EEh8E`f4 z(b#9y+{L;EgE)?{2&anJK|mN0vhZE3D{gB$9+X0;bEWhwJ=au1w-CCUAp@UYe&rN# z81(ku%GRE0|Ka>Ktj9qs`*`oj5-_!>`7P!7Ek8RFB=$_!y0=H$D7CZS3cNT6@aXAe zQYa|y0FoQz=XS%(HZ}}~nLCcTxU}^5-pMjGHN*|mR}2hibZO}#z~`|+a!OKC2QiDh zOmhFigHB?>ZxbgAqdh&*2!XN7Y#pPwN+h~~;y_5>0$GW=bXM?h{U))^|XZ;2S1Rg)8a?s3r+e>wJ zv?1wviVIQCx*ytU?Q(pPqIh-`OD|%945hniWF;josdp82>ju07hz_hNv*j&FGrKNY zwpb!P{KhjSZoT7#ykVBQ&nk3`Zo@GZyX>*A!NCb#<+CjLM9|02)uqYbH#on2CYVI^ zdyj@c&mgtMQ3X)mDrJL$*Skck3Ty@|m>?mpr$0|lPXJz53<{-Q`hD$Mq%M*9?5zDj zcEH8jZ`t6p#=N{217EH|!sb*UkY_F~e|UI(mJO*rwg5vIuZVvX9v0F0hIUGkMQE%I zU_jN>G%hwLSVVs4t?-*!J3D`3KnZ!gfLwG4J0leD(h@_+Uq3JtAcH(G7_ZWE$dnE6 z-|Hgb<8t18U%bz$WaoFn(sCL2`&T&64~OB54;J*HJ#HR81o3ZXkwG4JL`k0NxS2*&VYfEZDDcQjt#wPTxh+N$?u9Q94PX|cV&?kWU*Y! ziH{dN`1pgxM~_7dLMvtUHK~^ddT|hGqS2+9QBgm2d~BMRcS9|?lK48Ywa=K=jqA8X z)PlXrYA2iBEF*e))B+ZFZbmzmlqe{$-wR&;@`V6zcy8RjR*iTpM`+Y?qSB06>cuT@ zDhB!+!;?c`O$GIX#FLn0;EClKV$71C1^J|PZ`Y1q?jLOPbKa3e)aX?&OytB6?$YoZ zQ_BQ)R4~oNGfCd_=rd}PHHsx60XXJ$mKV=v!&LO)GC5?$S0*Y^cq1yz@W9V?u$UV&ql&M_es|;gv*O=*H^(kJ@<0OXm8vY z(>C;td;~>w*?A4deh4Bub!m!m?w95nlF@o?Kk%NjCb`O}OxEWdakZ5Fxiw1XolOZt zN#qIcT{?B_DApEo1~tG;53*v;=O%6)Mp}-r{FM?Cw=I~u*`AfD9pD% zuaxd>{yc`%-wVFA1L>}0@VP=*L9>T$oK^x%oy*+uCj|i@5Z#mRz21Lq8A8rT@4w!4 zfH;*b*7x81&Pha+2gnrR+UVuw7rT=>(MGe{mi58&*_x=FVPYmJkD{{L2WNurN&!fP z3iQT%(3Jv+@4kJn0DL89XNENu-rimlQsf9vBNjBA3op-~|qGGg+~qG}qq~ayG9j-r~5&$IH$HslNN8xYQSNorFZ|O*}6@4*=YP%-^iVKfHT!EejXT zZ*)BzhGG5`#{yU^u?Gh$1DS+G@f&$$scTO_Vs_#uQLXv(k-v$BCN-1G@J2$_UTAh} zE;&N6+S~ap4&d79n!C6-tEoA8e5i>bf;>Mv7K4h;A>7Mr^mHu@{1tgaaS*)mcPlLr zqr<}%#yZ(KDeFtWupy+Rq~YNwz^}@|U_LDdKq8d{pxD}PA5&IllAbPhe(I@YdS?DZ z<(0ypf5pLo2BE)QBsKK(*CGK#C7J+0-vNgJuwn)V2K+P1E6UFI>MeVFzjwvu9Dk$K z(nwg(mk+Cty*R z<0K;YueuIO0XXCL??Qmu2GPf#H%A(%PP7FX7#NUApMNWp*t?F`uD{arO__|C5F?p} zYiC~&4an361``z)$-GNcNxyqk2tdF!pKnX}p{JKlkBnJdyAb9aTN^Ft*e<$#XY=-7 z6h~4__Mh@6YN!})1)67$um#MT-_iz~%BP0rD$MBb#dq>LcZ-4U?s)%He_x+^D~*{} z^V-U)7WV4zHFIr~N$>KCH16Nura}X>FjW-BGKjTkKd|f(bEzmi&>oFeKVT z1}YeK8i^%mqG=Mkj+o*9!j9%nD2kc%WJM`&c1vk z#p5%*s3l`)Y3ciWB)ocrVuQ^ea2((@|-C!rzK%dcRfrQDBhk-LoK9kqgrJv8u zkIa5?Sn<(2athvae)jC=-Ze7;LtCDb(mcHY<$Sv(dItJj=VvvwHHm`c_f$E&;iBzI zvEP-|Vx!_JD#{98;I=`T@XVP9y9Z@u1qGiNu?k%W6*_#SmFe_50ZQHHUoZ>%UR*6Z zFYLA^Cnx1{?yaq_J$okFf}}ru$t;=b<4{ywd~mRrf91S(&N^`+v40Bh^%oWQI(=-T zcqF033V}!k1Z+O2kwg`UwBrLPy)MlHARU3-_KLlO@b!q4`mLS(NUYq?tg>vE{F=S<@ECch)F8T>5`y0Iv`Jh>O|Tn&gP|IH*1O=T zH`r+eEDqbDmQzzR_>o}<$Ii#jrKM6GOh7`Qx%tI4KR-~vq8ZE)8RLvt)1svhSvM5y z*37bJt95)Fj8u%AuLSjUs$4A8Ay|!n4MLy6-el@6Fm^cn!CK^IsC&pr_jh-0%h#5mkESCStO!UR6xs9GgTY)%U`2GGw=nJbop$^utsIJE z(@)nQv1!8e=hVXEt=Gv)kGi#!7J$Zus_rka02Q?~fPG-^_o1}DZ(ReLtU?pn^-1l^ z${ZBo3T))pO-$0U~Jdjwe{|}9CC76eM?i%rPdc~N@RgQ z@Ogy9Z$dINv*gz6$EVXvl9%mY=AL=zvyv+p>gv(N@|X7~f51>ieH$qO5t|V6xx-)hf_Wc z`t@9zIlfmUHL$g#{wAvB##)8eZGuzIKiKwu*6Srgkq!AW+`PSQ!)(HHOD7z%P;OSC zAywP7w0C$AKo^|yQ8KFnmzLY&^m8)ON~VMlzg+i0ky$XiKn=7YHDhF&U<7T&G}O5 z69S3g2$h0-vGkXsqw8ZG?#c-p==V$1D-UrW;y%ZlRgL*^hfop?nk)d+;|5hiKXc&&VP#A2H9yThcf3rRd|i6O_|2Qz`S4+FOh3E33ar(mg_6z~O)$mzqN( zVvQTwe+{A~xOG4#+x0|2YEp$~K3j}ZJ|F7i1w(rR_lq6O%uw&|*r~X) zWpvu#O+6MK)-%!FSjNczo&<>hulXN{cK3k9JLacHN0dV}Q2GEgMALd@0y~y-!KXk_lP^yX2?E zJfmOHsW$-aos;$rV3$Qi;4!BV9jVjNw8uMCE)mjUb!_XTbKC{{#bW(wfRWbKUD^bU zatD0K@-lV&{hfQFZ#kgQ?*4um>07UxH8HL!=!qPmdqOD!nOYi}qXY1J2mJ+kd3iN@ zcdhqn*D`uKda5E!*SG3#3MH@Kpc0u?xQz|riut{;YHVtbQe5fjQzj!M++m?kO-jRp zkdTnzLPX8t+Me(kH{a#p`_dit=!iv6)kER@n~qJ`Egg$FCX1y`<#G}m02KfQe$Y`q zh>gt}8MtvHUm3#H#t5~xhUt(JXg@Z!QL6{XnNyRSXF<5T52^|<0Pz2@Kh=}U=n^LNPd4MA_S%Vyyg zIalDbwqt)){!@?hm|Kg={Z@e{@Upu{J|r6YOvwR1z8y|sJQ7X4^K@tNLzgije+^Mh zbcK=Dk;@TBxgvm@`GejAXzBmKGpvpO9C}?c+f!3?PmJ2gxN%~%U=e5zHuCYyFfb4S zcM*K2e7HIHr!-5Uj2AjJJ>s$S^FHL8vKFPWvF!fjq6g57vt^PBe0z%JaunwRR=K!1 zI#M}(0|O3DE=X&*r$Y*#C7lqTHd_j3S9j#2{oPGAeo?#251oQv_P=AYW{N8X>tSXY zEp96I_VlzF_h47qC_RV1Ky+32<2y+Td3<-iwG^AqnGF^vc5h|0Y*%sTaMBKe=Q#d} z^{0U+?T>E#5+0+k%BiBD>S1l}QtqSrbs_W&6bTTXXUUXGaebDxMz^SmaH(koGYcs# zZ*2A zOYIoKJvd&3z8Xgs*k~Bj(JACPqHxFnoFiP}#c79d2|8jyCFFFvHlVxCkB9~&iaplC zYB4c_sTGkQ3`#Y;KNo~Gh#plM@;rV#Dphj|dh_as8?*O=7k;HKu%{B++duM$w{4VPTqIi;vC0mP ze0SQ!SqJ1WGv<2mnTMw;ascp0?~tcL#l*C!iXq=nQuY0&4bS@;-0khpXJ<13CzCl_ zb1R+)0?g>1*u9%KmyhhmKg}>;g_a_P9d?6$bUAB&?n#TDpb&7CYVaHGvt$3NRAbcl ztNO!_6fFw5x48nvx5a2ud2f19})hhHX!2$K9OsI!suLUW$(J2P{+IB7PK}!vR3woT061%KW~&c*1Z!fada>>h6$(A|reeab3R2dGjxt?D|gv^orpT4)AqA1o{jri!wr!0KDgCf-mC&Bec(Ja z*GtL}*3<0?n{QIlY|V14t2-JFLbO1&!oO>Xt=qOr{F$bMgJrW<1z-VY z9<%@c4w1v)5S0b29eSa;#Ww9g`_xr58lKokMHpT}hJ&l_EA(}C_Dg<#Q_D)E{9T$< zHA&93`@VTV9R39;?T#v!=Dz)$y3h`FJx|OwiR!mLYI2>wmQ}D4?_fD_!pAl9IfDQf zyUGZ=>EeTUs=#o!tkrWax)Q%fvB4t3i^cEnY$7_l{9ira&T+4LPzIeX+scaU7SX$N z6DKM!gQ$-sa3gv?__At?dt|0O@(r>P8$ywiB~*m8vVLTQT4O+XbH17NkT5IME!O8j zrW}2m3zL{vn4KC<0#G{QkWSmXbkBg4W7B9O>vOYg@TJ>S9}kE04+x1~cIr82pTd3| zW$E@j0jufwG_5TvHv6z`^wM$ehmMp3q;*V3>TFWw=ONvPgmi=q-?M8LZ23|q&nI8k z)^0v$EEv&jLgO7kd(ib*Y3feLBrjU$85+zilpT#ctg-hkw!g58_SEFV%o381b^{>p6$n X8Qt|rJ5}%3NqR^?pV`tb9 z!uq1(wE!g-0}FY##_+(G8NXPD{uLr3rN>Scp5TO&=Xn6zp!Ukfiy~FQS5Yu*BG6C> z)h$lwDKrPfQ+fM!@0SfbEy`sboNKc>n8r8aOD?F{`*q?;V)CPnbze~G#gg{M=xTn~o5#gt zaM7_(T8!QCD@;c_9kNzvmUsdo+H8wC?s%3aDQx|w{WmjWpUk35UY25SC(vys?M+uTV10Ow7qFmKb6LGX``je~8$wfJ_Xi@zS(^4ReiYJUPnQBJ1}a+I=I zj2KnTP_eMQWsjnvxw-}b+XKY#yJcR1)VX6*R)_ zfvbX)B>*#9IP22(ObD6HwY$i!!5mq5+h=33m?N>qQ4Ili#pM#a-Kz?goQx(_wJHgO zg`4f|4USJ9x@C~=xHvuID=P0lKii@czkBU(Bfm;Ru%gdY2b z4roA{0!b+A{Q=+~CaS}*3APfcMaVqS&$dGVZ|D3j1lHUow+?e$f&D>79xm0Hw0)4e z---osg5Tx5_Ji*~q}G?w^o$oJ$h-`wa0r5-YhB|U`X@1DR`M;64bB6Y%0QAIE~m7I zX1W?b>Qf5(nV^kR|}CoCnxiIbhj16-fDgeP5jG{V#lIN{33}!jlMw z2bKUkKM!!zFigZMg2Aij-Ia7`=u4J+|KWyS@tszi)N72;p!AWv6yRJ=Lua@OptsEB z^-Mr=*;!3o*tOIlLp4giv8#}*VjWTUu!=e^1^N1DjF?J1XP$Emxp^A>kPI&&`exCP z>yKfqO)7BI?+mcG`nIw3AP$)fe`(g@@ZVeIKRB(LtO+md;0Hbwsedb z)}O<3{-W>#5zs?=M#)9JKb=+D(uO>9-~6-j2LR%D1%`k8CmIg841ZG5VkDNLjxSDa zT=YUF4^9zMUZDlNA}}iRdJcQH{}6g#1#pIjevcmF&?N`(3WSJgE-({h7j70ZZ)_Y{ zm>q)Vu~dZmD%MDaX<{N^8AH8`=l1^8evw|NRho zNF#7}z-`Ixo+Y^eP@=~+*q6YXnt(ebbmxf>eAfm%f;qs>=s_?%a&kj2yVC-MQ2_9F z$4J}1&awFWLZ~MHG9(son_Pfd{q_=k2Oq#3(UyOZP5*CmeZ&H;2SbtQN(tfo+d|fe zNjK>k|3K$T+k|g|3d876)~J_&C33X@oZ*KwPXVkv_CBZtM*v;}dd2+-2~ZXM`$gOa zZQcIbzr;nb?!z>|?awTI+igimHKt#J*9p@EkgGxr9`Qr)Jd#`yo*#*GK`G)7>J*?d z0XX=dDGB?@T;7(Kf*j5&2G$t5Q4WkF1-TOsp22$!wr>!s2(<(zFVuiwuyqA+)kKiF zwV;^xg@DPPf*>4 z=mn8UsL{V>woT@7=s#p9EWqLUnNxur4k#yK_hXby%>Bc5LW5BPv>vMhyhs>xq&%Q& zg#1DBx?TUjX2#YKBO?I}2rCgqaW4kFVTPsXAzD&k!_Bp&{2@U-2jIR-7KmD zEGifvfknk1==flh5v^&e7-v`k77@Vl?Sr=mD*&D&6J_*nb+JNX$4LyWFJ%!DDTgNRJ)4&{pNnN zf$k3eYD!L}#~wjyWL7b>yhL|^9*5zYDTyJi3%l7b>vhhb#-5W?E(uG?aRteTVaue_ zKYeYvt=`q-7kJtfV0=_PnT;p9`YNrNUyC3U`ZpJJ>>0h^R4#kDi)JV$NTO6Yv^yid zwM*YzU?x<N>2|kw>Z6$Wv?cX&-gS3FJS5MI-2;0Gsr)xUo~pmHs{<6R z@gl9V73Ozo?oZyko;7cwUayH}Iv(=#M|&6OqX6+MSCobDEr(IW zj84EU*96tx&gq)MRD4rY;+mV!WBO+Kmq@aHeW;5A=ff@GJ^rLC72p0@V?`BRhxAZE zcybc&a>+SAQ+D-ZoUTNDF88z0b6Gr-TeEja{XT()9W9E_YS1w@zm)g(7Ok$xjqv$0 zFx>M{AVor=5q?h;6yEv!HAn{r^g}{fuY)$!tJ!Bw_z%0@{MzXU#}RN?M>pl`JyCWH zFjaF_6Y;JLjfqjn10}-+H$RWG+NSc0ud6mdEqbK(>v<+P5FiN_hZor!LnjR6A~`W# zRB)5cg-r%gYxVPkUZAs2rA|N^`^9h5!#9sU48zH8b1PW@Q5i{9VTQD${n_ApxPLU~ zAKj0+pNNZh{Pk-iIMYe1W!v7#pBfOrA3X`#N`D;Vpc()B^VI01{+-r^mBlH~!MxhK zx~KT!%t4O*B3jbQR}*7XJd$^aA-hDcS^RbjyFS{3Nxy~HYAVlMief@@3It-@oQWXc zo>9ssyq#g4;IJ`qH|m8OthXgsOA@=yYVaBNS$??4FXyY3>fw-5gNSPzUp;yh{k;Ra zxZ`sR5d_!aZe_C-Zi(NfvvF1tbQfFHbpMPUV*cCP)gk#O4N@v*NWJM~YFRrTGwTxY z?rw)hqg%nVEs{BgnXo&eR=1ehR=k2(8Z(P23EgXSV1XZ}dYjKiTH7tWE#JK1=sEHs zsyF+!ZpkV<#!?BhlvXWi5(1Y9B)@AuVv zRj&%Dp=RdH*?afy-MyxJE#CqFZ;;HU3DGXn1|F2vy#w*{^W(mvqZh~qzI0j|&rC{Y z{{|6kZq&F@6k=q@>hB&VR}Ft>d3qd{ZG*%^@?SgeUdmTH%Cr)GqXe2QWxRZHF3$vI0$QkTKAJpLxhDcz zJmxrwf648o?0YRdcM`@kwEE1X#CH>yl6d*ut0z9l#sbPN$&tMa!;~4zWC!*@+4<-2 zPr#akr)Fogb&(On4HoD4c!7fYCP0b-!14Z4UgW5=Ei4+K!GDreN~q%nu@FYb0hH)( z@KL4Tzb7qGwt20{W!58r_HX_NPZ- zClXZ7oZ7z|b6Z=hhg`$|lp1A-(fR{@nPTEEU;)Ob(<*Ms>|Q_xy!$Z#6x_dAuHSTP zZG=a)C}jM%G8p%5LjDN{JDZUI(f9F|AFp

TB@^QJ$k0^?g^^1a$h;>V$d{pHSip z@~uAl`LLVt_m6i{frLet-k0fJj@-1bC$!gmsV35FPelkeDibxGbP6wwA}32 z1O=xDgZl?}DiX;+wmK}>+B4}3Q_@084p`)%1;U|dRZ^n-fWk)+| zD~{H&!9JA^gy4DAnF9M#)hP>;xs3IceuFMy-tpK8!JQ~e=Rn@q13GVo40bH@kb@Oy z&vl7BTN?~*Z|BZJ(v+e~(IEkb-f(eTCoVO__T`Nm=kxt|J{GLFRuJ@$q8)cJ-?zwysZNl-*{3w;}^t5R3PNEwYve3yy{5`L?7-Y*cMJ=)Rm>i&*C zV*fuetn8t)-lsW(-Z?Ept=Cg!3SJ`(_IE3Ehi~I39H>C9l(&2zC>-LG|0U|@#PS-m zw*;Ch^#x$fI}D=EnFVr3g<^+ho!6(h^Iv8hzwUN4P#x=elxq9IPXpoSUYyYXmD(eZ z1NmBY7SI&f3`DIk9!-4{)tSn*)64IOzO-STmEN91@+#Uz-!Z-F;((&;t2*?i)}ri{ z@%g%@qRy4^x6IsS5hL!66bbSS1p04Dz5s3vl6H~zeiN=?}o3m z3VT+id&y)@r4?l*C1~gvKp$Z*K2Gy4JcThSMf+3J_FPm=Te+C8CC}4`=b7UN(T98H z;x?y#s0TA7Mp_a?LPZIP_Yt5oQmwQ|83%;r<;inJZQhUE9)dSx%f$i~7z8`2JQ}S1 zCpW^=G`Z~S?(=3>+9C9D_pnq9U5L|j((pE@BXZAGc)|Op0%Tb%TP#b{wZ0q)6sHZQ zDsf%{Gf8{gnZM3~r%1{;*PV=sb?y%thK>y;+fx@h{w-e$IZ0Ec(<-tyRrvjxowCes z=T4LJC6 zh05=*a4#rzc@XsCn9mxIc1UsEL2K3KU)mr2k+D~K_e_!Hf&kdE1Z++^pRuWbX{@Lu zNvV*iGFzNpu8R^NoMyoJs-aBey}h22B#EPM|!QCNke) zI(F7xQj|)DgE)L~hJxemTNnBNLO(P9Z`-Dq{|bJ7(FF4Rd7U**vK)92VICu%Tgz%C zjc-(27=BD|bR?C4*NiXTKPtZo9v= z5e>kIYHztW=NIkDS==ws@6W%!{hedw-lWW#qG+`Uq5PFHymdag%ckk_k7(6_8c$FmEathnqkC`^h)*(Cw6v~=Nyrl#hy}P>b1eI7^ ze`E!Z_0wZ}8#rmCDl%#nMGFd!O?$mKsknS2h~Z6YYDH=@eN}qqYWB8}dU3$XO0VSh zWPQNO@4QKySwM4Ip4bvDxH}2cbJ3QW)P?>i`b*(v+QQzp((+NG@(A`7%ql6mu8%22 z!E%*A+oaf`N%~3_55sKSwgG`hh`ednTT`6C5#7{7l6SShP?G|1t4B zT%35yNoM^Sd=~JU>(!$ZNBYNRho_GMwt|U9XmT4~f?F%()(bkqryOAtQ)_!|C!gOt zOX`w;%I0HhQe@Qidhf-g}Ny*!vNbdp8 z;we39GSZB10G-*ek&%crol;aI0th%ILGoW(IGtSpkx+99z-fiwHHpCVj8&3S;!X9o zPD39ZHOsCq&py-$09>F8hXdQytw&$hPFbQ5hi`xTMYfbMNwes(C@K!mJ0_<@0R1zD zUMj{Wf!WGTVE=)KEPtixA3R$}xul;~S7^)M@GT%M>uXNdAggon@i4p**2dposk=eV z;PgJYWIW(9g*Zc3q_)t*A?UBE?u3Sq97xS9AZp}sOoz-ZZ7J<#!pK!iD)@wLGjs3R z6E;HH9Hs^cvTg7HqRBOH(>Ut}g;zl_L>9 zByW@MUIq$>yfpqC%>G>Hs<&oWF~su0HtAvyYS#3kPPhxw zZH7lPCf?RgA2dVbO%+N^nSGG_=7Y6xywq#@?n?)7Gq$%Opdk%tgfWIAi3Y-HOLzCp z&~gY!aGRFa)&Qz!gS~b6&6;_dKs6!1V9S;@31yaKKEo0^R!lUBX!M9hLqi=A@s0q$ zAVTo(7zaN?hYxK#5gCbHp#V`ZMtHK56NkuAk|d{EtCz?d2LGPDGjVZ44<+}d*iqH0 z6??*ME7kH7VeZE>oX$2LQ5pO-7FJf%D#uRlc(H-q^zm)G4Lr>iU)aS$^Sw#K=JB?u z%jjj*Z#nfBk;$Z?kP`_9UCz(txtUK9ag)RQ1FPL?r zYI%a@h85;?qHir#w8pSgVU7;-b?3>N6r8>{o7|-IW#JW&Sha-WDdJc8!I;Eo(#9Si zjAo)OP=EY+lfAQOkgbOfvR3Y6mpcSuh{ktDI@q^NPvvJYhdKuxC!VN>w%4$g2Nwl! z@d5)NsF@&b?XxbDL$VG0(v;Ax!$P_+Pm%I2R*ud>syV2AkR1kP68tvg=a%^+E$KE@ zf1?3nFje;sj;2SY%Khh#i`ILAl0q!znDCJ4H2~`iiYIpqRFb&U9fcO7aUvTuo z0*wc*G?|>&a~V^m4Gk3Is#08CEw!TY_x$Ck&HE$$t`{sQKN}p1=m*=Xc7_=nS8p*5 zxAj(iOXsi3Fm?aN4~=qh_WjAP>VcQi*ptY(SUp|0u#(bp)b@=A?kfv}Z~x;n$#)5Q zxRY|oph%WY)_e+r*_)5My?c@YQ5+@mw2o&LHz?PJ|KgH9ji z67BOHJG{ffO9Q}W#;ceEqu%r@VPUJ-hO`~##>PGmb$V!nMP~^`XRh1e2@g(nH9Pi`ZS$$hTuu|d@P0Q32G z!Ky#w0;J{VGPwLJA{yf9GWga-5y$mnfl(Na7MsAzYQ47fzWG4x_WWf-Oj=_KDk5ZZ zpY?LP0ShQA@TS=wPA5NrUNf5xj%c_sC9FHV%=MT)A2(FGP%ERK^I~W4ch#*5dO@tL zyp~fa1RKEy3A@&6)Yt3zJM)?&9#(1YQSzN7)t8Tt6T^bsrFWAn%&*aN#0Ijs%PrKL z&7mtsC71JdyCgo!afO9s8;;ZA2*Tqk!m+8}i$h$3M-Umz{mt&+T=1}E)ebhkGK zHVRXN0-tW?{5O z>RO8CSIxnGkBXS>$8=r1Z*{M=s`+%WTgt}jSH0|)GcqYMvNbqwtExEm>LNTycjGKn zXs9&IG* z-N@iOjS1utVy}H33|J^kHWa1b07_nTvu=F8OjBQp(!YGm#z3Igq$24UNxdwN!%(~y z`A+n$2%jjSh*XjGP{qq2Y@8?QeA}Yvqu~b;vF5W3*vpul*j+jmcCy$<@w?NA%&53z zKym53d2CE)_i+UlNJSSN|8jp4Uxf|ky_3wBVU3Xmw|4#|_G5zb2{)*IRr+0=6cP0G zCF{i1U};6chW#-cuZOAI%3>Y7Q2cv5 zmId~D+W&W3a@XT`m9F$Q$p~iuN~-rc^`ju`hKC5#S_<1Q^OmT#0||Z3 zJJ{g<6EG*14Z+%NS^rPo@b%!{7+q;Wr6tPIX}5LLCnF+4%A-Ow>EGm7*k{`?R%Hl! zJh7vES5+JgIrnrqa?;^+;fo?m*?Z|QTnSUxb8-=n7ha01<;c-f!V!B#9MQ$n>$IE; zS0W2REE-f<#;?6jZ+OnI+iF%xqi%i#-(DZzI*T(w$sKo~YMhP!B^nh!T5kZ zuID3cD^2AqUmV=1Pt+fogthNcK1aySyp_*kIdFM7SL5+9Ki+#0e!<9~^1!brkc@u3 zNG@J2H}1!J)WW^{%uM2IHy-(PEv~^v^!#vrFGrX3`Gdx*G^eOm>OUzp7&LB1NY5Rpw zY$3$wJ2`#v6lw!4lrm$we_`o6C5T2qfc_aGDXtR;&AScrVjq@Kqsg(L$+^-3SS(!P z_Hl17E?hqbw@XwX%r+1P{X*X8LKxozwPQXq;?6SVkjK?VxsqEP%VVEz5Vz{7)xtaE zs(p;hZDo`=rDGlcfmA6S%F8w!(_6VNuQKs25d(kK`nMeiZXPoEDpT-W8Wja9tG8L~_BJxbW5OW2Dsy<>yG!utF&{iTb(dmLxAHbVV3Z`vQzTOgjU$03~wL3cMW zb82UZ$#{B1>8LQR7IR8#1HT&UFTz((i*<~n;$L6mrz@9fd$J@(okp)XUVZQh1~<@lx5^pEt>4l5_7XXhh)cj#CbjBO4JqlJh$noT?MZ#h2LvTEIj zEPNHR{pbXthmuz{BJ>>c@*T8v&N^G}wMdj6wsczWw!qm1fa}vxP(o?aQ(PV=8zx0+ zD+|-JOj)?NwuPm&MEkAlfcDT>hnIfupv&2y=V|VW+)T&u6 zxQS^VrA$G(d%04R0ocJ$XC{W6%g#0lkw7$g`?BF%JJAR&0a~ubYL`c=-_#s$j+{=N zUSpOv4?OGdWUYR^{)0LiC{lX-ZsCJwT$ldD$$f2K)7% zshPj*JweKO+oS{6T&A6=Nvl?HjIs!xFNdw8=@{s4mkWNH-iZpjb@Ykw=L}B;;uis~ z%83Tlik#vyI5M)1Sup~%ta5535P%d#Co27YX}7Rk4e{+6Ha05d`)6!EUsB<(FgDDt zZ7h7AwIP4`SkMTBVtLd>rh#(g=g6zPtFd}47C@9?LcOB28hbm2^dl#fX5i^hj;Qdw zI@{LxPk0p*sv9m^?B2txfR_j^=@&-_yB;k6U;K?h-a1x#n9mc#757heN+f@It{Pro zYB}SvR=@Wz+OHmDYe*klx#{Sl{NcKv@Oxf7e_z}NLT%BhJriv;kxAEEj~u2YNH=QpHsT-qdbot;#E_vW{WMc2je$;>i6br)cB;b82zByMC?s zs=vEWm>;i>oc*6Mqst4*$(MXmj>EA{)MZA3CyL)+viKONgqx@+Bi)XZl2yInVCi$E zB~L3;f>>)HUGxc2O6HLXgxclep3d3B2OM2Xw5ynO_&`**;lkIwe;~oO1S#vUT}aePC!cA!WrOzeJ||P=Yhbg;RW-wlILa`|RhrA1eS| z>vV{8Qvb>v&8nVwMOIWtemEO5SV%ons+(vXG&l8-Y|!6X5}0^^bU35j$;O5nx@5|4 zT#hY#ahnqO;9+`yJodC~8dz3a`{QM=n;GkM(mM6uzW#!y&%M?5-k+v>h3Xq*vO21` zHwr+Ywg9QQZfq=G-lT`?ldXkIa_%GY3j%JG)Af8~T& z4i@(>F-1ejFSdaKY*@ZI@*_c!bdmk&(;7OD-zUQ&)}H&RX`pwchYjs!PuIkyLDxn` z@=6S-Py033g_@g3X8h;V2J7+YoSbpFylc0n@dD4=v${=tpT$5yj~{%70I>{q!$C_Y zd4eQ{IZZ08P7)^qS#ULTIEoxHlzhEjjyi^a>u4x`r`S~xOJD1VVU5HXZS2BMas}_b z>)dB{+Mutnmi4zih+zUP7LnQ$~NJ5H`kX+<#Po<~uwDdqWK7&3BQ3 z3^{$lJ1o|rKbd4r9A}H_!n%h=f&uUO$@C?wpIU_Wn_@2B;BRc|hYPW%)g`G;v(stt zY7}%UgPXYVvn1z3e9+Tk^8y>^zS(MKhUr5$mrNGqNfr#m0Nrv~ex|hP%$+5+Pe#q8}r=NvlnMFE$+Q5TH*8 z5^|swufMZbM4B^=(vD=xp$DR(Y1K$s7QtXs?N=**X_K097U*D#qmS7`k6~ z-GouM^YBoV+}tg{1U}y;ApC^HKIhdv>r- zz+G#}zt~@coXAR^#oaHC-9U_So3ciT_oggUl#m@c?SwZ7*54k$&<8tNs-HDsf*glOZ z%bFbc*}{^uN%jaUsZ@n9vj=KdNzxX0G|2HM3v=vgvqzFgB%J{@(6bvCHSl_8uWZ`2 z?3;*vIL*62PSUdd`n#^sv*7?OsCp?6wper3)>%NS1CKuV(^7*GCGm4#L((`moD_ms zv$-Cv*xATWLYrHh*FD*BiZ2Vk=(rhIV}ljmF`{>66ft3uBmnn(6K$a9@1W$s`-&+& zdLn13PTY)X1hsU~nQ!cOrD2`!p4AofMvGZ8S;j3C`kkOR_8+~N1aIQVTt6loo3wHB zDaHRe<(N(Gdtq`83%$i0eZDDNubcmPjC@*0o&aGu`C7URf|W ztG>%W{w(eV1Jy@Mk6nPEQ&zw>_Vd)CN~^?_y%+Vv<;#6<#mZlM;=4l?rr{v}UAgv` z{vfJI?^e0`H#{mL#8t(03rCNROk17nt>gFEhx9-;n}5sSo4b6K1TBIUB)a&A>QY|! z7i9)JzJ2ymyjc|a2Ihd+(C}rTRvq!y9OHv!TRtWkVaps8RI>ZcTNr*wuOMa5+9zwV ztGa*{hh_g=R7#FtCQ0@7sagaR+eAobJ=#p~2TJhtfIw8#kGrgA--5C;!M$DRC}eFv zN8v%7uP|VaKet7KQXfh<*IN@d^gnfcO@6*!OvHX_GiVR(^qngVMWCSv0y8Ct2D?j# z+4n86(CJ1)t(2L!Pi4@&S!;T9q|ij}#A4Utw7UKt@71;RPy@e_ZqpWMVrwT-|5n3& z^6C%6RqwDYa=e1sxk4DSX-h&j47sWtIM;x)E%$nPjcfiB;}S6y1&OaT4r0zsw&}zD zDtxduot=Ft26EUY{-kP(Lu|?%rRoVIdQ)jtc3ck2@4+7I1RBFH`0*m??g2D7$~QRF zfP#7R1wUky$a-S^`O0t;q|Rb_u#KnoCimvH_N12k&+2~qeFl{Er~xIqAw_q^#Do@9 zoR{MsWjno_l=bLSw$RvM#9lt~}Nc<)bFFQJ0*Z-Ncz=kmFC_T9x z&3yI~4ygDXfiSHjCp^96M>Vu~9!66qb^f}Q2;o+BQHuO@25X8cm zy`$OQt@MTC&EP|@_zY?6`uw}}VpT;=p?96UBa-eT1bk4NiD?C(l|{@?^69&meLh1_xvLPF&ANr&KMO}Zsc2>c zw>(t;t21hJt3heOlE48<`CU#8s;Iy6S_^2Ysx@ygSy@OlX(O(~SEXX*T4e>zN9d~> zMyFc&S_>RIZoBrF*9MuGd983Lgip(uP!excHA-0?x8TNwO1}=nadXNV+ywjN;Nq<5 zxLct`?i752r(OJ&da)civPJtg0YUH7u=RZmm?(O_5r&))1w*zx0sQSk>??mTO&Ltq z06Xp~;NK(U*{qu|lzt~9eiqFRR0f8@uLLT1g;SDzq_lh_=*W_^?W?=!pWjFTQUr(+ zCm1>Bn4m`69(mHl(B>R*4OKl(UtEl|4kj&EhJ9j9JFq6ZmL0k#hrm@x4lkGHmRHgh z;-nKn;w8q}Fprw4T1A3$Djm1gQ-FMf7<-kfY2HZ#uc)8(L&vOVj~zG%%8<_0(OFG{ z$BHN^0Qc`MUNcA}@F3AxB5G#Mo?I1ogsP!YFZ z#az>|Rw+-dhFirXs=i(h_5vnGXcd#M4kl|cLO`d{f?KgU_X!Rw@fYKSQKH4EP_$!` z2L~+yo2~2?#6Z#!B=ql|Bu;3ROkVJkrzB>2PH5$bstn*ARgwB-{lPPT=@}gGQA5oT zXm48S4cnvSHwKI^m*r2_^oG6ZuS8o9q2zWV{E2nsH{mG#vZEMZ#6!n1Ee|{MjLgMo zP=O*-;Ae>gsb3IEUYQR=R%=PvYU!-7CQGj>xLT&ct0iwZY=KL?b*@Z(aPHw@|G$sG zcjwEELBjk4n9A@-k^+H32^>-4EX-)0D>DC?N(r3C3v?{!AuQ0>pFa~U6r|}0#v$xt zp<>u-nOXhXXpaPOTM!<>4i|(Vg`PTkH>Zt`40|mh z9Wx_3xTsch*#8}<`!1{wKL9+zIeWDn%)g2m3K00txb^7UI?j316L|-JZ0nN^0N(+z)3C^^GxLyVTD^>a*%Q9d|Fx1hLVFn5%n&Zb&0rc z9Es>>k&u9REIT#A!)eq#Y>0LvTZ$=+gu-yZKgSQe&*5{!mm`JTkx6H9O`&|7Cax}W z@;9W63bm}V_3sGohyV9xe9AlpS1}>oP;w2^s6W5}IvqA4z<88_haRh#kpR54_8(Yl z!q>GF1}rYHuvch~ibyCSa9EZ~Sw3!`=>PwL4J<2aDy(-(;E-P}o58AKvWX`2E8bxv zKz7pzT>fj}ru>vMfD6R_fFJ-!gIgAn8Gdrq|ExV=xC0B;JY^{TKvpFE6DIo;LLUx8 zUP1#lg;gZO?EfokqOSsC`NCzI#9H!7Bw_ylS`l!iEk0p>zKxd7zB}jA-A>$!*+>_J zrA!!d3-FsT0X=8~)f+2XhO~!06syX>|fS&Wg*C8 zv$E?N%G)*vM5J9*_1f)?E9Z$$h2sDB!iHL%Rk*++0rBO`88GReV8~)%2GxoxjeldJ zms-XAhk5YM=mN+tqp(5h0(? z7*bZU7U`qY7fLvIJT+X{-q(D5`%#X+A$&E?s!B!SUuBOCPR5K4?L2zmc|6Q+8no4sdIdrG4dnG6zt{gJq==3jE7ZPX=@*@9fHfWQ$w# z#9iIAueqm!%wUO$a^M9s~Ho9wp0rcP7L}ow3$4bj2u}!v;0k>bHX}lmcTktY8KlxEJS#3 zODzT&G?I}1upLDhvSbL$05U>g5StDYKs%O!^5DI0Q1EBx!*JCx1_z<*Q^%72vleBqSf- znzzk577|pbv6An3{!$YmhFso8l2TYL1H1s@Ey&t}-$X_>SSqlC&)&<3vy2 z4i9Q-Rj2t17p$n`w)a<;iFuWj;v*}#qQ31)0Q4ixmzm_0h}fGfmcFT}&fbd`G+>E@ z)vxL1R?z>Udk@+DMNJGV9wXesWi5z9a~r^6-Q zzl+C}hAVL;eLFV!D~H~Kmqw$w#U(Ry4Fxy5yAg+!)59PX0oN^Q*vR2Hw}Ot7h>Yg9O?odC70whtUkjc) zMvJK25B(>@yJ{6JR+Hxwa|1MD(q6Z>-P~IE9+Te=SGV6>j<%tUW%xb?@}C?Ssc0zJ zncl>rczo5?o_#+(g#^F;kW)fD>UuGqcAwvsW5L&hJiqp5>$X~AENjx);ZU7Lhkdwt z`J`$+u%NrM`tM9rSiW6|_|&XN_a-FeyAF%TRQHp}%{2nRvesmzdVIu_iF0y<)?VFQ zUfbG5eTvV130XaD>^2|DNt_ruXr3k<9xyZ2m(elTKvU58w)xw7Gf|t#VHNr?)LV1I zw~{cZYr>>k4{^js43o@OZ~v8%MzTEcq=VdGb2E6mHLW(d;4L)}N%lHj@nTqQ`Qzl_ zg*wlq{%ld=E@-&9_2hZbBx131P*ot566ik%mY)Mv7YsI8aeZLd4dvcXt@}_$Rm~f#^e2DD8_iUndSLT*qb=Ba&Px zq6BI|p#m>G&fSM~KlYx)#va{<#PStlwWQo6ab60M{f5F+BAX!vg=5Tb< z+`Qjh2z5&jbTbdMj?OKVlB1sBus2ri593pHzql~wv@zEhY$09yI<%EXsFO050g&Yq z0$tshu?Qky7mxJjaG&Ka;lQ(1O5}%=j-NG!wf?^D!erze92L2?WbqIAQfvuWmyq;W zrN^Y{x+_JU(K@Bwu+Cs@rqwFHtg%C5<0{v7B*@Xy2ji;CncolY)S|QEv}SVMx0X$Wmf3^M{;5X#dPeTsU8(9U+9o<$TC@BFQI>c9 zqLbAj)`%eW_xb_bkE98DQxni-N26kgIX(eVche$)iSelg(YJz*?>IFG+IBl|H>*3X zjl(%kI{(F800@Q}>Am!eMX`lP_or?b8sRk`tZt4SEawd0nY@*Bz+wqtf~PPZ&hk20#&zrL{wTf4EhlWf*Aq-Iq1jL)wx6ukqF&6W(F% zTXZTy67xy%_0mTjF>{uqvrnr6(J82W|1 ze$Ab&&ca-fm<5!|7XM_cm_2bN0hw9f`x`!ZEH8_(yk6YAX(1wZ+1{Cf?-(_1-?{oM zQ_0yN!#=vcKs3xl43wiXb_XxkXqvd0d0r-+p9g&S;KFbOxXmKXq%8isf~rk2bWpI# z?Bc?CU;;})Vc`e=4NN$C4%QPR6Dp#ZB;){Ulk%@4@(i|Io;)`*Z4d-k zH06ciqFz%Aih_me3Ny5JcV?%+@(h}riGh}lS(sJ8qHE~9*HF>iI?|3_wMLR0udm0_ ziCZwQ!Mwg{G*$(v1AGKmDw;)qe$A?=d_jJE4$ZO1R%b|%_W)RfOoU$(M3NaUx=%In z9Ujb`(lAGHRTLMMmS6d_aev!XLN*@a)wrksW}isIl7=2mC2jTI+-?7|N6&bZuS$;$ zcL@(uWf47E(TKDE@rdW9<*>XBg;_R&+;CyXI{z|eA@O`DddNO8Cr3;f?Nd(uDCN7R zuG&^%!6{-?#Kc+Y)v5hTQ^5y__96MJzN=O}_A)zL9`e|_t5|^Y{QTom?1)oZmt@1R z2(PHcThgZW@wp`?JS9ZiwT?|B!k~}-bi;NJGkPRh_5!jYh9{zk@ zd{A_zp{k&5qTf~;A0Rc%Rx-?1j0#`tQDbx&OB4BdXXY`7uA-ltSCr_El{a4KWIJg( z8>i)sShq@{{Q=p%pYsgZ*+Y;L@ER6XmJs_cM+1B3Ljp9J8g4CCFFHg89-cZPqNI;) znS*Dzn~5Rhk6QS@F-OW?bt|i>y1LNf#gL~jY9AP-ds+D?ywG4HS84BD_(m%YhlK>Y z&EuelgMKxZZp_rZ{`tLozj91fjfg149S*BXnms|@#kidUsy2Cu9-}nf@WK$oOJ zz@f{Mp(-ciRVGn!;e#J^$jQP6P>$n8@w6BA>{qJ9#vA?_X04zHZmhx67CqW=Ch07} zJYqSm6&a*yQZwa~mbM@prCgtD+5>xVN<9BWefseE-mh_dqjHhwE_{49J$4u`O1lpg zL__jQkwG&`dFRSENucSAct;An%zWL=+SHcb2ang?sL8LIs}kT&_?cGMw+b)F3>R#p zO^kl*^4JbKpeD*g_beZhY@}$TbN*e(s0l}_c2K7{?p`)qonMIe?bskEYED%VV|(G; z?%5w@6?RfjP!F`bKc`)T*U16AM|{gX@!;yul~^plEt7#{AEG)r=HUdjWP zdpu_vkrI!Uk3gEtrlgO=_BK>0L_OF_KVn$4JcDKWduo|=C{2%Klrlrxl6Taw@_4Fe zUfR1@#m#G<=qVXQi6KV!__0Zo#kV}%(m=ZQ-CnU*vPzrb_4xNWqx$hCjm=`*U_!Ls z46lqP^tx%gV=9!j>d+7gc>8q`?L zN$qh4LZvHfW0)m1G3@V_ZQ4+pCEk3F9j=}#UP8UvtsRGG``ED;K0{}3f}p)nj5~%g z)y?TrrQ7rXyrHgK`Q`g4ZwL%dD?m@Hnn#mx}=@aTw9ap9b)-d{GHft?*r z=A+={d_xneSm)g`@XJk+RuDYs{bB2*U2(Z+j{0|!%K$-RHD?nk{rQumB!QI0FDb7r z@uepfG|RQ!UKsF5LHrc;fP*?2&)LvSpDtD}wg=>}n#;Y6TlBOw^G8SGp+9r%s-%Zr zkUrDMhcXCypJb#`wELeBz)1tTOU1qKLgm3jK?34q#5poL?tn_;>-4Lm4H z`~7UAldt<9OQQ(_g7-SJS2s(|UQh1jOzoxBWFUKc^3vBODPwK;=txRKueHh*RN3aC z4yGo7fs*-vc&$%bXlPeX_OnSv|K#5(bao?=APB_1HP5LOI)f|E4RgS@tk``=Hk&B)A=FXUOCi3BoxriWLOMKNP4JHr4?d zjX4R3<#h!?Gy^~iMMbrTfe7E$;0y|uXLw)a?ra48WjIw2Ig)SK4{w@JoN$lMf%{ch z>fh^l?%TGm;Arlq;bwPp^%`NhAzEpO7bzU1zB)yhpx9DwL_vB~;bI$?S=6{WiuwsY zgeDPA!fh9bVT`m^`RDvf+6zjW%d?#x$`eAM(3A4wG{ID(gjOZOBwo$b$Aj=1!2NSL zE!w5+AP33l7>|uO&?5w3s&H6TA)@94^gBmP23|d;${ZUx1zdy)OEcivDfI)#V{>V> z@9s(%qQqAMMuNy&EF`QJDW((;r&Q(4Ur8Pd$M2e!U^jNV*4LDxOn6aWls+d`N6#0X zZ8dB{hoQkQz&u{mOgd!<^;iHcO!9#e33_x*o+nd@Cc2Ar-`!P)9Fq0e?GBfUGSZ=t zb;mbrT$~(gb0~Ri5ey2#LYC<=17hob!pPZA#Zh{k&ccoGW`g)F4P?Q${tmSvk~EvTw*ll~&X})B+xgADq~qS!XvC#;n=}IwX!F3m8ip*z9ZRSJ z{RO)mnVgK#Y9aGh_=E?_si~jbscrXp;%J+%{2hn_C++53CCwl*eN{i2>r!sd6wLCT zSV?B0p=D(z)oY0?N_|3qRp1S`YyB>})Z4P@GWKCb>BQyOmV&EE8|Mr(#K-M$!ZTmY z0i7+TTj#Hc`acY{zZ=fIpJX!ognWSqs?}{k7|w)xS^Jy&%RONwh%;D7$8N_G-*YZe zz?@5*8Re^8idXmDUX8vorruY)UWmMp7ynnPd)(IsAYv^A#_3KW5B*Iprz8A1*jCUw zaxj$R8xaNnXAxk8uVJh44ckAArL>9+jjB;9wps zc&>szyPeRsLA@92Zw%PKnN%$A8$tMAsi>&!Ux|E7lH@}oP?-ihZ$2k|*98SjH2g4C zA9&JB`#s9dLH;NjbQ3#_)v|ne#mTj=BT(#Bub>$qVhjX!Z%C#%?2`lz%-*b>eGKgk z9^Oa2eM$?Z%YZn0^=`Pe0Abt(Ml=v`)H+%?&eb<>K$?J~KT&6Ip{WQ+=gn9ufoPOP zM;s^ZvCAr~v)1v{r|koM*vvHHNvd;-hlS@rb2DAiAWK?iCdt)9K+J+bL3g?4t_Fh& z4kA6yoYTx<${0fBpaWizhnaqS|EA~M1rHMT8fHoUFV|j2tZ>QU&%IqauED<>OZ`9o zn%%w9)BW?bY+Os@-se@8 zkfGMZ1Q$fJR=G$b`%9e(OE@hD#n(mu&v3SS;jhY%p1G^A8`6|l*5BT$ed8hkfT3T5 zjYn5LwHGz;*^xmys!e_%;JscL7bfulKlVu5X0u-;4ugh?v9XCx_fw3l{O^J9LyX-y ztGk9jvS>m4-N1naY^+w%v86u@-KZq8pdzLEhvei}R)k3)X&tX)b~Q~6;Fd)Nx6T@! z>ZhAh2SdB?PL$ux&2B=P97|qn2{+9zu>TnopoGK>+SZi+NKSE@nFfG^=w5bRmTy^( zZ_|+}SR_Ld7 ziU;r3oge5n`J4l@2)qV~n z;Xu&+$lJ%*4frvI#3hflf%^KWH}a2%Gl5;SWuY2V<3 zXLs@6NIE0Dq6ePEb%Mtc|A=5h%VD9vm%bO!a#(hD7qv6AlbtHjB%PgD4B{7&`~#jk z_P|!b_Io^$`R3f&sQ%ORRfp$bz3Q3=o$E2|_*c(3Q z7m_ZsH{`Q4*p9wwv1n*)JIS8U-dM5-4F>*XD72dyogxcM)pS$E3r&y%)lSL`LQ{}P zCOZ>0jIRtjKMjq38funu0t6C|ogmP6+vtbKCNG2`O87^z`y~?^idhQzh7Nn^0Wf|&uw;^`> zRQ`R@TQDWIZ~XBw{~5abjhdHCu445zer5(6;_1&o^6Jl@p8!A|?q};(RZxGOt4f`` zcjzgCE>opC8>7o=sfBZT_nU03Q29HJe3c&HMBcOKtH0U1@Hr$C0y5Q3vq%Q5wVjlgq_ZB3DuK(u`fd35!+J%{*kSCm{BV}cv6%lC z29{(ig~VKW#e8+yphYyKu+IY{(zQHcM%kWoPOVue$L`@>wT?f?sP~uZxNuHK#zt*z z3YML1y3!bMQ-dJ({t$FQ$T0^StKrnBh1cd2dl$w0*I2&H~dQ0qO3RmIeWlj!j5|bf@>hbI$vn^L_98-FwH_I&cVswVt(}m~;OBze#4C{Qxt$ z3F^Y=09kV7Zv?v*Um8xP(nlFJQp>qkSr+1VK~$MaQe$!_wae#j{EspNvWQ@*to-|R zbES=fmvh0~VwyZ&nN;YS+CQ09UtD#gq~OQUl7y>D#Y*Lr^#wXMeg5S^o*~Y(2AYl- z7i!0s@3hp~>?1S{$*51AEi_XIZ+oOURIe9IfQZy9O+9y5$m1lZ6GZw?Dm{eyZGP%j zLt*J(0{lyt8(_Q!g=37>cRcS)Hr!;<={e)i}i~%Q(tI9{vfT&JAsl}N6*IuPHxk0 z;vvME$x`bF)7ji_WH4oR?cb^7m9P|HpuF;`ws&@l+ix;*nacIqW`>}2!0S-)PFx}2$~h^Z_pO$}XzO08s8 zBb(x}dQt+=z#j1Fx1D)WLO*z>5QtN5?x%0Ar@MYJGjMZCSSTTUARfKvM@yRE=nc2e zu(7l^^&foc|3kPmHGN#3@LBnfRer{p$or8Z77t(8Ge`$YqC^nYI-Adl;F?E zX|gG6rVnKjiVAXmZ+CMBico62QJVYlvBEc_m-FRwKC+DYy~BnOYJ6UAst3=%&P?CR z_nwhyuu5 ztXjL2d3}`|uYcHbcY4Nq2h}~drnD@)i@>9u>8#L&yTh=eCJQmk@9`TGT8WF#kuR6;YH<}KHbq-&le#V(QgI^2U*DK`fMg4iky0&+ClGq%Z?1vkRrS&W| zMQ8S$f`1#wASf@pN|HbyWJLRqs=u82Lv8j4a1^FxKe_JzOC@skNV3yQ^Z!0zzFml4=*l9LQ9 zf3S8jd7%bFN(Q%-ipH6V3G4Nfv)3ga?W!~iYQKy(6U|j2OERIzt&Nl)BQ!yg=qAjj z8I=91=Z*UeF>rBX#jPQ1Lyi5&OAyRz+c5IIeG>BDV^ApU_q6ZX_)fnK$TKzD*9Z9f z;$sk&yT1HjZ`win^k#h$Cu2lFK&TexpZHO&q(t*kpkcQ$1sO#_p@Zti+SAXM+4;Uf zl#jHRPQ3=0ZQ}MFSHFhS{)5yq^fDU|Lx7J4dm1wX zlhLaZJGX>EE5xAbMvJ!RjQ(B5&lA;EozZHVn+J?}5ZV`lB_}*n0v6kH3|9B*%EMD1?q9EAR>qN-NG;U6VawDyZmZY;_3i8B?T=g&xEY9gE@<{uzZUWJtg`aW? zineD94@WJ1;?MhltN4-3G)QLXNmNe7A0!5FX%4xn& z3!h&$4?K3W*Y_K*>F#(_K&QK+uE9EwO(Y#dXGTO^9ZT81=DKcu^rEGRWubfJ?r{c? zcN^L*Mmp}j;(AYwht9&nUNc^U1mrWydb;F@lMTkS=*GGNlj>8V%3Pv&GL1zgUwmHk zz8b5M%R)!KnOzH+OyOZ;&MV3ZM}c{oC6BqPCa99JpeFSWg^n<=j5tsWW{kvc6s%c8 zf-*lH1!1fd#nM~FeVNw>&7O$V@R1QjYE*0Oi!JZ>@c48yt2CZvs#JV+DU_4YgnBXEXC^!5n&!i2R^*iUWtw{T=zIAM^N0n zaq8eeRmp@E>kvB~dJt`2r`@|8W39@sn~rl-akQ+kh#@1w=ZKW(2JOuF($kLm(p6D3 zvWwVdEg?jYiziV&wWX;3oIr)l=A43m36|3IwFH5h68TGt+vD{KS--ZCt%@cnp$j}MgX4W@YE z-5^MwX|_KfjgOAP!DZQc=oT^Cf)<4ui~x|Vd#Ml(A%MATz5Q|cE~w*6r+IBz3GMt7 zmmcSrveHjow6Dcuz)vL<^3o*D@#GoWotHh%kM+BE7L|T-*#eb5E!U!{Yuixoje?sIO^9Vm)pKk(^WVIDBB2cGH^_J& zL^${b4YhenTD%#xOu!C3x>LjL7Af{#lm5+g33IS7oH0XPSDg(HJ-7rX;EZxSCAahR6PYNb86|A6qZUy!*;bTIgnyX$D7mr{?sqb}1 z_ERmMRVQy$aJ+D+0&M_$B_+`jiEC%;b_E8Rn9^|23|bK&gM*=8d(7kVkUuC1@OG*x zOSeXW6%8DnS_BkdjeSrMczAFfKUJbB*FRN46yfOyvtH~ldD(_5Rw7#7?Z7{u=*rdo z03^7JYMOs;)$9vETa~xIdR2Zc>sUFY{mj5rWR3MzB4f(r@S4eH8)W-4Nz7qh)X#o5 zeEk+#V93#zrUJJ98^6Vq)r<6CNg?}(Gw7J^y1M=M2M?1~Iy$B-Y0DM0 zLpP?8#(dLG1t?}ufdKHx1FqM}t7)i3OdN@+5_>XzwvwsD(NzUEsh`)^(DL(?P+sd^ zzzqJ!k3_Xv=S0jghZ2}`!ppc-ei)@4*W3_n9y()K@=LD)RJZggr()D>7Ix07QN4plM$vZ zgb%eq+s4|Y#WY?b4Dpw3ylYkww9=GeNiS!zl3#wWe$L+vmSSHMF?{qsYB`LeVbGxGAfd zgpoz*KU+TveSjLAnd5rCIm5VwYwE!@SZsasGQ;ngk(UViTe0%qc9iBhG|4u#!L?Xdl{GSf%snlH)ThHEZ57^GU`*L=Oi?SrKPi z2@%fL0AbICVJixi)^PX4FX#b=3|;>cW*_dS$c@P{ zK(Ru_l&5f0!b{%MdEz049$xxBXkz#h(i-sa!k5UciBiRn-VaRzM`-8*2_bAP9wGrc zGN2&dy=Cax-Ek&Jy!Jc7gXqp)`-BFs2A=)3SblqPDZ0&40j&7Jy zx`7uX#7Fx4RRs+AOjTNAh3_Kcrb=2+XkTRWbyhCR9;M0acee2kZ~*M?jkkLAoSr6V zx!8Z}XOR9n{--hP$Gb3#)^~kZ7P!&*Um9Fzz7R&xQODA5|9bFVEIPzCn=Cf?k+un~ z?dET2=bEdw++aV_*v6@;$6Q^4d0V~oSHdmQ-UzcPoR8%$BJuZ6O4?7m$gYa<{7E$X z{OF>?c= zDc%NQ>9`8MlQK)R9LB^$zPP#jl!W|HYPl9EQzS>eqW#DX16lN~SVw_E;KL{Ay~sBR z20`cI0obTWRKyodsOZSIf_g~elMsJwQ6RvH@NyIvE*D;k=m`kx`krQKmaMw{V6VD@ zMHH_!Ao`pn5VG{^j2}(rOD|J10P2_@VW)HtDg?gF@liveI7%xo0}!1*nN@H z-c7HxsF0a~<;)Wf%1#Ov+mPN{EvbZznYXsYx(eP5Z=5_C5N==^3mr{IRmmOzJQg9MAI1?f# zso&SoJde<{4OvSKtip>`6KBfln#C(ju1eg0oug=+;M$oXq%y_xcrY1jKW(j%5n@sy@+}re4yzjy|Np%^wihHzA8xtz_@7 zLN3-w3t1Umu}3#we>Ib7dtj)QJ%p^jGP^)1eO>(;1IM5@R#~_t8!lC^TdW{6*-A#z zDuDXGq~(rD!?+qQbcSfeFUpEVe=|emR`dV-_1YMMQJT;^P{Sf#QiE@fj5cD1hES zkiOq$5(U4-3}rDl9REwVulH;jLX4iyLnT4xkxcsDF3eo9;&4}!3&Eo@R5LXo2i8Rs zACb@{$oI=SMBL&6nYPYEG+K%nt0SVQt6SH@lX;mUtk%;P(dicHS+}@YYW*rTV=T|Z zj%8zJ2;|ve3flJ9^g=5R3)n%X`O*S z&iwME?Q;PbtA0 zy!ZgT^KbS+aj_z7Ky2xPK7KGL#U|$?Al=jvfk$V_s|lp_lc-X+52#wpSn%uFq?_>H z3*}l%s*){_`0azx7RT}8X4soe0H~^UoYrDS_PhLm73=<8ifLNzhy{j-7DC_yn2+K6 zzdJ|*B7vc_O5eop96K>YezOA~!%K+g#*4aw+xO0nWfFIAwM$f)I`+{uf@qBVTP4aY z64Yy>L2wq*WNF!u)MZH^pbdOSzrXuc#tRe)I_}z2 zcc1En3AYfsTxrRSg~s!xrpqmrJygLMjHr8m)Ia?yuB~KZ+K=p>Ov5-73;X;2PwK>d ziPh=v)V}vhOgB?J2F-G-rffQOiID50%rSOOXFuc6z$8LJzQ#en>FsR*Wgoq9MY)BS z@kg6|VXwymtAYH#`fFgnfgsZTjQnzC`{ztOt2rSB3bM44)wl9WNVb_5DIo+*fG z_Ism zJadNr(Q|97Wgq?}b#$6~dDlQnvS~Nh>TT^az2%6GlGQT_s*PnsU-@|iH(jR@45t=? z|4n`e>aI)E5J)2BcB*!GxU3#q@AySSck}1HuySA5e^bJ(?i`S%=p09cH&cv^Uue3D zV1!V=7f*>#bwB;36)QF0P%59RuA{*MMgmmqE3+&WyFpaC{*Ls)CZ8=r7uQR!%GNqUq zClA-~J?F(}r?3|md-MH0`O_gDmwoa5y*zlQOD9g!tFEv)>pACyM*3naTfh1B8Um3p zlwWlzbwGmKZN8QI+r=9W>594<{x+Ybc0JJk{R`YmZ{)u-vHZ>R|NI!Zf=V{r^BXUeBFgiOR(jP6!!n#=d;io+5InB-ZxhEBYSwPDb7wmmY##G_ zXS?2^SN1cdb#OEs_TiC~#H6DmOmXT55K9b<;-Vcd2RJ(FZ7I2cuU`fXmSXf4gv>xg z0P@I@bJ{zpb=arp>!rO0mVSQ2@Fiv@y4Op+ik_iLhUk^c9BJUxP&L0 zBV&g1ns;gMiUr-qnhb=K08CtKx7hOM;P8Fr^5}BMWE45bUCuV%tC%!ZymqdLGNr~V zO%$a)FGWUJ<7fq7d(X&{$YDB1ZUZ}~HT%{i7bh|z)gqo&4T|ErfWEpfg39x3T& zwU!3Zq=GB#c^!JOf&rl=V3byYi1!W)yTPxWJH3(lB}Y#jdkuu zxzRe``k97RSd*g%lqhLwAE$g+wT)Ye|IY_v+H4@DfTqkmo#S1 zQKV!PQuSm7OJP^`T^iw$L)+PxIJ!{EZPSjb5;+!!V!M5krnS?{S?f8SqB+#OD-vxb zgGs(Nu0?^-&Z-|;_3-tY#m9|W%9@qgMjIim#{`+C8Y_DX?-z(b=k}_`%4Q=&uL7Hz z9m|c;oz5wcx`!|m$w~(yQl8n)nN&RTqW20vmZ_U^5T0{MgiMb$yKD2pg+}$Xlp6Cr z_h-_pb3MBWVpqq9>LZ*Z>eaXn$eT%LZZ*qfoCPkc%ja;dlG-EK#cRn5=SEr5Ekkj- zwpg;LNWz-g+gf7jYzLr3$f9*vToSk^3ss+zK%P_7=x|f2ZE>HIjpRGMNjkj&13^fT zXuQ+R&avf&1&SEHKakOhrzTnRS_T(@gJ1%utHwHyKfCoAGG?x%JA{UJRuNxim2Zce zbsHx#e`Lh1(PhhL^fES`-Z^I3a_etP)cKy*(Q02l0+QWM{N&F=e(u6hf<>d}cAa1R z#7<}Ue^VMIymcb-Emft@w)FBc9^XG_wZ8w=GHJa+T)dnBcNf`1m+B_rmmhD&!>C^_ z;Pn_(06@7S@^RXK$WbXFFVu4foO#*OueSu4@G$BAtT(X(Zh?1r}ZEn;(MLomJ0wGDgF9bOa zD|G?_K-Fb)UWsxwLnlRTKvg6Lr7^^-dckni`?fW(@Q&yjL!@sR2EoLsA6s#ICnSlm zO2GK)naQ!qU4Z{Ehd>@V;g1h0MJH%J$FeSdZT`9fR9{GvHDzMC@xgt%T!3|gD@J{JwnlW&|3kjhpPrYuGrUbh5tXI8HqG;D+De4Dz4r8DR`HU4a zB`HDQ8j~6CY}PQk$1f~t3ydPX;snyp!VIE;<^W>o>{HWNd%W4-%R;|0eeh*5`WHL$ z%s`Id3r#tCwJ83liq$z|&pwDGXAk%Hr=`6gbJ=p!PT)UZ8jZ&RXCI%gU#C)LM^#4y zpw{Dv{PqiaobFHd^@mV4vXe`c?%-QEqoTph@f_)9jZ1f~S)GxMkyHPv?8f0V+)h_P za#d#eBY)Z`%-;0ZfEkG+vtHC@Jh@mV!&)FtNDxpXc*)w;>$teAthWb>e6hP`tJHjq z5en>j@|+J|;4q@$I>@}<`%e|fteyH^hZ2XSR7L=$1_Sw-=Ar02IGYB8+#u@SScnFH z=R+CVJ-*qJ7uKh*qoQ<;4D{Ac8?hmO6%)Stil({TSIBHu=#ZS}687oq2mO)_!qP!d z*_?ih9IO##Mt7vZhOZUx2R~{DEv5~iLqD31B7};D zOyfz!L8X~;nTkyk#@LZxWumNz>F$ni<{^B1o-kn+$t3BTClN$xN}%PZaF^}d%hI)I{9O4y^B4bLKK-w-{FtZC9Dz*YqzZLH5#oQ#>RTtn>3_R0dd z`$55sZB3ab$JrIzkRxSCy#JBf1Blq6qLgRafbzxziEo=3Vn)V=qoM1>ok8jX!bp&& z^Ct=(Tx&d+8esF?;@~4LR_f$0~=gipFidPMKOE4i~@C&cw-P-9`>I zp+d;ynAD(-?OQptU)uD5+at7%gor^7E}Nke@wEN#8!sH7LNNX4-iDfSmt*U1skEPC zp9@On&SN7JeCFmnfJ;?u;bBU^-1+c&ejr9qAwfVQ_!pAQZ`*mN*7Ih#S-#YEA<{kq zBzmO#hn%arVw@@i^uy{iy!PV{2Oe-lZM?G2-w>r^SO&d(^@C>|-8QX#1Os-HH}}$h zv#LMbwVFMitpx)7+GZYrX$Tkx;i*|1u<%DA@vJu?^m|2u*p2`=-go7-K~^ND^wE~# zF3d(*n(^U%NERT@1WKIBMdMTK8EwvoSQ|Kfz5gh0@)obHsoC)L>BP^g@NtNv&ELd^jYe_K(Vd@8kz7A(1QF&>Cf(2DyZyAg(C)h%ZdXc z<@u5I;$r60NLJl(?zJsucxy-yRU-BS>ZjBhQ#N{fcGgx?#(o3q%?dMi#RP?*X)Y3E zh(m(T>_IsJdI(!RAp|OuppqNj#qC2~=>hL}^#&@fqU$HB3) ztwgSwsNqiFt+urs%`wqRq~5v!5*wwbbcJc)ujWvB-Ov^MQP@BVqwPIxg!Ct+hhK)% zgwBH?1J000n`#?&8kuCv-A9QU0-<#14I6Ii$^d00_2DjEhg<-bq^1g@N%*(VgIfpJ zK2Qm6u6hCy4#bYl14w@9+Nbo-mR9?Gj;qLnp@Q}r2JRYPS);LWf%o;qYhJ9Q!%H@_7qa0{e5;OSqKg1+Gjy2jGSy+@kQCax#)i{EM_KKYGYk> zU#$}d(V~115#SvnlIuU)EYbXaT>a)6hvN9s7ta{mi}if9BVA`#!2My;$5^gf4&K!4 zVR?^p5lRl=Q2=YF2qh&HqZjo$&@6sLiX=Vz=Pv4(Aeu@)j1s_jNb-UNOtd;XPrYIx z!+IOU8(QAYlz`ZQNQRD*cRKbI_W9sSkS8C$1w+IGVVgFuZ_Y}^)V_&UoqtvIn55iJ zp5kx5%8C;5PZX=`=YfVxR|ls+N8;o6L>lka*el(*m7z)<@04?pYR9Mfo%)+5AWiep zBD_W;KA!yxs2PDW5$>R<3cz5TE@>`;G!aOo7RqKBMPdUw2H+ZqkS<1AUh6+pM#yU3 zg7{70t-?G&g+>2n`Fsf;6;KWNU7c~k0%^XT9dvxBx0ftJ*`9{RTx9)LZ1iFi4|4D4 zO3^9To$-B1=Z6&2+Dip&^~ycYN!>I zxdo~zNn~;6Pb|Z6kdYo-(?HRM^l_zo^qCAliE#8)WpbUq*^ArnA$3y$XrR6;IH%6u zpZ-pWqt*T~2@ZjrGQghf{W`zSKF6b|7m!SQn$V9TW^`Yfpksz&nDGT3UN%31i^QP4 z`>u!sObmClZ;*K6FR8##P(dZYySDxC;em(U&mC3UHSIB}$&J$z-_(|#r3WEm{hiU2 zl)#z))ZkloA{CMbId650t$M?X|FqXj$@Dy?6`dV{KK%j z!FvJ&WE5*q#7JQj&w>R@={-fMI)qbZy%!Grc%zDk+~}b7d{ZjCsL&yc zall#+#H}4KMe$6Tsgjt@^PX~M6jB4KM};!N^VkA|0LzIuOScJeaVgKY%Y?%bduc z9&%yYx(YpQTT1@lyb@zFN<00MtJ3mPH> z1AHz`ZdCBl!at7I;2f~T__wN3p-w^1YH0adWDH9}Ik}k@igj@tDANAq064VSD z`u0_ppd$k&=$D9;TKB}ONeAjTLx}!QrccjUPmiLm?s+gj*#Y0EVJwP_(UljR*6Rh!uKVxiJFis{R@!NPJX)7_syL~JK|&hij?Dgm_c6hge3Vr z3yEv+LZvQt^R-+#f{lkApj03f0!Gpx$SKp3quG9UM*>uqokj=1%SMpi^%jcgVkdQe zLQU}A#hIHd%w8nU#Z95?H3P9p(*1M0|IEL^#aR#+_`KHP&`XWk9>Lu;iwt3>Kxlp( z@8}wkKec2-oW*(5z{CDrOg!nP0E27;Nepl`8>|8O`|T8M4Nd%A0WLb(V9GKpjW>bS zI}_&iVgy1PNnuWWY%9FxFJihA1k{tlx-T)yhss($tPYA_2S#>hHozLte$9$N-csa1 z-ia_k(L*lauP0wKB=)Jjpp{-Iqz=I_i&A3gi24`6sG*nQvDSq>s9StXez*e?_aNVl zR}Sw3QPIzX_QJ%#WM*P6F0v`Iv3XcCOEy(zT2qeY`}^V*Q9=T=n}yAKr1iLNY^ymUNilPi z*MGyk$pMxo?Ba#QK4p3I#QTWxj`SV;?l{TMYjyf?w+Z%Vr~Ynq=ghRB@Y}bnX#Z`_ z#q07v;MiAREqgA^)tPewXJBEmwX$MmW%j=FzuQPYZ&hS@?`i!gvPZ+`djnaquEYL(PcY7>9R~bfAmjM2)O{B=n@4ppUOBK zAht>X42*sZ8NV2D(Ba(##@1}%d0?c5Mb4NFs8#lJNzV)`G{x#ZHS;Bx7 zFw(Dq(@jOil9xKeSC*MioI11Hw$URMLq(O?8uwR`|uDkqwuNU_g?z~&lcaqo@N93IRDTFU8=5|}XE{#LkE$+3I7r(dM zZDGvyJ^QB!?bDl5?N9myzgG6J*>yuCtu;n_^60^mgTlAycg-4yg@zhUF5GHdiH;m( z(hJ}|=ZbQ2H8nMl`JKg^D)6w7RqUVKFPD_)RfQzKcRCbA@TR*kqHIA02VlZ^0BUTw znHnrr)L^&#JoOr^|KeZ*F}gjrJp-&cFj<=L0g(Ylb2L-`6-|->dXk@^cy)WH#PI3z zJhQ4OnXC*If&hU?i;Jpm&n66-&~(l#`>fwSQ7v}aw+9gRgLB~5h5C{225>eKlC-rn9vp^ct9lNXx>!b=94 zx|Y`Vi847nsoZMg(n|a=Z_ViDmy1ROO$@T5M`TlXJ4g=Diy9P8}yh2)9dK;%+0A&CK z%?clIc$r zKu&qv5%b;)$td!qfmQJJU|dy|B!%yd2K%317ya*EWiH9G->j}=T-hp~55;D7DEh6t zFsVhojyF)(e1FVse4YiabgKS|~z5zopMkg*7_^60a$3 zt#-SR0x2D%i5|zyy3?p96a6|R1+cv(aLPCV1UP^nt3Li8Vt4SL0d79L-)6DT(wX`C z~1amZh6o4gbS3IK)0K^vth!gPqy~A{0^TA^RThE{Rtj%TGIyle+vKY z!otG$5B;wQvz;!5MtnrF`_UlDx@AfX*{KNwt4z7!O^)kUM~l~YxNPhsS6*Hak+f81 zV%eaMAB~**e2>q%yF*+o7Lq?bnqp@|Y%deKZeV3d7&sdq-sN{3fk=RHY>Ruo?fy?AkVG-BY~_<5vxU#n8{n{Sq6hKGuPz)cZayGi*75Vkml2?V$_zh zoSNU8hw(}5`X0;vezXZP(dizWF9o}x5~4jMB5D&8D=RBE3BdMIS?OeH`AMFTZxsjO z@8-Mz{Qs6^XGD7Xy_(z=@r zDgjCV2<0!IkNO#!I5Cuw?*%r%y4-0LnmXvw43#=6c{+n{T{zzez;^BJY=k{79M4O2 zEEHO>+hKdtFTfhW{o(;+s!X@6wAf*G()h;?n62E?i~cLyM35isY@|s^$Ry~7IxAvtkEh3zrbmlJUhFyU&qGE4)fxhG(YC? z@#k+rBR>rPh#0U#JcQB}{mxuMBqTV;-lPe*W8<6{@cE-ch-Us4MY6fyyYrXZIIrQ+yl2R9Z#0l%ARyTJ6#JH zU=eoYe*IWpJ7+gqR6w6y z=%j-H(fm%lQ*`=cbOp&5Uh8)1*Je;YhR{C$`@4=q^JJrMZ%3!3x(15|n}J;TiY@&% z8QHq|hL1kGI5Ih|@CnDz4~Ldh_4OXMzX$tf0da@;8^3>gkZvSh#y!Q-cbb(Lq8b`Q zK7|PlTQ zZN`N7_6q(jLashrlG<+)J>X{1;c7Rk*8xZD?5PCRSQHidc&m+#=QG;MPW@y1zJEpx zyo@}p9zd?VzDAS#gJwPcAINz~Kz+C~iCr%&k<{!JRic>&i@BPDf-NQ;onQHg>2oik z^s1_(O|M#Qax7%eo`S;jM8aKhAl9t^TDC9X$gqT4!E$mATZ~d+Hj3=F?H`&DpITjC z%Wc$97Gogee~6w@y!8F+;L$-{A<|t$OD@&2M3AF$ai#v@j(_fB@du7219Fj zcA3pxtRyBJ{c#~&T=lah#a9x$+eNv}RX_|KWR}@ng(~nwbV=Xau>uIrs0$Tj8e0BG zTJgOG4RHp5P2V#7BWy2O2F%VCz-0x1EeRn$;u`HB$^mAkF(Gh*!+_Mdkf87-CSgG( zGJGyZ1?5|%XcxeaF2e9BH4QajIkN+t)iuu=Olz_-iO? ztkn3A@tfFaKNSXIgaG|=4Tgj{_ua&S)h5_Ju(X<1Ar%wLYDt)RO61BhtxN)Bo^c@D zeaX<@Aext&u7L&%8>hz26=u6grNKZ(ntJv`@bjh3`ER&^iniD3QLYVm6&hWQtgPPa z80cu6&lvm}ItrHoOzH}OB|oVc8R|~bvQz9xp41^c{5t5vBug&RP$PxUe3vJj`@UDn z=js|$^TTKO_aQ-}H$bs56&EakI(}gGQ;qNRNn=2-10*Wp8dy zRLki7|HKl`x$hfjSEBf(KTuc9E=i)RZiJLbwphhGI8cemG`E*>vf2;amOYn17> zI^sZlUM>#VOr4Pn`V{Zok6X_VMoq49 z9*+-?JR~OeYF@~=J$X7PD~sgY;+b-D?!WmWCF|C2v9NyOB4SWha4qdn2eSNOWxqdqS2$k z#r;8c2I3?sNc%2KpWi)Phs5`CT8gjt>}HGik~2SWL5EhF0GZ^2X1b^EGA{;@bSqiH zybz;Ng4%^N9CQASDf}(yzhesjtGLPwh_~Pg5rY(Kg?Nc#U0MHT-+`f()=cHfQ+7SR z5nR(g)1zR?sGnGA3D|Gl+)jJ{+zN%~b&JK)ykv1+{=J21G19mC{2hGQ!2j}B$lybE zsa%!(vHm9{<#$I99op{rMG5pBY~zGExi5MB5B)FM|Ew?m!S14^m0i3Y@mHMA4b59W zti(^{4zWv6sQ*;K9hJ&kw%F`M4haf`{CUt}81rWX-0(=o3mT2ST^<3*+~QPfh3v!O z^j1e6Sh?f!4ax9F*Qr+D2uw`jyN+{6KvqGt-_aNls(7x{8ia^tjybe>uBX+TJ#U1Y zH{q_4L6+JEF))Rh{z_$6U$$-@BazsY%Skgp5z&_?z+!ZFx)f%OwglRWin~2_{|P|m z_nEB&AxRZ;IG}Vnxq}WIXYjBc=IO6y#=AUokv1B11Y4EyxN53uF87Iqs5Bob7J|hF z82777)UI3fCyqIOM5%aiNIJLGkxa(oV6?q$z(A3;yr19HX|el0ZAGAzI0s&gOs*~k zw#KuCt(s%j*55okwhP=x-b(D=G}$w&9_Jj2s>zU(wxBauh)m- zejc&koITWIOVVVS7#`7Y^CIF=)SWWd>+heybH7Rj>X)If&Wo>M_rWakd*kY|qn%7} z(K?0U174?Zvh>MVQuWJYTZfK6N&TRy*tzdEKow^dSJeV!u$L~Spg4pssbcIEDP;#Q zpf}zHc?qw`1|ALk#4zSQS#e+fpQoL~xQ>wa@EM=&Qr^^*x(Qw$#P-dDgUvpruf}w# zVH*CI&XgXD?Hp9h0G=Z*wW;G*KdGLN(vSzy3ed5ZKHf`@_n4)q#LaxFu>LW0+ZZ?>Pp z&v#oJKMxPhjZh@Tn`tHMipH&yGYWwskI(sGhuGiY5sg8k>2jL;-xF?`@IDZb?YNI< zkHr@5_xNshh;}yZWJWGp(-Jn@CoOIyFsmU3;@OXkceZ}5LRl62djtZhkp65kY3?^b zzuX}<3DO*(X$GKMcjTSHrAm^;Xsvm}#@$pX$pD%hj}EC9+i&P2H@ImQa4W;^E21YL zUYIV}?zMgvPfLe~{wOns7~L{_n5CZ%@GFpB0_-X-$}`q~4cL-jVOCu7zdEwocuF@% zw369ON%waJue2V((Ir79N$AZY_MJs91TCmUd7pLjutDgP;oq1CTyMpU5a0C06(jIG z{$-#4_v=)}41ib9f~^O18=wRPb}{o-GC?{_@mop5;{SlX|BKv@7pZ%2OP_@g3EGev z&>^VgVMjvI)aOI|HMjg28+2}wJ6V~t<$8oSs$Owuhj_8uM_|0mmpYuo)8_B7<1u(( z@pQUoH_VIrW`^dFTt9UKiFA)JZ1cG>{Bcmj&st=5&aj7c@6V)7k0+&S1=^UG>SpnMZ%bFyP+e`H#=cz%q8aK23={WteFT>b-&-G^Ua7qNV|) z_-VP+4Lebgi~c4PsY&L6fg=Uj@E{-hNr5U+o^T;vDm5Pt)b%HvgrhO2!l^WDY$70g z9Ow4fDk;_{*;2Sd5F68=9DgbboS-J;mg#!mX4B%SIfCz@EP^+jgN7>qb~j6Upov50 z--=rRa1EdW;QpjL4Z!JNfv*4-n#;BQbtfqq=)wy$I{yqau)*p>bEEInO1635l<1#N zT2PAO@qOb4cOdg7aC`iIHd0`<2_G~P$b!)T4!P7??S1aLWUZ;g9(>0yUtV3WVki)bdP4BaXplQZgO(^od8W`0lZ7CZg&)g- zwhN4Vu>4wsXqUGg=zb8XDKKM018#^1bVC3YUQsac2xRv%D_>rS%9Xvi3EOhPyBrl9 zh+jO}eQznLIv`?&h_Lluzb}mz%Y+1|4PxLBfExt&27aAw8UC-78pMDcF)(ufU9+Be zAKo}{JbwnpZPKP>qxHU%57CMYVmA3#!&K!;XS5B$00CviNv#+A^^~mDH|}FIS1eiCjfh^aGwR+9e}=(4KZkq zxCd|4;ykhx#r=sG9J@%a?B6ajkGdmKd)>$9cyGTb zmF$fJofS6HKd$NBP+iWHGIXNVWJIXE|Lr{RPXiI{yDWyzUqPKlbM2JRHi@mmf#o)p z(kaHa8()kdP2lVYwAA3A*EsW!Yt%v-Y4%+U4J1%$O$Hy*M;QYZ#YOQ zo_64kK(GM=3f_nS5744SY70z~S!}}xkf6{!_WC!7Kb__GwH)u4teD?yob!Kp%k{zO z)44ILwGgGrOjc!ao++LgF;HY`BBJ@1wH8*K&J-IOl4zr@@?u!9DRWdzo_ew_{sEf3 ze&;_%@?Tf!{Z{VQP2&gI$B%;pFXzGJ{r|s((d7PZdN5ygWP<(kxz-QDPd5={TG(*{ zn7QL0S9pmmjnY z;!W6h)l-pjQ38Yo`bL|G^KZ(vICetZizg7C9f-)(}!YzS{)^8_A^98R}* zHu1(q>(%lSPh}AdPl`1jzaqZx!i~yj*!ll3_uf%WZPB}E5Cs$k0Rg2d3P?wKk4Td) zUAoex_a0DDX#yf5(gg&h_uhLabO^n75=tluA-NmRIlpt>c=z4$#{27KFf@U^vsamG z&AI0M<~Ny00OTih2cUVX&71gSZwv4+)SWQA*sultJV%e$Z1vnSVm}Ld zv`Bh~D$eGRSZ8~dGMw!;(JNM`P_nOtAb_}WP$gnvov3A$C`JBH@1)<)jsuIm6ipv+ zJkRtdmI>ipVmG)h=u7S@%oGL+smK7tA1KpgmDOIM_02leqUDz@umMQ}VMV;08GZMg zAmv9DZBo?DN7#^B<6@V+?vl4Q;wM{YihK{AtED{9EDsH_#rJNcjlNjg5d;*$w;9(; zh(~ZK8zCsG(WUQfdROwZBM781?+$9JC2|#)z_j!8VE6q_R||ZaB8oqDFrP;zy}C;P zq9ZvE>!`PV60gdVIvLbuQwBs#0EZB}N1;J7M{EyXGvdftG|*SEDBOg%tifQPP*Kif z4~`#9^!_SnXS)}G{f?WN=$9H8$=;~!C3@@^s_|r?yxeDB?*NSWm-wNIV1Q|QM z%vCc!iE%fu_cb27<=XDp(k8Gav@*=^at=c0YCT~qE(s#07BWBl$$nHG1#W~0MI+1xICYoJU!KgUnM&?P$D96jqKnU{o;nI6N zPy*(e>g#AR^@nkNa^%-f#c4~~_Rk@Xaec3=ihg|VBWQ4eHG3^KCM(Oe-X{ys9KUtz zMvW#@Tpy*x<9vL}|fB7G- z`5lWyfX@1(xE6_|;YZT0iLa7wN>{3lPjw3hJr|o!J8zS}mmDW{}TsvFqEY=d;JMZhmUq>FR%XDXn{QPqT(9lbj|M05MPlD^S8+egn zz3g$LZ+JHk_8)fRdxS~91f6)(ar&0-vRk z;%2~sqmE?`)f5vK#s64+z=`koV)aT$$5*-vUw3aHK=p0bok}>yb&hIFR7!U ze>~eI6>a(g1TxQf2q0f;lCK8>7xY+cH^MB3cKUkz!23Yf&ne?7gTcs7p>a)lrC+y# z)Im;f?zVf>d@alaaNK-4Ey$@^gD`pvp*QvdU;bl_-@b~c?QEf}?;{H8hYs{mhK-Dr zrX&hGW`7S0aB*?|$q1^gbHq*{0%}Tfe0<*Y{G6mkR@s@_4sBI);Xk$W>oQlDs4#mH z6%ko&R7kur*qQ(r>F8j77X5gRLjDt>lXcfvO-(MHhdmh49{dkx19*5dNJ018_t>JB zoQ_p?(&DBj8u~9@xGUJ^oMGkxKFk^;JkY-pNkUL=t{n-ZWMRL?78O-(p=okr@>-J; zOC0#3k+dH=Xd=<1+i&)>s4B+eSP-A`8(4_41d}1Z|xigpWRTP0!TPa zLSSfN6jJspe|NYm^^xM?S!gf`orFJnY=(Hc=1jsAa*J9sJ@?>Ki_8Kiu70S{YlQqr|O2@vPK?*RF0`S&ncrnMC3 zv(1vQ-rRg4H7$1_cq|cNWo1PGYB!5ENG1f`k(0cbC$-tw2tZyS5 z?lRDbc&*dNxLhYS#M6Xa4(q_AoHiC^ zRg!={Jkv;#r+`Ghc+@*;Lv*Fq$&;%eT1PhsgePlUR@iZESDJw!)p!Y{YrHQm;P@zY zSm09d0iZtUDO0TA|0c*7>G7`^0}-^>DxGWB3II+npq2fKR)p zI%#}@gh8_Qv>7j6g#@$#O}WRgy8%|xydzD<7oT*$$IV*Jw8s6xotw|vZ>(l8;>LQz z*49#+?tIQS!jJ1?BM&DJ;~y2^x_zU=>|nEdX!XpS_YM(3P}!&!2tXr>P-}Ak;u91- z(4|oy1=hh$(cHU$x?qP8BT9XU_$Pfbjt(RoGAY`kJ~ ztxgwky=~eAAUU59lwf57L2XE-I=M(2>g(v}8bq4^D+nzhg^B)wLEz_6zR}AcJVp7O zk00~iMP_DN0&b}36RMusdQS)EV%$))xu9T0!<;Y$!|}O4*l!8da84SqJeqp!;}5uF z>RSshPSkwtjK|)7{D+M7q@qwf2=>rGrg2G2qN(Nqs#a+fA+kqSTdVw zp`p=Rq!1G(yP~{;70ep*tQ7U}<0C~N@>~rLYWWGXVCUpq#g@-FNTrgtK4H;Xsk}nB z^Y2#oDy*0Obx-jfqN_^1y)`53;l$JSRRA}!z3vX+mVT1}tFZ>4j?dDDwwy6YRxmod z2{$vEJwNNW_|!v{>vZU>yF0dzI>mn-Vzd-np^>W%M8l>(qN-Dv6ce%*{8uUh(ZNjs zRw&?wu1TZy0v>4b{r&3?LSLYHmAH8*nR(RB`DpN(caA}Cm15fpfaF;D)V3?iU)Y!! ztYWT%T-`FDk6g!W&1K2jKE0%y{ZG5!t~fTArgeP$_;qCDuvZB*GzfLF7gq~zsH*bY zD4a7Z`Osv-9s@Z!YAUgVN`Z=}^Eqj=o2%Win6dVDLMbF!rc!LZYP?a_@G1~V*%f!* zuZaqnt*&p6x7+tjft<84LUu#5KRk<`vpPD*pPhh6rH*dd+dFczvyt((dU#<0YzN>l z{id`we?e%sL;DHH{s!P`C7gAL<_DRY`o>zL(+n{l0EwQftLrum4e&2&#-+|^R4Yb7 zJ&BWz3$Sscz^FUY(t4P|bp^AKQ- zL>89+7;vgT=^b8SjbZ?k-6(-HNb--mOi(&Cp7fS6VyDWW5M&n^)5sxJXMw;50b0mi zWY;&ju&VCdYV!Ei{V%r{y-^!Hk_Rc-O=oKh_-}!oud{+oSr$?a@&I4bavABsB* z4&RE=65&n}KN=fFP=*gKzi)RCy|HSmXBOeV6O6j9ZvTHe{Dtr~fPikULkC<% zjqxKg-}n|cMdf|*75>t*#t?VTO({>Q{3z{Jh%!6u?juDYYqV}4q27d(D*Nd8IiZ}! zm3RA|>2lo;hx-)J`m;8~ztuV4H{*XzzY@(!Ssj7-rs6!c=fwull{m)jc&5_=UeAwT zGiYbg02c}9_DzB(wf}m3Kv}=*`#8D#0jzLR%-8aafShELdXd)<^J>eF9wi*d`nmU>#@3h_5b)syvqa9Kh8&@_n`k! zWdOFq|LKp?e{i|~-YnpW_ul@=%kLck=IpP1de!*teWGT-&3WJ1>lv-Uz&9OTfcmkU zQYl)tmG|b!&3_*2brndU^b`e>zFRS~t-JR3H-pbv`Y$~?@3<)DZilr4r_XVZTLM9* z4*w_sxWvsiUZvP)IqcjV3ypq=v9qb}S3n`A21YYF5#ncGRMj1hDs5)AJV}sV=BfWQ z@(}()!;soRorDxG;WHD_mCfq^nHe?pKi$bD{pSf^2tB^OzjP|iKK{nOd-b1R!wD^J zT>JSR82zai7Vd@$te)5Y>BcEOkSKrpqWv#d6p`HW$f43M;lDTbvgcj9^5DN%;E#0^!(ColhD6#$MGu}I#bvGnV7{#*Dfb9ktSA*S{(21iT`p=Xc)nw|#qz0}`>l96f2mjOH%br$)FYnr4ZHpQbfRycY zVs=&BFW!4HfB>U;M!YiB`)n8pOrhXiA~v70*rrzw?7fMvDu#Vvit1{R_gI(-r2bF0 z7UvT_!>4Kz)3?0l1H!`{L*$kdrfU;weZQuIUO8H!kuy#s0&_KPdY@=9o2+2KCXz@j zPw>V8dl-P3>$hD1g3pJc>bU7W|5^Z(x_}+gI}|{99sdCw{{5VHes>oi7v-~aa>Mtw zJjLiiUlJ2fr?e1n5VQ01!>G*_b%5UZl3p1AHH3!)bv)SlVOG+wUmHVYjAifxEzPyG zR2__^rI)6Q0MJ@0YIftJ85x7?zr6s~n8kAkILR|pM)^>1oHR>km z_{4-=)vt8hP! zSW=VY16Gdpu3$kR;ApeL$_RwriLS{2MUt%5nke?qYc{I>uTa9NZ07&FaV+{8I_gka zT)a8e6D)WQ#RQOzs>rWgqFzcM0C^MuV=StkT(=ca2OnXDP5tDu4ci}t|FgE=-`|Hn z7P)gnRGJ(JL5DiYf4!wTAjixc9v)r~>f%%U$`{WW!^P7NRaaMK5V=F;vI};$G4ogH znwefvZ_F-CTLScs3918n@7-cel)n*B4P90BCJ7R+IX0Xcn(WhsIK_Xf^1#V%$9rQ> zm?sIWr={n$+U){*b@ly*6#4)-f>gM&?v;u;*Q#|J;uKW~Rj%Aoud){+bWa5aiG$dTBMVmL*GE(ibBuUTE4qPAb?V>_CR?9N_pqb#29cK z5m;YeGnNP>@z!}$RZ(st;pN%$iZ}i<5Ifd*ObJvrpelp?9K~({V=anxYHH=b6$wyv0Cy#Re(lW5Z~q@e#nkXdQuHTbNc zfiQ5jFeTB|83RN0R9`;}?-zN=ekf}mzRy1!(?S8FN};^o9yY@ZJDd{19vEc=UP6!%v9>o`4F+}D#nu} zZpX)cq?haJ3Q$wdIYOOR2!aCa-7Rn}GI!)6Zj#1-?xT#=nUz7Iu7UQ?Vh}F1Mzb`D z1KfJuT8>?gRdU4D396mT%j6&citbuB=b0#oF;OM}J$}r|$IW9W;DZm59FE&Lt_^8; z{y_0-pE3a)`ij>^DEq^Az)+vgB5baXTbc!EK$(;7eCO{fj*l=6%m7x~BoW?~^hJHiX{SXIL4`Q*l z?c7`ExBuF9fy2OhF_7mU%g%~=_hFL&w7R;QUzl%EaSV(aWZf;*T4p~ywV~V8Nr)D2 zF_StaYB~@ISArLVLK+BLD8h;#q^uFr&b?RUysQ{j)pre4Q&R(aCBR+AY4^m?)lG0% zPxeTmpM~PIzgyv<>)7@|N%R@La)bW+M|329GUgeYnMM`)61WUTZwW^@Gd_L;AqnGr zg_o(Jp~7iFV$$F>X*fZXKX%47{+k`oc3dZ`6?TUZJWl&PCY3EV1hqe@kr-Rc)9{BuX{#`T=ZVA`+Pk7oI9*gey?^!X zI3+R2-5m}{fq{8nnH#@n;$CQWif*3U5%CQM$TC~ZaJ2<5sCj7dsiA^(*9kp9-kDbN z2G>$d8Zxt%kdh$byKJHOCSEhg7t@nX^!3MGTBt>t-wB+DjjO>IHB!+R2OOY_+ugXX zpIsK9gv07mUtg81s&)Rw$fPSlPupz47|{(P>RI}WcOY4O{(EA zu~lVZj*psNu*B9Mj^Z$_*5LYg#>ojOxSsH$dUWR&T_&(SLw41%i&Y2vnX7K8{_xmT zY&IX$YudygqF!5_c23D1DSs<-5G9>{+W27Xx41p9^X9I2wh^~=?*`z1gAkHz0jNgm za+qUk*{aI=TAYdR;Z`;n8xQ3ZC^IX;?0!u3ZeRfMCaP398ZDIAoxW>Rz^?OPCFZOe z9HGRxqYT#hBP0NQCbkb5x7{$g81J)xd=)fVWI`1x7aT?BcQ)JwfDvj&vw<$beDO zDu4ROU3BFNNA`lxIa1uoZI9Sm-BiR+3_Y}_OwDat+g!m#bwt{PGmd@^cp2~y(5NG8 zwN$X1eBqZF2TxFCQ;~3bm3fO4}PAFmbKbIEBiUaV#V zDB+_{yQS^oSeiY7#AS@tPh=Rs6yGcJOT>J)0mQ@qV z33n0EgfTCgJP!^;d(Fm>!e>xp=3O+~wpm#l^HOf8g3%?!Fb$9YdQb4e`Kk=ad3R|3 zyTdKLA`jC#*m>pxT16eP-vrs{n(a%Zv28*crZ&13oS%cS`n4A~KRyd;TTvj{<>u~Z zOij4xi~=k?GL+B0uEQff#<=DkdvJCPT!!GvjW`NyE*vT02GqnSZQme zd!EeLD8ei7eViZfXJPHK3?i^JqoAkMwqbbu6c_={+c&Q?#|7;0%U$!qVUtraokfsx z;6_(p_yTUHi(=Gmc>ZkYJayCN4c}c=+)*pfgL(axHb(#L_UMZQiDP6xMm_KV9lJAk zM-e+CjB|S3NC3iOd9aV$KVkQAnB*6a&ql%M<#D^Yg>d(+VDSD}+J$)d4FQOZIZp$o zb8%m!Dj2sA7jO{_M#(vNtc7NrU%xVFQjaxV2z=+K=%Uerz;v?G*xDhL`}7={2f;uZa5|8yl-rUS7#49^l$lI0vA=5cS8O zc$5qLSTMNVIZN+5db9+KUUR~5cso(cTtT&X`A2rsoVpQBFR!21Zj^s}RUUG6NrNfPT(_5zl(pCl;Fj&%?i*7`Mqc|k=1^w ztt2b`E})IzBw*v%nyL00)|Ri#1Y1fFsXtoAvX(la}0#HCHw=(W$;5e9S!LLSHHh@Mlxr**xzI z2izNjeVU=wKYy3|X;$%~8c1sxr%#BsQqzuvp}$>^eIY z?e-atRH68O508kFxrg(7m9QIK%pra~3= zo_@B?QGRrCEcC<2tK`uy9^WL{_d9F+n4xf!^D(?Q^VcS?~ z5)%-{B5s)9Y2JOH%h%j>E|HLK3qIy#QDa>Ln%j3bHyCfzOhkm-^o7XCK-Nn>SH>&A zUv7N;T3-)gG&uOJn@1V?Xw8y2TRqt<GL(paHbFu6RAh_#@LgHGYP!p zj?1!MOA$@<#VYunng*P^tvHE$Y*^FV9xaxl#F7J0F-1C)W3ZXNCfx1-Vcg(C15YGM z2j@x)pAY<1{0p-aWg4X}a=Il9enO0!g}ef~%@Rr5xHJjQ)a)sK03i-jo}rN{pX6s* zuApX!4f!~i(Tb9ow_d>5^TkWf8e6N}^Wv0pS(`~E)94<2i;yxF^g@3S2A|oUEe6bG z)H=-6;KC6TWW!^j=Ia9qB3A7`=gy;U(vI=4GnMbJ1nh41xIPANWM=C!pVfdy z8)4y0eL;PCLWs8n{3Q8Y*lA8x7Lo5?Yl>iy#%qj+p~BZyVilPgAted-q|8UoqSd8J z$6nbCe5Bvoi=v+{tj8}~!gX{7Jtd#rudwP2oN;bY=FaDkR40czTD)-AKI==t3#7i#gl)Gc%m=o z;&L*Eu>lN%0c-{GZf}Bt?2i1lv0~@4v2kHwUXSRdbW9h4F`u5LFi)@MQCAe4kghU^0cRTtF-JSY-X@ZkaUC=H7Ef`@oVPr_%prn5aX^o z4h*9*4YPO?4Ywmh}u(nYS@fMcGQx*Vpb#sN1;K$}MAv`@nt-0 z{Q=H+*tWa7>L95~aJ&;yT3MP*ZHO*`4}CWJgko+?@KZcOd?Cs&J!qtL$V zYt;O=#JGX7MINoyWNVb;P67Mlvwn;K7KTx*n&)Wy&+;8go_LQBs{IP~VtgqPi1u@m z@RN`#aVq-pG%%IkkEHV0VM|tDuA;|+LEz^kMOJ30^{85s5>t9uZvwxy*7-5~b%lY~ zuIQN0b)m$)N$`mTs(a*`TUPz)f!DPTOJLXH&-yH=-w*H<#dJo6Y*HOg&!n!e4j;sX z9$BgRd&90M5Q@hd@LP9Yjec=>~4heK7;SiS# zG}7B?+)dn*-rdb30c@?LsDI53o;-z`Obci*pZDG>kvxwgAO7IdHe=vsYdcS38;4@oMnE zeB=4k4TbdaEe4-g8d`3BRe8cNdtGaV;7*p0CQi+?KsGc8M8qWmTCA)*i7TKDxEP&j zg8;hc*?SCbssvHy6wvtf7O)|UGX~Dg&hovPCCZw+y0Q^56Y}`Mlg!#mI3qDEaI^Z^ zFrV$zQ&M5Qym54EFR2=HmP)F~I;@Lv{{(rq*(cbw5)<;fv1BVJZl3KiyRnGZwoD(@ zw^+S~;}$(GE~WLHY}0_M;@|Fr{h{IOY6ZE45cv4%jMbM0IG|<%PFI|mnU+SQ=Bk|G zW8cd2sr3SoQHIQqviy-9w#hBLfhVglewN*7KM}5n!Gm6JP|J14{!)nX4F;dpmJT~% zdk0N{Du=VKNC>MMGwR$2nk;&d?nwnqb><{k%=fVWCtd@CLFL=F*MVoKsNkrSZOn6n zZ@C+$=gsz&_2}7$MUuGRN*Vgc4Cw630c+;^utqCIQ~}y|`kXA{(1)%N_Q?iz*KQ%} z9zG@|DZllm0z5tI?AlMAfu@6DgmEgV5-0I-3*w1i100y0Md?@-f~V0WEP7PeKhlvH z77Tj|uzU>Zu*w@xNYpY`BRQc-hTG0a0Ska_d|SE7tPBQsz^x3f`cS#t)~PlRe% z-gK`Tw|N;XY@Mq9^l};(nMxYaF9*f zTTFb0ob*|=vhG{JhzJ5>@ZtA-N|d#4lM>TUzhHQ6ft- znpdR4QuSkix#QYLA5qy=#=GP+46sTyX%jV#05zx-evt944S|2>@ zWMOU>7MyruCog;YrF%8>pbLX9Q}6Gu&LAl(YsAgNR2!U8MjY4XU~BuBgWLXh5p#Ow zm3yJtYL63WoTdM6>rgVCGp`zhsExoqh(CUy zhjMR{l;oB$Z3N*d+}-17lVPT=vR0`;lRR3!K#C&pn|_yB2`_0bd+(7eUnZYE033Sv zVD5%%Spuc1V@irjbBkHY?5rfQYZ=b-DW|S|YJfe7u;^BK&#Qgnn_=6-JHW75#e{~i z_w^l?j>c1}TJZza5P!X%HA~A{#lS2CgoK2yQjmpz_JzplhX%fIh8R~=6`6X<)4=Ta zCaYli_T0g8`3bpU=xLhp@sX3yJr=dUo%1^E1vV3J`dWrRMdr*#)c&n)R8b1E?rv7X&sdU|8m(vgtgS+#teOw+?XH92YX18sFBjq?_Kl{}{0 zRl@O~RcfVWbrUP{tBd#a6|AYPc&x&iIk@iW{j*?Sf6-vFwaw2fDtP1Qc!)e%a;=fI z;N9j>3g6qM1FE8g*i#o2X$z%F_&(-g9i4Br3kPsg@ab&E$yGLKw zb+Sc8W^7>aQr|>LmL;PEXv*AZVuw{tZQZ1HoT+x>xRrUyOCiH91v>$nc;nv*i7sq^ zj|#9+$g5gfTIwrq!}!fY$9gh7h@j|N8m8Q$f*N-SkCSPrtbxAnSLef!0V_9`qhAw+ z+?^xoSJq7pGd|ZQxT(;?kw9y%ZM5`)9T2@^XC^J=`Qd%s(8$FWw$RHbl* z?=jwGikW#5m>bL0&)wS>_TT3d#6eexubRvU*bB{A2w*OHNTxNsea}6@cL&!FWX-Mz zx4o`SzfBh2v3%&=57w>QGS&xbl5y|vBY~2BV+p?6Zc|A^AwWH9n((#dch3ZEb^0J!d@2(S>JKrAu`8p%ydG7 ziH)Y4%YcSFp~%;@bMUZK^^luEmOSiI`{g;>KJrnXiLzy`_2P<*EB|Onx7m})$?#@xak$|$>1cQmV z~&{uNotV)L=icT5XE#~d zrUFCNcC$HT0Qsz8+KvA8#4qAgUmQX1g~1K(x!GD_&y3Uf1!xWe@Tw#9?R8_utx92I zEa5Gldrgc;B3@NQhBEj1cVSl=9Xf5!=DmxaR~7M`oH6lZzL71T=V73yn*hqd_{-Z4 z1F~Jwg~`1R3v#@H#A-xVhLRd6V3Mx zg1L97incbWr1IDuxC%8D&y#EsJe|Z?e3@#$;@0rhp|n`z0qE%uxoe=>Pl^nYc$(28 z7K7ThFK9u=)O6J2+M5_ZW>&jL$%|a8~@dM^|XK@jyg)gdq1@l6#q_ z*Sv2JN9Ga`H?D%*jXfnu5WNKG?Rz%$f#sh3lTg>NHm{;2hz%0%D73=kG7RAU4nkArBD!cFkS)6B4XU0)ItNHN|?Q96bp1 zVDWFE{xjNtzyFVAa5)Trz5cZf{@>`#w=?u{eX%orJ`(d0kBuC8s6#(g4fX(K#cCRo zI?U!mTA4L_1noPPia$PEq7NXOx1H>vSAKk_cW>8mh<24_SA#uP=~rnXdfTY0Y-gJC z8pt^~AX9-7NZH+4VU&89PP*XTlv`g4(Jnb`(=iJ@>pPX=V1HcOn(lkDhw82407K4K zWc)}?7J}}C$~Emy`P(2`)EBU41mi)8*;cl;hf2#}Dqxk;fyl;shWw#c@Pv=KGcHei z#OegmHqrD{HZGS=lWyz!ygSd)IXqlaT5mR4Y0OH(SSLE!lWe|?gtdK&^7QcFVPl)F z^f-e38r7>ny_f6Df+qPbNV?hC<>6e`7QYm)aimx=7;=5@?JZqVAZ2A{F&bw;G@iC7 zYFW)UILm8kwKah+bP)bbF+GSnYdE+N)hrX`86GlUb8%YTcJ7#?H`LPdX4W{SwhM_o zBF=aEEgpaz8U$C-M10BzS>e^IHL;Spae9jwze2wnkch_@Vyi|eVC#gxk@R&^oDg<1=KDtv5 zi{BC)kG&wg2{}GKMW4`m@92HgW?=-swtfD5>KEInQw}}_(bb~H19)pk-!Dy{!y5j= zLdR21$R>9(|+IGWkf)_0`4`QkP?14~ua zOtJ4p5!i_--K)vJ$q#xrR6AY6&Jo+9{Y_Wmw3~nOh2Ksi4kgCW*9#F{x38n~U-MSOH4w0mG~FVACvyA}s;5XZIBqI|c;{oW4SyhQc# zTa}4&9nU5r{6~s#Kl?vxGr4+r#LU3T^e1tX$uX>v@Ocy=nVft_{do&DEveh01}Mmz)!=nc?W0 z+Z(&PNy*U_E(4#^->1VR>v#fPuaVulC&-zrfP_2Lkz9D}uOPsZ$Vq8op3{~#f;{cq z_OtfXMq_iKL>@7KSO%Ags{{Ws3{lEaQj@4d_c4B!ryx_z{Ob3eXNQ4S#zOhC`fQ1Z zf`g7AnTI!Mk9f?^Lw0oo0T`u#Nsy=B(7$p}PQyjkZ~?0elkXsOs_)82!Q&9ZV-tbZ z+xY9yq3+^rQ^>>&6u_mPo|;zjjsp%OgyF%fB5VU-wYV zlajwuK=%Nr@k8c|5nB~SrGUfC>`MDHE=Sx_Jh4^8U2)ri$vi~BCIc|C^}9(0O_&s4 z?&Fc^nFfbRa~_GMm5n2$j5=So1TN*;Met2`SI>SW=ydrB_4+q!?jM5g$bBa%tSt-& z2f`OXmHG4K3+T4p&gNI?r|4Vo)VqOV!W@2Ehv#*t+tCT%R0@pY;)Sby$@FB`f=RM+#*9fjni%$u2B!q^@<@+(1h}k2Z%X-QKC$U_# z0UdrA+pS{*?zoM;6+=yA5jPw6RD<1lsClqB%uhM|eaN)0LC@YU-1x-V z{q!Z1lCrAFMVlT?MOcUk-C%kh0x{|I#fV#7MZ&UTdYWM6?5vCtAUk4@e$J|rfL`*; zE9Dz~|NhxJPpzEUFU-QogYLSCI8|0^mndIn{XMv37%cwZr z0~E$<-d`uprhfBw)>7iW|DDY_!*#Ln~#!O1?va1v60hQR*0h=={kr-}lnnE0d4$W+d_ znaoUPCzOZGYiVw>8b5EYz}3(%L;KUy3H;Ytr**B0VY_(v!Ir1)fT_Z z2R3w}F=1f1n;brhhHr4atbKfJbeK>Sa7XzO2l(aM^170&V+#C&kks31?Z`GZw=yfs z;UXaD9DKNIo+-yX6F8?Pi}SPU$d_}2CaX;&k9goI3{C-um346n<}xesXZ*6-TE-NC zNDH|)qTvIF2dBoEW=ZK5=|FpIMtQaUcG4U5hQnPs1rGA-3+LN1!laWPU<_U0?&^m( zF>up^`()QYyw^!>N3MrnxRO!fW?Zb7-lq@2XdIj@V2R*Vha)pZz`4xGAmU0|bJv0%OB{K0 zazl{m&jn(q#vjpNOYC+?7C^YT1qjz83FOH1LndlrJsw6UD^pVNaTDs4o0I$TG%q=V0$%sWzMft;%K`p&V)SZ6X`nfnF47$y`*!$ZAB!V z_DRR} zJr8B?P|mFY%OmGoFJt3HePt#3T`&VJpZ%CzX2e}lc#gG+qpm=~#erRrG_K#Rh=fky zvzU$0h!Y%B7dL;}q-WxnUH;2^BejYDO-F7Ocx%+UIdadCg#Ikgv`IQ|9{Zzh>Gp6~ zS8B4LpR|X^+KGdqgk(e4=j5jal87m(#sFgKIdSue`mjU33WKecovQ6*bqpq`5_q7# z;xM4u8L$f!1&CgS6r*wr{WprkCk{>5g5CYL#;fS*=(e712x9w+8YpO}O3=YY+zoF| z_mSIF3?7)NrTW?Yu*1^V4?D{}NcE2gS=$soOS*8vr-o%7DntdMVR}ERdWM!VQXm1$ zaec7E9bb~*^D`|T4rrwC3ErEIJ;3iP?^Y-%UntjpK)H>`2 zqt;i$L?;pPI<-X6(`KykwQDsGGdlqItBEj7XPRLE6-Jm5@xcxJ>Mg|eNx4md&h;s*dHijBbCTbspxtW*1K zweuI}{YhYce#yQW=y@J#(;Xs|1Jo+hy5V>vm!DNVyo0F>hG|z;mpcuSsz=-=Q?wkh zW(Z(s*Ve=jaV*_N z;4pV~j-U-plydTw_MHDTz7tQz6#Bcd^5kPz3O~(fS!8Q&96{7wOxuQ`3-2JT13&oOu=)DL*0>T>RBDs)QPgqedLH8`d`d=^HIfczwl`_c8qo(GjOl#@ zK-b#Ve-B5 z*78UjtAC$x_rC2^yGtF2TxE3%l$G63V};bB!^zAQ3UF!1dOH;h`JrInuOapI4XqhW zXZ{SMSJzwVx2B?j`W*+_=`ef1LZ;<)9};E^ESTKkG3-%VTN`w2uh!6vN0xbkHH0{z z?Wre+$M+;(_a_tu0_>eCeW>lQ+-$~x_kAlcd!e-F?JF)mMkxk4=-uQfm{H*pLMCiV zToS;Ysp~v$yR91@t(ZN;g4_O;nd0{fhKVnux=AlpihJ84 zD5wKuX&CwFZ<*Froug2}A3SGj*Qh_HhlY&VuK6MIRiyk9LPkb3(WH0jX3C%k8Nt(W zLO$D{J3Buinl9dVfB)`#62qelaLGQwt`3JET_NRRh+-uVotu?}CPe~Ce=2Xu@7~26 z$1$?DGd^VEjuW=yO?4mDZyb4~{FfWztW1wgj}{7GGaC%-4yi63I|iG+4-YppGbCb-S# zAXfNchM7sgLCC!(kk`EA%{wqhkJXLO@??L=0>s4RU3^LvF6g~Flyc$A&tW5Ipw3v-N3ZB;#U0~#TVuLr>|GndwNC_CW^O4Y*1=|m3@j>oEXalx2 z|5_ROin?{CnhovIANwip|oa96}&lMtrbWcZi2)0(&&71Z#!XNDzXtH0-i6ZpJR&gH>i zH+1kJ6Yl5RudQGEk^^3w;JHz}Ofnt&9@;#vSt(Ftd~vL9*LY75T?ph)Vgdc>x7GoW ze-&ibSPp-E!olFDd;fM))9H6(fv+WjPkE!d&QH2br>Sb|y!HuZD~?F5ZjyL;ML7kW ztp#$V1Z)h%;RihnwLv{ppD#nEO`I0#?yRhIt+~SNJ$(&q4XHox?jld{6s+XMF6ZpU zi{HaGuSRY$_4W3Jw7_8FFj#EJh!)i2rCiwt zH&glp83hsszLB}Mm=O8TG>OqEX3?CqN-|T}Xx3!64%&E+|8+lqk>oih%(^$M zkG;1SX!AsbVE`7+%Cvmoty!azJxm@wZp+Lhbn2uUcI7=juq7X9zp}Ya78|EqZu)w^ z`@!hC8g8quVkYn+$i6bQ(sA*yTDD!qa(iW`Z5IFh8v5GDPrq20y<9;KS^X(u5cp@H zX}k}a8`2t=n&B67>8+9t5@jQNI$Z4PJnB~VB=N~cj!t?oN2$4=L-(zGjR6a^romYA z895nDeCh&ylm(qfJ>q?2)8Q5+iQZkwR)6#@?)!|r5Kq$t_aj$79|RVn9Io`^9V>T% zJo-HUcN{#kZQ7jo{P6h55{pD00R768+sgvjF~wnX`z{aT>x$m~1Tg`d$ah!|z#8pg z5jeZXUK3N6_n0dRK75gKFWg;BlB{QUl}@Nme|UFy`>Qh(cG4qpc6N@6(^$Z7c=p?` z)%5qvy`^Crj6R?GRwC$x4;vL29`oc)Ra?o-lvr9@7;;Xqm1Q&2iFfp`0C=VaEM~5G z@n<%JZ+co`N=UxY4yw~G1XbknXtJpBqNctcIWTEj4znjD-PNzQ$jOd7McH*J$@qkL8oM(`k@-Zbb_`i#av~mot zT)7hZ8xXD#6Uf%qs+)Dl^GD=BL7dD|eWqA)4QJ=)GrI5IJ=i0DLc>#j!N$W8u?OoK zn2Whb)HW&HY*wQEEv|HmE^%OeZDmquN&zvCucRCv@4{_smltSowCBcCj~&9LV9?>D zJYwD5zu`vQaUqzCpy^vZE|XrSfx0HT&t#>f8c{wlm8PhlKZ^mYJ0jwka?LU&Wxjvo zI@vASC-ND(%*-sngXF!U8mx!ilhqVt`D&8d)`f(HMaAn_lEkn(Sssp#aAGR1WJxa# zC09*dtAuf@i`9%O0UA~JQwC_`J{m$Qb=X=KRjK?g)-sbBpYYa9rH7lG&kijv#gbJ0 zhls~Olqq7aEGUGNs&9eTmt1Rxp5c>HX6;=uPA(Z`{dLvJ+laFnDEpz`@N4F{cj>81IH8wlOH znmR^F=hcy4pW9yho%;rV2p-fIs5)}}?AvC@Q;0qbR@ZC9b@G#f$ESw8;r%eSvMfO% zfeG#Legob*LyI#U+~;>`zGi_o8x17{eHvfm?5Sktsw2lth9Wp?Je%NPU5@$2QYN`kd@KJ({sYMTx&z6%%DJlgziE5N98yq{TSltRI1=HS5*QRfMGMMyo<~o zWhIx7q}S0i*3;CMc(eX(zk6Q+?sKMOl0b6msP(9m#CPK;9HEQ~%%Tqm**ZMIqjws_OE;g?ji%v zP4o4KF(|)ODQqhRBH&mWGaMryl!j;yh@Q(>j_Qbu`xeR#&O4YR<%$Rk^+$zLGkWhn zpw^p=h1Or5pSK03N%b0{qT<4v-u)Qp=#UE{Ag#l-D8xXMLqm4qySues(A54iOUq2z z@?GrO)>e+6rvt@xIoZ{{JsH{4|3%zeheZ{=ZKD>TA}t`TBPFSHqcDKd-Jx_d(v6D1 z&?3zc0@BUU-H3EEba!|2E%o<)?>W~w@43!({yF>NADGRaz1CiPt@Yf`ecum@TSYU< zF{EXy-egVmMEKNHQNO97QM7%AbLl{CTCmWoS1iZJ*LOoanBcyc$2m3(1{?R7#{tNY zl(l89Ufq00(ujNK94uud*wQ1bG4 zHboHYdKz3%)t{YVJR*B_ep1v~(Dt%oRsgwkICw zwR5XsccJ#X4cj0-JoL}d6>ynMu^ur#yB< zB^Izf_xrW3&>wl4o-Js3PQd`%?7)Tqz>#iO-8fk2&1y+r@43LHFR&4|7hQ`p)5Co7gTs)FH+AKP&bWw6g z4}U9i`TQa`zWCZU97)45f~)WenvaaJI2@P4oJ)^fAgp39;u83*>g(?uJi7}xb6_;>FCV-WXp^qLi-+@azUtf3lvn+7(X=OL=8ItNGV z5{Vl9F1*25!8Uaj>r=fmdS`(8tR`@<&1fThJs<8Q>|7vEZ<%T1e2~UH-sDptd~FNx z&27(FN{IfQ5b)l7h0KMs3R-a?dJ|>OXM+QGghMIeWITqmU(E>UWRoJ|W8B~OUVjz^ z8))%7m$M?`MCY}vB{@O;B2A_5-?{TOdO5__7H_S(;{eKX&Hiq9XOim~2_&1L!2Jp} zx^BJ!UtQVpeE8@Asqk4oo`LvvkqcvJyVdBUrmBxyzO5%y%=m$%>+AK-JIKWrBosJx z>Ph`fq0@B_X#P-6A1CZ`@!S|a07uu$sTCR88zZblkH2iZTYl6Z&OkV2+d42H@9~Cw6C~0S8X_y@7dfUFSB}E@p0sqM@8t_YlfRC zVZ+g)-B4lY!S{W^B-|fYzaH}=361St{;=* zm(B03fCUFcNDuB&be-2Ybc!d-+mC*IA#Jwdd44@$?+q6Zq2#tbC1*D+hf-k5oSm} zfdqi`0A%+Jq?QDZx;p>dTcd}b=k$5weq%MGn!xd9kj8 zUbBUBPU%2@iV3fk10SXIZt_>=+72qM>3W`gq)wmU0G1YVc3PS`5jq_w+tFf*B50ql zyI3ZGj90J7$;s`!7&PuptOgOC<@BkYt~C)}?b*4MoWRjM$OuV7X_e65K&Dlsls$59{v+U`Pv+TC13VhmBut#su*SS%UXqSyIGrAf_=t=!I>!6@A zzGlxut9M>~{76vbHsZ+I{{7E{#gwHr=5-UrKx^9}P=H5!N}KSZ*u*Uo`=hPtB}Ye@ z;Ao2XdelT$WlkH(wHP3OYmlXF%oTTd-Z||h`4c}`er&AojTt2D8{9s6vif@A_Dj1T z_+TE?b;o(X^1eXDLYj6k4YBJiz<*I6{GtCGML*lQv@aEH$7AU)oo%VA`!0=H$MfdU zWpD>!XQN}4;GJr)f-%!5_%ix=WXE{uhmW<|`QQ0@`Q0$w0NuIYG#%uSI$A4>>Ke~a zblGKlWX(&*f9&M0guJHz)?o-HG>S6PA0ecvuiQTH-7j$`^Xkr1yZD^6 z4DZo~uMIr*h6kY=_;oT9Z4joD5f9%C1B#{LD=lkiRsTB>aXEHVQ1}m<=N06ohLGOA zT6p#3(6@)+o7BlL%j8ds>h3zR!w0X*(#W_Eb!PhHooFn$I61XD%(1YJM%`a(TD2!R zqkA{LuNdh3QCYdhHk!92K3THCBJ8N*x7M~4(q~>eGU~LuH^CKPz7p-BqtiW1c_x!j zf9uu{ev`N{%s0NRDaaT?@n#;7OIEQ9OFt5h;qzwELPZp)YHJl)Z*QYWVq3+~-0PlF z=S~D^*j-;PoJ_`B*5sF;h;=OJZNI40*40#v3mX|9`4pS-eQs@SX=BA^%l_~U3(oEK z?ngX70d-YBRqlX+OvV^8uB=LCz)F+yGIo^~1MoyQe&x(Zj@V@*co zPPj+T=3=Chrpy3{uY^lWw8%C04Ug#`jo#nC<6}G`A9Lw&9r)pE6Vm%ITZl2!yq0r0?C_v11zk+}SD@CQrHx zS|E=$QD780lr&HEL3DZfvduv~E!VK}YJTUa9s*^^mT0pMz_>xL*{7_mHa;mY*afd9 zQBd=(a~85!<|PG5Ngbw=a#Cg!6;3mrAXwt%MTzrh0f^>z5~&crO!vV8eir zE^aPS<6ddUYa~|(aOF%3)u|TmS6qH-cpcap@67iZu01tr+?|jVA7OuK8lO>qvOAaR zzY01+C`s7qS_HyZ=v08x2LRBg=xDhQAB6DyX$Bf*ak+7NH@kx7=S3)!gl*>Z16ymH zPFS%0_-zkkPu>Ll5HgjHZx>frKpSFh12;-h$qTO+B!MmJiwZ&G-&6He#EWp zMRz7ZrMA46CB8I)N+TjOM+49N)-CItPu^l2qufl%MSP`|(`t|de5r{<+r_|?ts5>x zZn=6?jwQa%5_9HcPtV|d>l{o+donwRq05*65F?yy%v7lp-#ty4%(ax0E69wA0ng9l z3NUE3>n_d%qn3>!46KYEi$!$f0r(Gng!8W7qyf~k;m3Or$=K9g#-Aw_46=ZkPK|ri z*awpB)}>eN`0`30)UIoK4oSn;utR=;b zQe^+g)z?zPwcC7k@)d9^|JCmHvb*H7<< z!s%HU%+1W6L0Cd9xMJfe5*BSMwOMem9~i4{Oq5fFwoAQ}6%U?*II41Q=UP)EtP(>v z2407%W1zIDqV;~S%d`J|w10*;IT4;haf;A*53fYpFNGKIw=K(Ge~}ZNIv9-X5q93> zGRemVsUfT{6Y|ol_+HY(;iP1waMJ_U4OV;U_XK#H99*FP{h=xSrf@*g=jY?i;>;7& z&yB()fB}*)_$*94chKDbS4W3Ge0^gh2G%m&_&Js(q*edy9F2oxh&_B_#mFRwGyC13 zvE_8(cFJeoPx&cnzCO)!@)(0_B+XS02Zx7%Sku_kGu=GM{!FN@GVQD{*?Wl3m)>Tz z??Y@Xn4ZO=8A*nvxGi)?!mP2GQb=oGDP_?>^ozKnM`aFd9Ut%NZ&KI)2>9FTS+0jX z$D>L*{2N7B;u~bXT7QF-|HjQ(%xb=@wy_ThQad-t>dQ(h^`dMTB{r=5! zr>Ey)P;p}uBRmCJ)sgr!Ot+&oL~P>n`mzw1iI66;ApN1Mshz8s1@s*br?a<_C?3<@ zm!IXwJ`~ZUwKAmH&M#*9;cTw#S1i!US_9N8FRMr+&j;95 zegzX;0v``E6B3$pD=|Ga%FFVy?rRewJBB_qyfNgr-<>V|&`c*6YhI*j2dd)j?^|+d zX_&n@;Lv;eG{x8VJgQULK9pDAhLXr4D%!44T03_{(3$1tl8q>|8v;osyi)qt6OI;* zMYYB6GXvFpR2@>185FlUx>_#^;^y^(_ru5LFfXfI0)F~gbUsuLV9WdMDC4n@flbN> z>yt-xr^|ByZ$(N$_iymuol;IalS1|_nF-~OvAy+nSWyzEKkp&#kA#h#*OIWFS}`+gEgctKl79PwQ#fx4bNnI+M?bs#uVquFbf8el|0_R#S8FD$0DpW^!)vemTQ(g~WJ_UWF}Sr~nREn&P9#CH$uqVh+- zc&GNMlT%xHEz^@lpGw@5+8Q=i`Zi?kpdh|cr;&@E+GC9Th_Wo!WMRI?+Dq|U{I{`B zEfN#aTBR$dX;l_wTtZrb8Y0?2@ERE+T>|bAA@W9G33iOhP&PA^Xtpt0AedRy7MIf7 zlb)Wh^jPNu8UkL}9)G#sglFv+Q3`FHUP``C(NAXMR9^6;>e^M|(adnVp#^rAsWWM_ zlxNj3tes+q?*$BOU8fo+gj}Sit!cL1kN!oD9vXWy8pXQ%8!Y(p#F#wyRAj~-Z~OhW zJkNeQEXS0zLl)JiF4)sNBSjsY!?;mn67VDY0V~c_B|%mUCqtUFwNvfGq09(XBnhF^ zP5-A<71sqUhKV18TUzD5aOXRXaMS_eQ7Pe>OQ!87{>eR$`ph`8F>=}7&jhKiq0%8U z-h6;51PIlm;t^`8!H1QmAF@=>tY!7}Bu-9!v+p=;970F~v%*0&-pP(b&0s(p_`PV! zb)hHAm!tY3cvWs_IQ9{Go@A@B9ULSgTd=9t2%qFCFtE!d<-TBk1}T!J7&(nl;XZ5zXQAh}98qEqe6$c^+N*(dm6`N{lb4f=} zA<=<0IW4))Dx)WH8t)3dZD+hE_rb05$2qMj=4KJUDPo01Q_eAbPK=Aj&|*#Y*$HBN z8pE!>G+n@WCgX<)?CY4tm3P8834Qu&CEB($fpvf@cHHXxc7bWGq+o55*$mL3=%0t4 z9EZv?k{z%UFi6>sJ2K!(qKCw~Z7*(HSUmW%53|n+ZfqPuw8Sn^2sxx@r87^hex)vr z$ZL20=EUbMn`4@J!F|`{36`svsNg^_OHlKiGx|Ljbo7%ad?NJtDul%N3SEVGTx44p zOBtI#2Wurli8~CLxGee>%_M#FXM9V=VoCb%`n^O1{w$^x^;IJ#UP_d~?_9jQ6Bi#H zUt)75M--m5bNZmms_VzQLBs~xah{%*lIFNmmkzN|`r`ie0-bRSm1xy%SkA|z`@4r& zn1LkZxTIR&Tzug*cOmX~Q$u&AzQInNZVJ`qW~`x$OH|W&7e883CqlQ+P@SyO40eX% zgRm3qJ?zye=S?|pSwZK?%c%6K+IlYq-3U(8E_X`3*U+hpkg#8y*jHzw;sbMIp9y>* zW*a9|Tqb>EE=xWnZ@EEFRSi8&oez2#wMXi9uh2nU!I4In>?tH?cs#`vs8Uoo84vmL zQ2KRWG>n<~@>GX&O>+w@6gYt5QQ06Go2O#>S@Lvaa^jn3GMt=5K>kzXEvghk35=;# z#Lyg;(zffa9c5X7l<8_wp;lZeELthiX>MgC0NDDKJa(`PH+e5_r0~Y*!{;{{f=-J+ za>{Y!o_^!!wL`niW#21K%P$6sy_=(%afDbZXKNWXcbolx3ICKBkG(5%L`WJ5*&B0Y3GKD)S=f_n zzf#cBpbz7PReb5P`-om!#&eRJoz~bol?1;O)ejHZ88C~)DmBW$wwl9)cKO!&Nvm=w z6B{NpN`d}*tz#Ca9yPpNa}*>7d3nl5>YmUYawD*CtNa}ey#;Or=SL3onwPsLG0iEX z8!xS}hLJd-*z*c>0>(SDmmC4gG1AMab zQcBMc8hTJ^X>}nkmdJ7Chdz@X8j$evop42sKE4J&lh;rEI`imToT+Y=ryRC;XD_2e z)`{4u9UF8W_?0`KIUO8gvab$74WCCTDo8tnscq922q(C>~^nED!0N_h$eOE71EIT|DJ@HQ@AD`=|N>55-A^dlD> z^GnrV<^n?aEr$dapqAk#kbAoO0Nctevs{z8`{<}{s_K;!Q?p4=I4=*!=x7HydAxvt zKb-FIxu1ltrihMMrJU)L!Mm;O^ey^aYs!*hI(Z4mz=Uviygjj$kAXXL`z~GQ{un2f zt{3ML(B%Ew*8K%MmLYnuljU?xpp|;@V0|P|V>%B~mLRQ_@Vnzbm z7_uh&`&+}|)NB~sy`OyJ*m8ykl=V6mX_>g(#&o2}69i+AFp<4n+`}iNY$TCj*?z54 zfCgM%v1oAp+n6;#ev~UCyQ1(Zvkx5qc$<>PO!BQXYcf>vdu+ZUJ$!X2F~Or<<|SE> z_U(EmZms22dj*A~$R)HFE8@L+mO~pT%j3N*FWfMcp+MzEujc|?>?2nqM1tddCdyPm zcs%fh=Sk9Y6IOXHPOjk}38W3ohQBI&hyr~&mr6N?X(?{P;lb zB)Eo)XOuy{!S8*q5Kdc$#Z$p z&~NAAZJ^HNXl3-qK*y(RIu=EJwwNEL6y*awwn1e62_3CTqijx}4&7;}f8{t|!n`p$ zy_hg=$px8+r|E>7-fVA;YRgWa*5#ReWD2g*Mqnd543U~QlyEo}pU%ZJW3(s3{?|L< z*YkjrD>9dcdE1&FKzVgRnDy2Pw+)9ZWOX(Vd9_&rd5jNce9!gmoXN4<4L5U*?}-$> zDX2X)_{{o}Bsjq{@zx}5(xao(4uV_xE8Tc_S7p|mKz*imu|G)$<391H)i}= zes9nRus*Rg=yMV12=Mt1>lbTYe=t6m`XdV_c}2?yTJ!-p3jF8z|D;g;Zwb$TD|r5h zeLmgD*G~Tu_y*(6#QK!qt&h~{Zx_MLIWl#PGx%4!=gTC`^XH@@$a`3e^d`NW? zdL4aj*azz(ngsp!r=2YG?epu>X>B3x6q|;A<6!fM;%&|5&};ofDol=R5@EO1Qub`l zwB>f61853U8urPZzXGdIRr1XaaZU^y7fsm`qBTv15as)?)%2fhAv?6w*tLyv97f`C z$m=IqJ>84>x-dyFUaMUi_7!Kx!Jgl`rGs_i8)Y4K|505Cx}FI#bu$Sk?f*Q(-}t_3 zAcma@fMsQApC`VDmZMa&i#8mPNMeJpeJIC(YUtQ_vJP6xw2JXLx+< zUNaR6Z97|z4ev3+zuDsk}3CZ{EHAr=IGytt-)Np=t6};wk?S^U{)lE zR?_u(87PK@6f#nVf~ZM`@ed_I-)>AX_R=+yHnKxTymt7@88+DUg5&<}_DD8oKHU=P z*N~)TLZ+oXH6vQwen>rx3|03_jy8p4y0KZiW;D{!j2V<03Y#pujS&rKRTZwalxkz8 zMJP+Q>Yj1yU9>x?jj(rqkL&tPe|DBH$a8QNsy~s({QDh$8ip6>y_iCCf+k*{=(1kd zV7lC^9htI~CCu=!Mr=S0a#8=yG37vnuM1B+h&rlGL00E1C1tOsi|^Z@f4yqPAY08_CRs@Ok+e3XWY z8Q0ePp?Dt^pTiIZFdU3~@luk&#Qt}8hmh;(kJNBvYU<#Tpfh&#pi@IbnXr+qi?TEh z0?Te}TD_+89=U2xB%G9V-9ghzRP;HXMjjDmXte#YrMPRAW?pt??yPMEe$irfz(45m zmI!7@&yg)`Yi%|vLy-w5z>JFw)FGda)2|(7>wo^^?bM{{Pyu5HB*i>oxp8*8eVy?; z;gNl7GY2T=L9C{>+*>mlk2CEO?oSD1DznMWBGqE>uTAUg*>^8axVSm-fKL`F_lJ~% zf~2=hv?%~c7>WS+Wba#=fe)$T7w2aP>9&-nrc^&1O(vrBvB~(&n6X6Qb!8Z5c}Vs0 z*AMQY(cw}G-|CDNcvz~=_O|yb^S4rI@_gXu|^bN82@GL*r>i0Z=AXvCG17o>olt{9%MLK(S34A-9w2JvO2i zB*1mpy zk5DzV8b^Ri;FV#_kmz7Oht!OkC-u@{AO6OCr=j}ny_3;!ut+&%1grgr5nhmX&L>ThBfy^WZ#P(pft4q2d zE32ooJ1aZ)@k2E6@W%Gu8C0v$OB`T)yj+S`-{67oEty`xyuefOeXBR%qS)EDEXg>Pbq>ZoQ zk;9%s+@n{=EdDZ_B3yLZ+Yw{R2k)kNA)0vj7QMvoF$vCCOBNh)1`_ij6#jw!TfE!( z{*jSOl^PmM*lznRYxr5x8N)Ch0opfDQwF}zk0sWYkmhyCZg0!Q- z@bmM#xm^rJ7#c}oB3rt8dFkn_n~ofc9lsGItZQd z%FD^4Nf}zSdoCUVIBDH!xevnARaGN)P-hf)J`zxw#F6o(pUHJXYz(dqvyGa;#w#IP zG_7LLp}w*AYzS4a6V7n$LKLvlFySBpDx8?SE+V_jy#;_CgQmQdyV2VC)VB)pi=w=Q$kJB`E(Rk}3HZc>mx4!|rhdiSxv@yaW>+Tx394k%sI z*#Vrcygn2Nd9V)-g1lWuPmIHHm)WBi(?%vlkgZ5G zQJos|qd01@E$ZG+w!!e`Bap!8Wo2?%L z=~nMtp$fyWUbT~IL?m8+qla6&T-@a%JL@Xed4)H|b{tPEoPqH-f-vA);Y-S-mHGKL z;{B5yR6=Z6{-BxH)L~~!hf;Kba}ZooDgdDMAN%V-t(NOrFCEuMC=!xq$;p^RGu@Uk zQE|TyV@$*2+*`jytsH}GM=&XSkL9Zj8oDG|c)Qz=1>#Xl2)^T~ zvaz_Uv3Qj{^}vR`z0g}tEp7YOR>v2doRNS>vHXlks#KFR|DVIrsT`ad--MeRl6|!! z9%Xpui&M4jGtx^nb}dKS14f2_1iujjSu9PncJ0RD_{&()^x}^OX0j7}Tio_2d$E%n zauzje+-y$bsi~qxN83D2gR+>|dT$Yt3|Yk4@Cp^#BXkHUr=z<(?AM8&SAW^(*VHAk zR&9*dBDNny|BNY%p=?HNJxJu5!+8Fv&X@d^Sq>3?42i013ck1?^eYEe$Nw_zP_g$+ ze=^b6zc3|OtIS~3lY^Z%nzP`@8k?A;mT@9gb7C*a<4cLB zdSMT3d`S#5TdY8d*5m*5amATPb7~q}CCX4%lIL14jSSjSWVctl?X&K!ZCQhvpqG6} z%AM?7rxz2`tTRjHnVtMwhJLvSm8NMFtGYyw%ZwB9LY_Ox^i+$Vs7#f$C$BCw|||QIS#m zGb#~pQWae<(8l<|;@Xtnc5c!0@Zat~pG9dF)|^^(agK)DpJm{OASJtQ{dUsFYWeA9;~ z5?0assc|@RNe1i4JXk!{{1u|RBI@r9F?;^?zIGy%Hd>Nemc@EIQ5QsbBm^Pk`C0jf z1Hm`@W7g2*8u8K}g(I+cZEv7k3y&gEKdZWOiN2(0<}3P1VLal?>-Z6kLLHzrS&U7Z z_Aw$5R$LZpc~nG!4t01KIaS5(JI8so7?1XMkN0->!B6ASKieX1Wfd2*fvj-X+I;4z z(}FmgzF-8cYLvR6ZMariip5w|-bhE!<2jMrzQg8L3LHf!a-pPNg8LQjLeb4z_I(<`Lzwul7_y7NYoH@x-!ChkiKX#?h=VMFgow`q*D?lU165T!r zwz;K&;M=m4N9a1At11uh51&z{Oq%CQhITH=(&G9X zIUXO{kbNp#a>SO@C$S&rryifRbrHJ0))n$(t4xq*THbU1ulKF$Wvnz`o_L-zSWHzT zB4U_ntBmwR$narL{zoRZz3zSPJaV;Oioos%2yI_Lp};mk(8JyBcuOxP8j%oY&hf7VnB4$BJC=)dmnT8b?X-~1DKN-=`4`gVYvB|!Y`$0 zF3SA1L+w2YXqn*1D#x1H3hcq(u5Rd_BPJg>u6W9b%t0e3!gzNfT-}i{ph=qT5cf1| zij#QY0Y86r7Q1oeV`2(^dXvq(|-U=_R%V z;gT({x8I|KgCiQEocubL?cEQxK>G4Z&=o4-w6f=HUb_BvGVJ`kD&+U$-BWjD2lUCu zf3wSM+hpRUpD+W`rpNk_2$LOUVuQhrGv~7iQ8%Z0YPRLOYqis_xLx{)2p4a7YN{D& zvLnQusd4?Q-vHwg>40a)YS98Z4jJ$oUcjcHXJ!cr3P>z}|0=1seb~Jg=0c%nY^YpP zUVc({b>Xx%{vx`=z^w&8EC-?0n^@aJOLJ9pbP`3hG~4K1P^SL#4}}dJ2NPmjbz-i?W3L3iB zCN?w7kO51sjP!VZJBGyOxyjl?Pd7IVVq!Haz53j)!>^~|AEqD=G50a|Z6_R+zeQKO zwL6w-I(XJA2@>UOx48_X`=%{~_gX#(iEwssv6?sg6N1CVFxl?cbUGitMc<}Mj z0kG5)^YM|up(;^lauzPpjlK+-*k3*5gRBo`6nK5AM_G1sy`_Vs_M38$dW(uQH9udp zJu6C;0MD{2A-w+=Wf7o&Rv7<%sI$VvgaioK<*L`P!ctq=?30D<=mJH<7i8Q~%ha61 z+0t!04+kFsl)Lg_OW<7y&QKI(KBFG#6Qd#x;cnsR0d23NZf<>2Ku|KbKn@IEUS82C zqRxzo6T{P`1*0QM%$lp#vn8>k4lN!PzA*Ceee_ zOTaK77se;XeZph5ZeK&fLX8*SlfwP^^;;$)L@OZD4dpwaBf5=?)J4Kp#{+699(;w^ z=y_?s{M%VD#@#)fO&CvWJ}#^fzI^WM;{Ox6$Qb70&uV{&Yv-~Nh>Vl*l}vC|GV8h5 z+pxENTaEMK3%rj!@c`Kj3gUn;(EnnO?ZOLF=u!fb1oKh`X3omwy6u)dU=bu!Fp8&O zSujmPlI4Sj1~^R*_UKd?j84yF;t+8mf7LJo?x#O=GYfQv^H8_T-;>IhE!+bc5>o&I%)WU zIXDIv(_elg>S1w#hZr6o8>6=-ZZ9cPXL4`=;=%lAH)frwNp|*u@u;DpA!rGr30a)- z#btJTSr!Unw87&D#jFw}a&*IDH)^$IckVfOsfUJ?5#6eKTEvg>rJ)M_{lHku4~K#} z1%%j+p_GuKw`m;x6k(z0v)O+e{7Gw_Hti*=U)A&z^0EUNC;(0S9ea2g#6l$BKp|Wi zk{OB1ge9rP-(+&puIDTQ+03yttJbeyO!>pxm-zVj@WK>P`e4(&zO1UIl{31=qb*x7 zef9W_45vyYFx>gT_7gyG$Z zs;@FFg5BoLKrFjiR!2a(xCC8BStJOA);CxWtIa0FL=C(?p;z+GWgq^{?qewUmqV8wb8FWejpxu`l|!AGOcI&livAI` zIV`qzgg!M)#DX7q_pbNJ_H=AioX859yg`!SL!M;;99U1J4p z8rPKeRE8t1^Q~(yj#gk58YF7~@J-}`t@dRH{2mziUbwsaWA@t=f0>@9@&AN<>>0n0 zkx9qC8-jfI4p6o>PxlN{+kAb$o;pJqSXdk#9oGg6ghM-3a)v(o;UpyKrFsA9n7!>! zJ^!qGVPwFwRL7Ah@*hmWP?Al6rGjVM9+qEMofC*X8p(*l=k z-I9+EFv@O_p{e|Mkrt6f$N65v5ic>LG1}dAzL7#oxhHa?5u_tVN|&5e&EL~bA|De{ zg1r<}F?RFX@232wpq_0|X+l<;Av{|p+sh@Ltx~&S6cN-WmGu3s5$Ta|G%M}{D`PUg z4DGM1xYKY)8Rh_>-|?CX1d`VAs3VIt;U|Ve|7DnsKKkhI9bT^JyB*P_%#7sG>Q7ys z;f`^eaDT?HCapa#h{NX%osn^zYva_La<8=azCL=29U|M)Rq_MB=xej_ji7bm)dhH9 z%92KYz{X1F5A=YZK)KeI_J0Hw{%zH7m46`{5cBzOP9Fxpo6umMQ>7{)b?HUX%Y}!S zXWZ?u#a-Zin4agnZsx7aiXYHROA8qL3rBTUV{cKpg-(ti^fJ17&5@-XjPeElI{53S zh2Iad<4U&fU`L`30f;PIVy3Nw5+>TW2}v%lxvVaz1Ct!VeKZ-Y z;I3OFugeFa493BdFTy8uq6at_(uRX9{$2D>h7V0aH<)W+CB-LAbE%rw--BXmfh_ys zP`8@muX-U|Eh#DX(pi-{owZU>5DsJ^0fVA`E%zs&(795q6a2l*pQ{j-O;h(U)pLNr zl3hmavDRBfDU_?U^KHXEGa2;SuAW3zT;1knac^DJq$N^AA^d+giWJVyVE>Gg>$)_e zcZ5U?73pmC30UT9J(jWL^6OnWxOayosW*s1DmnpkM4yASOWeEPusFp6|KA0k&7Kmg zt0E3Y*opibW;aZC9k}>^U!TdxDSs(Of1^Pl;jJO|iN&9n$+cECG?Dh-KfUIDHTxdM zf&S64l&6}M@E?K?h%(q@D*sNn_1D0(>J~O)Yje?={bbeDhKhu8;K-bfP2i`SGPgFc zn*`^7R-QlG!3=}z_%wyoKR}|ivxWizXWN8Q&DI0wI<7N9Qh?Xea|J{Ck9j#ZHC~`< z-RW5VjMwGXO0U!PakBx=O!pGZy2(?mcE5#~s%GRlAE4~hKZbu*6IAOVV-@st9z~Bv zkagQ{pV3ii9_xuzNS@yKw6R*Aw@y z{%0l4CasWYp<2r4DR65$9i8f%3%j|!pG-t2m-z)nUDJY8VQ;7Sh2Q@nV>tcDP@Uwq zf1gCK_b$o3v@E6Ab-m?PXH-|^gNv!6mAnxBXi<5}Kr?!%Z;lUEJX{@athdt1YG*wBLO|t_AeKY*Fh&*9n!m^=ENnRn0x1r^ zD5aP3f6K5p3-bwBc4v_otDiZbn^(gRd%H+ZSUJ}J44O>;wpZJv=!si9s5y1W4?M&S zedSjpzF*(PYi$!ySFWiS)98wrOue{!?C2?qQLn4*nwc{HvtXxisDvsu!x!6gVKIw4 z3+YI6ppwntbqTVTM6w(DCy9nqO-IX+&84H^w=HjB^% z=U9*!c~>vgJ2rtaGD4e?eq)N%&}az>QlFihZhvpt!8)d*W9N&~`E>KdtG?fosNjdG z+Qh5-Xvh6wPW*g6r63_@WTTkix)S7g=5{rYsu|;E~aZ=5{trEYmSq10tX2~ zCpX^P&_znt-OT5;iMMX-xL@~Au&!gZndo|snwPRss0+Dnv=T+Gw?C|f~6m4Nb$I9?x)U-5IusQ%Pa_4HfCw?f^%^6geh;124@b~tyCmiveW zm1~_ZI503;Muw~xZH9|3x`}zk{y_#Zi?%k=btEDF?;DtKl@ zDDk{$#lJPbU9OIWsQPgI3@$q}HmSY3J0Dhagbv28K&=wx98S$V>z2N2EAQ{JPx!lLM)?I9<^I$KTUQF-CRLHw zR#jFMavb`0GUF`E5Q!TGYI=pP?v|?w2^zk)NtS;LwYKhQyzME#GOAx>I;06H*03Ti zRm~XOz-k-V&mP;xyL)kD==e(i?aglCkIncmjB?y8g0{<9#EI_CL%W|%!r8wM7W>op z&6xB~KZhI%k)Klo|KvO3vTTPwXR`Y>%QjR#%^sm1IPHDyR zB~>&O65gBa$Uy_E(>RmTG4S;ah-%O@g7Ap z{_ehLHdTy_q*AcRrl4pZ59#ja1eI5`WvssUXG-^;qB>rDX(#MlstXS0HJ2$>RMAvR zVtG8K!PJ%=2W9QO4PBfk&r(&hC_VZLSfen6=GB1>C+87Z1M1uwgIW*LDTE^r_o6M7 z894C-ODx}5c{K0S>8V(h2vDAsCkfTN%?0VW;ZOzeqn`7*|7y^kaHNFU7KR4g7xdsN zO%rn&jR7tIB6XLZQ&jxN1pV=APT(qYyNy?lTY}P1ORnm=K*65&rZU*~xtd)fBy1wY16W5V@O?Z46}+GvW|#NFJ8CR!CJ7UVmO|p&7mhaw2%H4w zuH@?JAZo-C{FRn7a|_TC*s*e@_HjchE13K6`n3v#IL%KR91!J^YRUw7q3u(3b~np; z)&8pqk#Z*+Q_txexY_x=`s1_MvKCWWRe{)70t&{u`+is&x;Ne^;olkM=LiTG`S>f7 zhK*?vDrxzqH@Tn+=qC9q<00Z9zVQ1J)V5hRzwGVr8x@Tm1;?5@1P9uE?f;o)(*=@2 zY5ha5a7xxmgUiZ}dy~H+Cw%Q`QJea~@KsoU%yMO4H;k2ZRnR7Wx z(H{fRj6`C}XEXR`=3bgg4-GWU*SmZ8PSqtS{V9%u7uIb&QF^lbxtZ?#Brt*7ZlLgu z$COS2mFK()9flh>u?fU=@iR?V9G`dN)NpI_)X{1OJ0oSC+iF7{c(zXj3ULBk`JOm^ zhgbQa;q^Co){1!F@qY^;Bv4RxrY8Vy5TU|1j-VPM@0nPd83}K#EA;H#*_Jncw{X_` zBOPHkvs$qgorJEAQpVt#PCU5=6OmuHqkV}QeZZ72D$0rbhpQ&YI9Btz zH&9m(B`clvwU+uLqveC8#y14KnNPNJ$WdkJwLcTRGvv*716LG7}_lMh`)83xZ6^rbG77Elwzz@-V z-0J3+1W}YWLm5=Ip^21CdEO)-IQd9?p?@JmP2kE^L(D<_?GHo_Qkj-FDcT~&YwyATqU4YXYRn$gprjKU3#) zSOQKU0%FON4MX`eA)YC#$Ne#Kx~dJgXpurxwdoRIGPLQEuW*~6k(_Xb&r0RQbel9b zNb)e8JwriGpm%mfv$JorO|YnKl4U)|1%`Xyg3TC2XdVkY^y@deIIT@zSWDMp$?KC# z@{uRRZ6aO!q}71R6NezX5m|L4WaR}`ii9K!3$1EsbF2PKKqZ@1Q4trtJD6=bLV@3a z0`8^v6t}VYvPwrmz)!;LrV|QXzj^OKDG1Z~pzgacutm`84OoL3UK8fkct9$1`yq+r z*KWYLm36mYL!^60d>t}(kuZ%duSX5(Vqhv)wW(2`sx^dHd~EzkIR>6Kubr9(0Ka}{Kkm7V@ha_P6y9@5ZmME3J> zGlY2ggsZ-l1eQ=T@&o7d2jc=@UOm3;k&^zLXR(E+;%b(dmZq22Lcit~;R63ah4*%bTFZ7V@K&R@G7^ zTo7K5v!LuBX1ldpprEeODFxILPug40LoF9ZMv@)AQSi%@POI8zmHkoq+KTiA^d^Bz zhW^a0$!=;YE7Z?OSh`!kz1%%rF4}fK5ZHn4aR-e2h^az1fAU@N;C^2jvdrPoaxn{N z9)?K#pCTiPVtU^HzPLfJvb)5B6PLPbu4G%aZL0#t%sXQ{U1v9y+ZQ2t%bY>a zm8|CKUx5b=4E@<)X6V%KPoZSOSvWfSNKl08G^eQvABbh7;jV&{3#p|;zW3zY=J%ol zVcv!a;kyAJrBbcwa-}G$$3CRrdU7{w>P2rOz4q>EQ?w*Eq@EEAR77=HF1FbqJZ!)m zN=fq29C}41645G^abH%RY8F;6Xq-oe|3w>W0_$qU+#i9ymTOurg#*#svu3wZk%#tG zq}HHEzDa>WU+a!V_&j0PT1;U1%T?h^47!d_5k>9*_kXlY6vamkHdOh6x$ zI*Xl(V`~afL)B#lyids8Y5g^G;^~FywRY(=u)iD!+;)jlxQm+%NE?*SVj-|Ez;fKXsbb^9YJ0ztfJrcN>>*^hy?s{ zLVO(Js#1Z%?pah#^$h!GB9D$4UoXxfvx5EqZVI`-+TL^1 zEi3&T9+{dn`vK5{-P$B@Zd?pWU`Z75IxrnAGZ9D}gK^0603x^!4MpUQ|B-(yUixF` zf>!g_Dqvz_&&dyhN(kTE`N?X-RH)aTXqTFX6-RG&n+~Y!G!3b5?Ut;m2>~kQnpF_! zmJO;}SlE2PV>Psba_fd&L1*JOD*a!n%W|sGQ~)U z5&HA(W&Kby@N}OE7TH+-QvXk^x1KY6Dlq{P!Aij@>C!s!?2jW7h~Rg7RBl~6@{v(QHGfzz{II3|)9z0T{*xo%Nb{2?naB`P(U7|?5U;&5 zd$DTDcKsFW`pk7^*VQYyn>H`*r}cjy9;Bu=4gBd{n*g#1s?Of3&H~mi{(POuWSsM# zjsZRc$ku;;0lfXM$qWBolk&eF8EDf5K$0Z?0O!Ct>}?j|&Gk8ipoeF%UL-KMP#`e*M3y*Ztp)oCyqP1T`#mU+sm<{&OC2jQ=jf0Y2Vf(`E<<{r#?~S~npF zsJ8m&h12x&@2CH##z*dd8{ERHJbCm_6dSbov|*s9GHbZ6{;xcPd(D z9-5lh&!w>dqMwh-d}cSZLl>KS17~%m-dDsxN@+ExYSM7^R%HmJVW-H`;!%a`;2UQR?F~v%3Dbxihy6UPYX7p>R*#|<5|g< zw{a#dn(!vz6X8R*`ZmvyB&6y@=K*!Kn$6sFKNLV)05^I$)25_&bVO$D>_$TBTmP_p z@oRu)#y)x}EmdEMLQs;IwCs=R|L3)LhJ?DY866}QJKhV<)HSYs(|%@JEYyR7AG6yjqRr;ekiPunZ`KIT|G?&)}} zs0ofbs%*6>E>@FOUwl}SS$!by!n7p94qNz+?Q48C;Z zkyJC(b)ltI`w?%+Q}o>)_xGuC{uLRPbfGO3b($g*K6>KTqpYuAF9e?90`fqzuO`J{nr5!aU(*_z1e+f?y5r;U0ZN|4biX;WNS!=+McXtTS|%DG zRWJkBluoO3dVX&pc`uB~(o+?8k!6vM{S}z&*~~w=KcIHIkUz3;yrPc@6S{yrKOz>W zb0cAK-ubuys4V=S4fBfb_%~4cItOLemXhqZ7+w7bxer9>*_O9SUMw_CNit6>920c3 z9qx~sH*+t&1T+A?xjtU~64Rgi^9jh3hVZG%Q_!3Gj?tWwx{vp)om-AKLKJ&zl<$5~ z>&d+F_zxcT9P?;pzh62YkQk1Wy-W}-5&h%uVjXGqnj7}X7qEC*-mE@Eu|c+%w?^aQ z)j2W1hzo5E#Wm7n|A#eQwu^6}wz^(`ZaR6mlCAD+wpyO~rtkfhb)IUg=W>k?;RqRz z*XaQOgtXWi-*wI2+>HQRXDQ;L3(y+A-3z&tyy$xzPQS$CJnp9iP{pi$_*8bd8tLX8 zzr3j>I)dQr{th0c<>YU$r0 z4k7`pJm}Mugxga!vvB?#V(lpt#*&sxPLp3&2hQH?3ri z#eQ;Wz(cL~Qhc3@l`1zNNqx9XV;BXFVHO7Z`N9BO#|cQT3a|j^5|MG3~8O0js`{ z&wj>Tn?77F5HdQ^U9E0?n0$GoiU9(T=8U!()5k8iT0$4fMfiRC(aqPSGZ2ZI%JPyZ zIniJFY_9+mZEOGVv}=A?VVDJwul9K;3?ULdQFE!D=pSDL;tFFw-6;J}f!w2Hjt`5? z<)Y^|F2!N814-HWie%NWYkiW^NMN)jyN)mCP>VN9yU7jqQDs{_mzMiQ4W-L)8n35; zidj0gA6R+7Z+nmAMz;!yRsd*-QYiC!pG~;!>~M5_RGOVA4Qm4s6Q7x$mIjp99FK*3 ze43AE?3;epoKzUGVT1qE{x{Ir##nF9gE=s8<7an7{kap@BCvP>Wthx!n&?^aNSEu! ze0FBorj^L%@2=>w_25^ETo!%GIW@cL-%(fy(M8-x(i{bBwhX#KU{f z$$6d&u*j2xGE?~2wWTyDaA7d7m3p&CwTW9?H3Rj@2UGU36?y^AgUjnSKJR;OT)<%% zPUT%*>1E2(<_E?OATbRa6*8C^labt3<@DEv_s^##&XLN-<` zjUVe;gWxt`_i@&diVPgh;P6V7Dt=zOfBWY#O6f~%EMZtsh{ma@>-&s1zAE^DJHD1v z&~|INb0z zluw`#m2Pa@(hUHdC;V{7zxA7X9EabX76APXRLKq!jy^zp4HH-IoavDRIe=i;^oL5F z8AMa7^!15h!0kQIb-T2ODBG3QHYkeNJ``cAuLoHQQV-H}udU z8_+aJkn#EIy~dX(0}G9<6a-{Y*gS`-otuI27M$c z?sM|xewJT(`<@NW^Zg&TRk;AFuMYpU)WW5lCgj_@`GvvLM@XQhlDa$~7Lv;6exq;t zWeZAFTg&MKD8oZd9WTC$N#c{>$w(3>c@0&ELE|X{Zh2^hQ@&Dnekv-mNpcN(%6x_) z3;b(d1nzzuk-}pql+mlpZXs(R=49Zna`$+)7F-6X*?)fn0oIq$U!4FpJ1^?9TTeqh z@3E?7<+T+X#eBF)17<3C`Kk|M*Z;P_CHmWe5K_kR_FX+?$gJ(v2^BmtUC8CaEE`x~ zJ++j#FUR<#O4@+$g@<$J?3$rpiz;Ir z``|ula+M1@@FzQ{E9lijp9(~QBv3D(VPm+vIElDk;OpNsO7xbbrs+DaArzJB6EgfZ zKl*IvS!_PsoR@2Q3XujZ^aI(nLafOS?c{ld+KtDnm2;Ey%*o)^+?q2r6HfRcQFr)? z30|e;PP<4!tZJXR+~^Pmm$T#DrP8Z=Nb4O|)OyQv)Q7Y~g?V*t_1`|ncxX6iR8+4% zOM+2INxwP0BcoSr)N}Ue-#SWI+*)tu3ni_q?C9ZDzc7%LeyOH>+;49}n(MgbyzO{s#P`~7rBEOMb}J}4-)_WCH=na1P*%kG}OSYh#997WEfT%3hRH26#3Uug~ zWm{^D!KtQSYl`o`7GoSwC1j-V2p{e*U4cn8868}&F-!dH`@?A80-Uz7k%M-kZY_e3 zKsj^wM?M*^Xn)~vji#OOM~EjXKtr*5vAp!$m%ysA>x)ZI;%01gbp*L}?3Pmx`Uj1j z>0+OPEb)sJ7*vqj%{Ud|nK+#wRPmku&h2Ja)^vwTt%s}eX~Zogszpc`&xEEws%W32 z-nZ6gP_sEIT}YaB+_E--sd#&6D4B~%PJq|o{fwo8g{6#SS<6=O(sZ!GuwC~c_yQZV zT1&o}%__0xx%7KEABp#*?kjIZxdpE%P8~f`1ewkkmQY#Zo0rL54eNZX?LP_J{H5zRw)o^;(?IW?L0htpfNyK- zqkP!%kF2#i9`QvX|)WYgcR=exST{PL}MCEfI+HEU+o43af4qUSedh4;c`~;TC zqvr*Dfbdq8RhKnM1p3JGcFYT+$>}+s@wM4^@4}|6-TdGZbr?iMqo{!h_=W@4(f#LP z6BhlJK=CYjRjliVCAuw&$&p=g>3{?-tq$L=zwV){zzcyns#e?dSBO27J=z#&^*h4Dktq zT_%++SCawAAl8)2Bg%kSF#Upim`|wdK`fhl3%o}z_F&v8?Xk3CskSyFX~N8+?SQP( z$Z%35(B|1LJQ7ku9sT;H9q-++XI2}Hc(6;Jd@E~*bhB)mV zbjQhsC+iA+`SRAClD}1u+ON{jW26K#VL{j!De&djl8aYLN>Th=laKRZZ2>-bIK5p| zL_Jc$7{W`>H?n03p>{Cqdb{NpuHNqEvTphtAsK$pK)d~?q=q_iF)uXrXV_Kv7bhcy zLkt!wq{@^vG^TnagUbyJst_mdA~bB8BR9mTJ|kg$9*dPLm_e*T9v&vah7X&^0cu6R zGwc?u(!N-$thKxiK5vJ7zbu zet!J0Vz}b9A9u;dY*CpACe?Y^4-owk8TB|&o(?eudAMExVCq<~LADBmLMb`q0iJQ_ zEpc&y#jJnVBk2Q9mM2}lr!V+Vms`2rBH(x12zZF$d>Nv51uibYyZn0|=74|&fUS>) zq|H6}Hdo5q?#W=uv)CeV>+NM4$Lo>_eDtkYHhcXmpd?v?m1Q7BFsBF#mE2;Fvky{Z zEcNV2rKLqS33a`0Go|#eTe2rFKn)%4jxj!d!r@{aGKG(WJZNx$2n>4T zroMIUyjoT!6fFK>hKYjeB8V2JVZaQ%h3@6&bVq#j;BK>@JUYEmKyG}5?D*b==!tU! zJw=qwp-=etv>!F{pxMgH_n=PqGS+qqGPErEq(dcOE8zCOZt+H=x-jER8GbH2MGBOm z;SR1Xvp0PN(G$N#qxy^^{^#uzeFbVry@!dK8g7Q@u;m2yGYuwu3C_7dgYtHhw@S#> z-DbSR!{$NbnLNogS}*_p?ulp(2sPNq%-rr)P6tx;l!UY)K_@bg{g#pCEaG zpyC+@SAhe)h<~mle)1UI(bHQJI&ufFHHd=vyw*KTH}th4cM7FI9cE1vJIoQX)^#r` z-~2ru%^%Ih@pH&_?07^9*u&WMu`t(9e3Z0~4(B(2Z{mjP37@ZTjHyWiDA2W}xDf`5 zf9W01p2&*-$dKi4^TbaMQ2D572$f$y0oBx}{aTke8H!LhX7|#<`nM^gzJXoC!k_OY zvR-tqON_2Eh;;zn_)q^_JVtYDXu6FJ=-Y&A`R>d~5Y_$MG`FQeSLX2yJElZPtrb&o>?H3n5>9D(v8)YDK~0&$cVQ$0Qr{jLo5R zN~37KQM0yS-i6^AHe!&J^a3N3sA}OaEt7wL&xhIzH$g&t%prY6Nu7@DTSBp^=Gd2d ze~)k^S*qCBC63NOP7$t31$un{DGjY1XV9!;_F>DP>OM9tX zZ-F$P?#o?Q4XGZctgJ>Y*Z;bb- z1eZJ!`O%;U^+V>%rv4O_)}-cjnC}*s zN4Iww`}DGFNtli=|IWhOk;i13?lwE}CSgpZuGhl8nYFdszmuBt_blyqt?hTcg}See z?!wTpojtY@w}uFvm02v%$4Ou4@UZU<2o+>Ir}2OZ)=H*MIWNBmsbqxJPn-1e^*#uY$$mcwCSLNxJfPny4vBCl-LHPzw^~JaMK?Iq}#ZJIAzTb5DyPi zpYDl)FPNs=&L0r)t6~RiN>Q)S#l3)s8%00UyX}Q5zuS)E>jOczogIGA*GNn+Sa;Ru zhLiN=taBm<+ZCroJ$@>Y^=_W<4bx6k6zNDZNJI1elSbd+qU?#cjbvDNI_hxfs5>@R zct%ano`_hWL;-5ratxXDuuPVB1FjDi@ew$k$%cO`6Pdd(VSallgahYZNw(~RRspz@X$+y3Xn0QqI-LQ0>9b3Wa|`&DW;yT(?#>Mn zN}8Go2x1|sQ{u7hH8LpRzDwyI-WqV;41xCs_@%~^+>I>k(+!-jezzQLi#@(KTk;8j z6?BI?HB-5CkkvweWVz0dc$<4VXJD47#bPpy)NR0NCW{ zf}r<`_jXiBWLkjV#=wUUFwplz99U2Owg}ARSjqpC{$u;)@Qg-R>+N%uCq&Inw zaN0NUu;U;7yYK_s_DaIVkJ;5sU8*mmb@Aa+dG1VP!cM!Z(dZy$2A&MRi{tTVD$VjK z{RU4U<9DzX-o+|()RD9O0Izqrx$}vLj8v$32+M;>M`j?-_JcrUW536z#{s%U+iUSG zoDBcA`r=~4(sA~rA(!o9=w_}`%%R81g8NP%EboI?Ii%`Lx?K4B$grMV*r_A9SNnSg zd|?IATH8tr5}9w=sE&I09z*6=T0{Y2H7IVb^J9)_~0PQijvkJ@*uaI9ixDOT2*oV=YBE#ku>L_3LrJPOmTJp;Vq0rB#S zxg0i^b2$DE$w+W}rzf8%RlI+&SI>HSb#~Leu>Wu&nnBLzO9=9ZRVQFTEtG!b5e%Zo zGbh)(ca;Nj)&>r<`uF!ZU;EAYSp`QMLF_HSXLq>1BzR(IDl zyjuNNI=FxxM2_tT9GdWFUehNqW&AAqZT*3naK))n&o~slAeUCP`F4nyL9G;vF3jGt zmQ!dO_n-N(lOzc zQ9hcVm{C9tP0m)_*6tdrVg^^Q3a6HA(|Cus3q-v;76!WpC*h4-!Hl)}m4&9Z@&;b5 z5A>osq$HffUHT`38Lcfocg=cO3s%&qQRx}bV>r~Nn9ZP!f;4u)&wKqMuHt)Og5hfy zx2^7;&+y9t|F|D7kU<3_1`6_D^=f@ThGT$vXw6q5A!P>IPe5E2uL5eflnNO*NFo%e zi64V(j-%*%Z#>H$%rQ zFB=DSICel>vhm8dJzSB8%-KTO{BNsLQfxd%S64(A?a431_IAl{_ZGU!%M2fSii=TD zq(uR6Z_6X-ptW)Q%d2zj_iS`$o>53WXh!-;_MF6+PK@OX<)z@H^4YzxbiSe z1^QWL_i!!hcQMbzwCrsf(P6Y0urpLwjty$hqS+Rg$cJx5i55&+kwhG^1;E9#l!cv; zA}c8ewZjU@&!Q)Kx zT(a*EYNfjh+X^~9>3iC_Feo8FH@SaoDj@3tZgaKmG{$lj7@q91ljOGcV;b1h(`zJ* z)h?_Gcnvg8h}9y7Tp=wbW&ft3vr_O&LC8XbyghfaEs<&=K7as5Yu!F^UjYSLAx&Dy z2f&S08+^Bd9@?0$^%Pi-L+*T^PmI{u2m+sk z1^sJ~N~q=EDnDD&Yam$tnmXc`!8?^C@(ONl6KIOrRO$VlCFh-{Hq6*y`MB`+ojpL{ zayk%qtw1MCNb~=(oGqW&D+Z~Z9d`w&3p-M438RsD8~>j2ONpt1`h!b~?=)B`+aF2( zU4q-|f6AvJ{f5VfkYJ2qXkupe?1@FrFGOkTub8k~7BsXemN$93x%k{UF$?@_mmPFC zK~Pqcv42elo`M$k#DpyiJDS9v?;Z#UG8c`?tn6$N2*Z-8RnDi1DXnWwwJiVj4FE3& zM96Mf?>q2B6C3UFWoP5dmTfvl969Dgyq(`4$(T?S6iZ1;f8NkUZErAqJHwOm_Lg#L zte;Pm!zn!7E#?Mo#KfCB57av#r}?x$rr2NBi&ZKQ&&-q{v0u$+Y1~a z5Zsh zMJo%iN4o)zeo$chQkra@$k{$9W7MLuZ4~2CY(E~_;t|tmx;WcHHT0>i8k+ELqQ_!r z!3NhpZr(LSZl ziWEakDFy+Tmz1Tz8;Baf_k*SOVRB{^k$|{oTV58Kro|v6EY*dK+ZS&YYq06V zQinDC#T_WaVY?K!u7+`)L}>BMx~Gy`q5^bvKXYBfm_#>s&q1687QMf^AGa4x+1wW( z%d4(ltK&{T?(ZMQc>3&)Vo;R*wWs~^{oTO%z?4k`uVxl~g-Vvi1ki+)3uqL$?F!m6 zvz!WstTu-$aA^%~Pq%rF7EcEGQ7JkjZ8~{PZ@F6#_j?m0ORCE5u_0iFwuta=&JR-J zC_%7^FPdEWO1=5P>2Q9&0Z!66q!h1CXxd$vW9i1=1fdhjH z6nw$QGV->ICnw5kwu^mzX<#NVZ*+;y&Sru6(ziq}$QGBTKIl_%bC)#dY*;y%V{0%d zMcy{e1LOn@W%u6;M!RlyC<8L?nH$Q(ZYZ!fKMF^9NsT6^t=IyjLjcXA%5KcJp^^cn z1W0f3Bu(Sh{E-Pfe`dw!dh~rGx_w(|0o;NY+6!~&&@COrVaE3~Yl(lZk2K2w|!tEw7FDICLZ`b9O%wxm2o z(7`_-z|h1wOf`$oe^Xi6ac3x%>|=XrPU+U>sp%iEJ|^bDJkHH*yt} z$fcx^m=7gdJ##esFlt@oVB~UqPe({b;(q(v2_&PaFqoRIK=pM#d2f(tG}h0<<@_us z+q9=ASAB+QK}Uy9XGd!!GK9bXqhKk%^V)r9XJBCF+FBM@fnsFX+eaUDuMSePK7K4Y zur1Z_S?^o>_|d;v*6I49LSu0|!&iuf9jL+4^S~Z08;OjSj#5;sV<_Aup0q%F@(A>T zAiNFk-K>!_l9oY9{=8U?kxebt&cTKN4bZeoT3DG$5w@vQEGRB)GH`>FfKEJF!(|6Q ziSO*ACH3E55MT?WNBmITRuO~-x?`9nyFm? zn&jlM&Uz*ux4HQrJbirX>$u4Uou9OKZaIe&CBSZOs%CA2#ht3_pq-7?)2WVLtblz7 zgDE`^mz2gjq@*NunZH4L`I^rRT0#cKj+%zj4IcJ}PUH;&_Zu1(S;^vPqpoOx`!M+k zN`&8Z23txa2Z#~ai6f>TSDLfEWPcsd0nA~i>aweK7pB`xEXm1fV ze3ii4(geg0`v}g6@Oi+z7nhfO6orSxaG;vC`3&ZDP9%?kNk&0pYh&jmWD!Nlzv-#U z2c6UK6<@zNNFof}BUJ~NsiTB^?)lY2$zPLk&n?U~XvsOProIM#snE>DdEpgY@>%u_vN4RtSQ(c)fDqytooe*9p$bHC#SB_?srba!v< zWIYBc>#2If=XvO2afu21*7Um1*-A_~llH;(d&kG3{+l=;&pQ|kAU(8o#>i&)s=R(v zz0Zu3-=9d!11uuKDyMex_aw))8raUVTTA{RqUvqubll z1bRuA|7%zn9|KpIRNg$up!}C};PLi{*X^DfbmN}vCY3TfhY}(URddWBM<=(mgoKs3 zW%t7Yg0?rx6%{|%FAD840(y+9pqo&nH(HWrz~XQ>czv+cNJGuZD8y-PHAmz z<(fI{NZ%B%e|6PJT$Ot9$V?EZ4ap&Om$p!#5@M8niDUb)O39+2P`wS+(S)AEXu}gy z1$}NmW|QLJ;PCO%;f718$p&X+K-|0n0z}2KzLR?k3kd}qbk@}o?iT=5G^Kim<=bJ^0hXgoS z+rFS6Y4P3tWT%K84iJB4M?IX@U)5<;DK$*?jBaBPCa{#YIl;q~M5cFZPEX%WM{B5& zOqI3U*{9N#pfScZ*>)E(C9ndI<@iZ(jIc}H;YY14BEqy{zUsqp7C?Y{S;Rk*HYqix z$7LNEu4JDJ|U*lPB8BsQz)zc%3Uft^?}>f(qiS+&kKSdww>>@);Op{?HD6iBaD zR6_3+T1Y*<-5{ss7U#OOF9Th1gt;VwkT8|I}MGHCIb5zBpOh z*FP#wzK*NlHevv}QAR5Uv2$u|J~Me3^_@(+#M*b)2O`dnh!XzBM;;#g>V3N&A89BJ z4S`3sKq(G-$<171WQ?0K4Cv~)Ku4-sGYlJE((%@{mJVBT z<)LF0Cs`l;v9s9AGnE;mfp5%5lgaT2BTI3Gd62NeyY~Ic3X$8dnz-yQ@dpXcut&b32C5@jlvWm!1YmTyk%1#z1jiV3mp7U z!^YuKQg!|h3|h?T;#rEt#l@xL);w_uY?WHJZEsfB7|hs{5?Iq`EPuPzPHD0lB$~NP z%-v{p@4lCK{Mh4YLX8oK!>JbMs)ml6l|Zyf3CQIXJ>wI9sQTqtXXiA>Dv_jhn5kOT zGy(GAAr8+z=5i&%^Fo9A)#GNX!kk6W+z9Xna&#=(3sV?u=fDHlls=w zpb!y7>~K{v{z4cAc9gAyot2H1O7RqZBqatWmN{n{CJ~Xh*Y)L?~JiJ4Z;NyYANR_0u~ z)sB?6n>Q#sX%s5|R#QLqYzgDCP?PPBu!$3C6R9iar{nQjSBQ8f5%kz(Tt?0%HmaNr z;rzbuirPpP8_Z`R6ySnH^Gwv6< z$)x?ea-Sr`b7RI&PdTualon#=1-Nj<-`7|=&4uq9dhJ_4zRSL*@Kk=uFnk6>|=G_oU--)#+(g z$45D$k%hyVzw>{xsGwj$ls&L_YuBymXatK=RFsX4GTQQ&cSMyIvufezdx&b*OCp0- zUngJRlICI;AenJt@a||Z818|@m-LNhICBQf^Seu5xHLvVYO;<^Wa;v7<`0=0E9DL) zUqktQUltto>IgXyFiJmud{C);Ey95t_%$+uD@6ggYkf~v5IbF5YB}HCDQW;E1<5bo z(AB~h+2WkK7n)@cImLIrYMbJQE0S577h^`X;vC$p`&>It=#MX4*>&Xs^*USL#BTyY zDiSzaucA^=)2d~mw9DUaXig|UJsQc zqN6Q%RgkyTkj;Ap>g=SkR7*BBe~n*sI7t4RaZ0kfEI&7od{L7EpR8zR ze}b!8F+<3hJa2J+f|DN1CdA3e_v+wgyh}{XL>FIfe z-uTVelb1LGy)ktVI^WZHz&J8FC?~|}EcnZaB34E?*nlKr-rg_T(@gP5$O9XjF%G)1 zPfr+*^rn1@g;f_iu$}TviZx--tm-#ooK$HY)K`+5b7m3)G@_}-%xrLxQ|~`LIq3%7 zeA;_~^d{?jtkT8=N1;yX#BR;zN@{b#n2Wsi*{|N*`fSj|`1r|JG!V`+>|T00{qh!) zl zK8S3d^X0tT3{yEsE7gAzDbQ{DX`z|`ulwC`W##G^JLv1zF!ZQzYK48Qt-pS1{c>^Q zNKq(Su+utloE9{|JJfKLKR@!~5GX)?q8d0cImr_D4FxsCvbJgY=%^oC!}%^XPWDw@ z5EIgB`U)~83Jo1yS!3b5@|gww6)9SiMtKxa8o3?s9p30je;Oq7yErhWQo2wA0T;35 z9+}G6n4{7u?eI`GPdrBj4Cc+ZFwe`kxVXNg5cJi`(J-x+R8k1sn6CdVv(zU;PDm}j z(=mj9R`}%J!nA(*5$MET&af&4BSjVlM9x0}!ivX9C0w1a3C^kul;(#M^3{N9+`7x8 zVA(wRvlP3jOB?l>au^K8X3%77W+{{P-J_=dc=_~lNrL~AmTes{z!m7K$1Q8FCbkHR!J>NAXT1Mzyz&fS&```7n?AoBS(Bj_bR zOB`q&e*J)M1Ykcosth_2$v}?F6XQy)z8B~qKK-4VRHXJJc5>`RojBRx&PvrE=*Xj6 ziogmq`j#2*aiAA^oC%A2oIW)xt8-(jVgbMVl+)JvOv_1(Y@UGI{R^+~3_(#y<%9WU z#6GCPeaYKdfiC=A&O~3cHBni(YTnD^Y7bvHL3sDbzzD0BR?WtKIa#$?irx9I;}WMo zqn)?vCwN;)z)fIus6ifzx4jxVCn%TW=6<*4)d-%?V!>py18lB_@TSsmtxb^l% zC&VvZs8Hc$6|8VzBd!Nz59H~>zY#}=tX|02o#%XK^7J6j3^z?DR|@OLo^G>yO#osS z;*-Jo0Vpq1QmzEuT|H_aTMaaQg`ZVON=XS|L_mLY6^!x$1WS`l745@ICL9Yj*3}!0 z?pH&FYaL<>7;I@H6?MkF)yuoIPG{VQBEzZC3OVD+Bzv@Y{p*`*akAQOrDqf~-xoY& zVCh5wAy}A;Q76$9E&CBE-1F{1yhw2mCI5Ug1F6QovUr!A4<;a{Utmhv*`t zA=6ND4${gT)@%RXx__q!6MM$Q5Ica-lw^BaiP9nXE|&CxiuHz=l~N!Gmo(!AA+FQm z-skgHz)b1s>5gSnjR=hZ9u*GAyQw+$y~E{hUs7yJd=fH6*FSU4Ee4s|qGZV2tjl%vi0*wL{m z6Fb{*(;xM=Smj*5v|e&-d>OjGO-Vp7Ijbcamz@ZP7+t06<@C=^FWPb@?Yg2g-uJBq ziHUWbhQ2#_d8`yF>VI+4CfwYI7)cc%CU=>69oN)EGJYcCHpSE6v;H(fLqcT8rBNu! z7PGw*5ZW{`?SC^gwrXVJj1FsPu)ZWQq%`2^iQhfkH`v2_R=)$hr;`(lk|-EYj*eVWHjs)Y{y1^5tLLzDB7BNP z&4+G_ltGW&ds6`JZ zkCl-Smq2PCTv(Xwa>=Htr6nPDcey^f&Oial^D>E0b!ev_Duwwh+AJ^edN(<=7XK`( zYw~o`?iv>0Wd1rvqw?Mj@MMz#WrYiL-_hYaZ=V?ZjL>r^(XSr*WcmD#k4QG8ii3SM zqBN=ccy>x&z1((S&ElyiVo#qwCEq!I&p?1l=c4l_P`_f-j9X{OoHgN2ChRo>t(_V( zoe#wK!$6pLAgq?-3mkTl=Zx>4&eBs2Y)&^!X+Sp zR~y0w00_Lkpf_{oeId7P1X_C2pByz;rKt_s!eum&JR^_$x)=Ao);DEVrpcwtDoF$3 zvL}JSmf)?23_8Np`Blw_)O!|J904%+TLQr5GHlrW@|Q5bk53cn-oBwPj3CHBNg2%< z=O9jw2t8cZKo1cn=Ac}xzNwUH5)J68w4P2YDP{0YFaDOXU!EGLASQsH^~_uVCEDft zM|+$*mmyaP39R~Mle-N<%Y_@#EauhAB}^-=)w#BX8pTwve}r)rTzLCg`1qJO59EUb zO4MHKBq#T2TFK|u=6UUgZ5trQmFgVs#OX-EN%C&BJY>8Jjvn;0p=t)LdUdXEl^xN7 z`dhShbEd5OwxoiLkJHm^rrTZ-led;rdKRi#dzzVb&k4d|x+$bHZ8d9~p*hpEQbB9Q zrMd^am`^c|o8X^j=aWeXHOsE9v5hJc$?fW!4k#Au3v7488g8C^65l;KctJ*%Xqjco zFGvBEM8yJm2gS-F1)d2D0`TN+jR0Ya+xm{m+|7;TbHZ7T0e$ePpRl_6jDe?BkVbKy z^6Ta{c+V~rz^3~PclpoHp7?(3FanHYUt4+S%ZcvJ^_bI24p2pWf1=tR^yu`ADFxU7 zPR3rs@}nl{qu7{PRbJx*0Uv?_rAIiU!VvdCXcWb&uanF`KVISixg%$#%n!|qH{6`- zP^kGeD_)wS=6m)3)7w`@McKCP-k<`a0wN&|Qqs~LB7(Hi-3`*+f`B-ZBP}fqh=6p1 zfOLa^bhmUPu`lp>zW0guTWhcVWBbFklwoG>x~}s)>MXHt%&{nudVm)e1_ZDJ%~Qj} zicY!q6DJ{rxuXVP>eZmUH{N*B19$gIP;L&rbd7?fB|NHbO%1Z{5{8`gH{D{%n<9^C z1LRF@O%+&}k8h#Bgj-lu#|g5x1Z;wFFhN0q0Ld}sxZj;9sI8?D%}c3C5#!=mEa&*K z6clCWHB~SvDJORlc)gWHmdoK*v1SWsc!DEl^iz8+&zgs`I7YXoeVwAe1tvI+6xoB4 zYYT=gC@K|ISW-eKNV)cN1s*-lv^#8GKIMz@L)H- z7Vb3NfoxBoA0ImXtS82k;cHvgRcuJE>VJm9V;^wp^57bt_GevOa;@q0+H-g5?BteJ zC?B68p;eC9lh4URr87HX+hyzo02>$5mQw@;?{3?AvI`#24zA0-Z9{Qz&ME0R+K(p( z_1J{iH4gea5B0dK8;%ErLc|e$#iLbH0QluWQHiyRo^aKsNyr#pC7o6s!q*wK-RniF zD(jUEZ8IUbBVKiroUAA+XIQJkv7ih=WHmYXX((%bgC|ZVQw~wKMh=VsS2zAV>V_H} z^wq@SL$`&UZr9s36TZybE+;oWf6A`y>zhOYnuZ>Iwz&Bk&c|59%sqS$L6p1U%1%_W z=N?jsTp1V>Dp5aU4|3R=47LvrBs*FKJZ&$onGVN)r;`4#v%Sp(3MHow1OzN4Iv3kx zWM^}NRRgcUp_t#UdXSj1eUBJJ^K3aVrbx{SKEmPlFq|BXE9go0Ze&ti#-Q1%jYiPT zdp2i#iD8o$L?i4A6`U+ubt)s1?rZB!x1+sq`2`hzr7hZiw+JaZ--IXPz!OJhqT8&B zYt#Y)18Au-evTF0v!UvBXZB&}|g1y6{GnUsZ0o9qZp|S;4s9uF8d|fE2-jCNyqHSxb%z32$3x0=y(lcgm0?S#5@%f z4;G_TLLcmzs#|a_BZoE3?x{?gJ>ua#9dpQ!XNt~=VG)#ZCNYI4nt7|+#cPB? zjt6@>ka@#`gD_WRDcmjH@UyMoPJzJan9Gk>=E*Pl5WLy zD#X%!Ur2DjCo;J6(w_*CumG_xCpA+IqN;HB~{`w+&%xDgE@va>Yewm!BWW+8i8ZJ(RFE$r7~U9uGY}Ep)crh z0dVo2&m-#Ry?`cz5XlU|iA2|Eiam~u7gXRVlFVe)Oj^}d{6nean;-liVf}Bpz#k%uM_*rIiDEYI zeS62iI)jG)hg{$q*uwWjZkya%y#8BcdHp`PfdmJQP$(C#3sQmUD+UEgSvBl&jIX|S zIp0j^va@sYny%T>()vN%eNXcSVE6s(rw*_EmIM4CC6PW_*?+Cd3_kSgol>)VV>>DN zYKE-1)H|o7QDpFnhO9{YR>*d6iBENL6?g7AMjg?| z3OG^0EuG(F`32e+vu!-}p+)jXX>k|d9lXc`64sT`~gX3Bb zLeaek>hqv?c4ji}jHr&fQg|#Ct~2AkU%wjuSPd@m26~;EUrPv=O@Qz1J30M`O`g{f z2dCBBEXz}${BnJzWMr!>$XoOnane$tha8JJ4VhAYvAIlo(j-KIT3P2DS=i?ywH_%^ z4iy4)Uo^9B6uV1OS(%H3L{*bjrb70uw|Goi#XJvr)EKd|mFZikAuJqXjp}koP-eTh z9B$;v!I~Q8Dj2m3=($;@6qg6b241qoefH2THBbg*rR_5{Q3HjS`ypA&_e-P%8BFDL z9;XHcnM!zoZq1E3Lpr)k_sb&=#l=;SLO~G(uWpTVq85#2p}_*6 zEde2FFss>c@ zpY0>&{74CX3Z+3{`h|*MU1@qvm)@grQ$KDj{l*LranPfrv`Y;JK}pT!v*qF^+Lpvi z1U00mT}Q58#60io|IXoIoi{-3`6@+E{{`R(#)K~3)f;uSbzSo%U^m6QgJFHXMP>r0 zW91!m-lPp9BZ5nHD}R`*bHS{jvJ^j9kj5|dISwexm-jTlhH&thuwhTZhHA6^GIyQ_ zttHpmD_C62L@v3Y&a-DSk^jMi^ajdwh+NhO znDoGA<1GZ{0>$40d~1c^lj|XJ_sT0q))P-33Q}5LBuz+QY$S8is!nfUKn_a_fQv2l zI$z1Y*RqR_cXV_d!Ji0Ea5!}s8t@QrG4 z`y6@e`sl6{;wsYVlL^K?>^3^a4PV|0H_umkV@t`2`8@n}dK6(D zfQh#{mfCJ@H6`=;F)>(S3(`1vCgzmlHxf~%KchcXk}^|sHB$NxBJq{cGi0e6+!jW0 zYe7LZ)SXzx8uSDh2NOxwix%gRMdUWBOQQj(y}Z|%m~}S)54uqVi!>=|NU(B8n?NRT zf_1UGr%de)Q-W}<`|&JjA%fyuP{3A!{K5YkuocaLJLvoOA1O+7J<1<4Uu282kb$61 zo6U{rMVj>bAGW)h$rl_@%D^&URHf1f2UW;~JzG~Ix87t0R*t?p7YfjF-soIu%`$^h z*v%NZ#?06f1)Pg(^M;&<*+$Cy%pyCC3=OgEB@MmKM0AtI7_F_Xz)UeD-_=j;x0dMN zi9gZSE(t4Rd7R2){q*g>__J%i<*&avn99SRQUX#!kv6P_mP$^CP&76CF(R4YK`L9J zl!L33gHxv1#7e7SqzGZeHUcD1$_r7g%l8o#cf#ITn48xsH~gkE2lO7s*L`AQG} zhnpe{smv>Nm!Xft!{UgNs@8E+XNEf!m)*g<-}j z#c)I4T4+fHJ)dVkzrA+|1{O4b`xarTQ|p*olA)ffGL_xCZ8vh{YN6rowC@BKO~mu8 zfz?$D%VG`Lg#~Faa)kwJyy$g_MOU{?9U%#B4k)9COniKNpl8oy_?+j%6|(OyZ;sWu zaKoE+ws6>DJEei1$Jl9M_68no!7)tHyi(#NCeAy zK|peyNAR_!YW{VU8`K#e-93Jdmrv|AYOY&6MHZnvo&<)ev^`To`_jFpXk z5#$np(@>LJf~aEPp~7K_0y`3I+`Oz-HH(8j#JM)jKz}=ptY*I` zDJc*1Qf3^hl5CU_Z`y>LKPs@W*g)hDzsKmhMTuv`b(zqINFn<6+?Nz<&}v@ecL!S~ z7bA%*FF4J3Hsw;{!hpXKGUy+E14gMt>?c2nc*yhZcs%^>ix)Ey5%jpn9zv}2c)VS? zm(V|HsWqnsyu9ei7R^9`iQ4kQQ;fm54@&ek+P>+;%q`|}nLkLWBKtJWrKrHj)DDLN z-=|I6Z zu0l^z0uk1IGmiUlj4Eec8q7USRt0LPk>UPf1_pByPhH}zEv4C^*MU!YHtgtSU3Td2 z6Ttyj*b>P7Vu25@w#{>Rz6D-vfe4@>BCGSxE4hb*De@6nGzdH_SdR;jEmMa=rq2?HK15%9oYzL>QP z>&iwF?5+oK!xTMY-w%$1jlz5_N|mb=Dh=~ZR2=EQtq92y3-r<9^;0)s6!taL1^7z7CIIn$=CFTQfh@X{V-NIzCyoAEc`%Lip%q6+Y-e4a9aJ%~g0#bC zY^9vs2{I;pi8JLN^UJuon3Kd2*F=D<^Ylgl^yM#jsgc*$(tfk=d7eTtKTMP4GF~hc z0!5&tBv6nnIOZg6Y|MYxOq8%+oX<2i0jykC!}srdlS$T4_%kYs)S3BfZfdTtUp@eM zG`9<;&xQGXhuPdcY?^jWT^spG*%^RX@^!tmago;&MJ90D-akCt-7S-Dxq>C_xk4f$ zD7d*@fVcw!Dn9U#pq_ZlW)bS8SfK=JhTk&=O?K~5@0&ouU7^TiRX?yxEEpsvN%<`$sX;ssac zo#aO_^yMF$xyCz0S`7iK716-#59@;Bv#aJtw9kIu8vUL;q16ciT;5;^@5tM=%k-?r4Vr zr6wr_>x%vU2aGqmUQ?P`nPRIi-n_?Bcht#h!{A&vE@HQ&e&=HpXs2K)b3|o@I2FlMiN?1jv-;dvZfc$~xK=?p=Yh`D?|ML(wK< zv@(fuWj>o5X^{$vIxR+z5(rl(NJuZ9#W3rDhg`dCMwvd~K~!i`4v!(nePV~Pe?f!% zG){A)`z2L1sSw1~Cn@$=DMn}H`}gNQfP(uM=&AkW8co}=U`K9IjUX$p@j!yG3Ox=` zk|DqPYPTt;$X{+F4+<)~V9DDk=_T0}1+|ka7BV#KtaNTN^daxw-tZ+FX0WtYA{o`y zsdTK6L(J{CB0|YZV!I9*XZ{Y$z8n&G&!l}9KUw7YLm=Vw_Xi@zS`Smn5rtfpC(j?^ zn#x5qG7w+hC6*IaI{7Z2kzFvC!VcvaT++lXHM`|hzYHZ#Q1qG?SGeuEc>Ut^UHI15 z2#aAH>mOL(>jYk%^`(E{p3wC8$UswuaU6RguDzQ?5S;Zn>OoWtlV(zUblbwt>YBwz zg_}C`pvf21e)BapP7NJR@SWdmVd7Y+z+$4tU+o}jx0Y*x3iBn9#8_AX1;2BV;g?Gw z%c$IA5{V`OuqthR==Yc?(174;ETj1nDC6Y)HtpTF3;-wA<9QMnmCSx$WPnELQ|NQt zx56*vB@S_K-~bVl8o3pw_+EsG;z*w+Q>s+0Z(;=Hs^lPCTSEs~_dm!d-TRIGr96n0 ziJnX;8yAfEhGWM=++vtq{n||{Nh6(Ws)nBio;|R#&ZS?dK3{Y;@9{xuAkiInyvTlY z#B8&|Z$LDmJ#LL-_xj^6yu@Spv)I?`^;k(@8yhf48jLg|%jyT`Ak}Y{?J{v-U~_@9 z;KyYh>RnEp9AV`%RBG=@4D`JPYQ%~~UWJvq;3$~&SV!7vC}T5=ZFlb1BQ z;zKR{w|AP&g-Gx9&C>(4j&Uk~mpNX+^Fd!qK*~lL-yT-O?mywV%e)iC z5V<0~?qm_qSH3L{ZUVn{wzfQ{U*7b?La!lReRk}L2MaKrP0z)TMD)T^p4T2)3CP_> zX;fUk0Xd>vo96!+MPuuNP{_sv@PCJ4VO<%Qe1?LcfZ+D2Xsdg0dcRrNlE#uFz7h~Ag~&=yF<0bpo9>f-lc*akB{PSx-ftRrDm=D%J@P0EWq_TkD6ynn zDa9hjcHi5oU(9T72`>Or!MgK>9>D9_MT@u1QtJo_{hj&vRr!{4WU-kXGp3`4}tZ_iKwymK z3SmnOl|WsN$8vD6?Y6z3`YGp=95H|AzdS9B^jy&`3vRCH>1k;a;^G+ZH~Y-K3nX=< z^|Ph+=A@^eecw(8^!O!2sHiZ2=9iWC=~Jcipt<*bN1)ugvbM;Z9eq=zgm zbV*Lo!PI@~g|wy1PG|DckCk-iow2&p2aFH;H7t{Tb_xuMiY&`Aq+@imcqk*@VdJz{yX{gM8YoLO4R*u; zg)pQClx+Ats+}Dy027U2(fOR4SI89JNx=Rd-Pq78(eRg}mV%Ok`<%wY))p2-MMYht z_R~_8g}+oDde+g}{z2$Tu7Y-jNQmHKvb`@Q@CQk9Eq^_#slC=`Tp)Uj9_-|9>z}wROl9# z+wLuc**O4Q|2o`I$yOT5`8Mvh`|H;)g#oteni@^b_)rpFWZNZ%!qmLli~>nUygq{4 z@Ftm5kYvZh*csI`wZDGQ9f|=xw;aqc?(h>8)v)sB1TFCnJ|o)g+oZ(Ay;+-{!$4l# z6`wda+fGKjEbPAQE0v*9YJltCb_#?v(AUdvdma#-*~}2bvWSZ#E+*dA+>(>0%*8om zsQDClzb{!78Ad!eH;-!~8>gPIfFFg&bAZreW@H8oP>t>R=Qgv^GMB>z*b*I%6sWsN zUgjnUd)DRGVp5~SZ>mEI0shj%%+_`{=;Bd=OmJKFe=`yI z?IxAIu0phkwefLsv*=DQ9t;lkTmrME*39D@hdTeX-T1>r((N!_6esAKdfY(hLBp>dk;eH0swT(tkU2_97DKA%--a0E#CqF>TVG9-1Rg)P zvg|UyTpf_Px#>gD{~L6U??Ez#6%nTP6uFJ1I`h0GpZD&q*yj=cI zd(E7RiuJ~ZgZ(bEuE5kt-$v}c>gsff<3~?YztK`*VBD5*R1Xaf$#_l&l#gbfo}OKm z`?pcNI%pH9u_bl9XT)@6fTuD}ojsIzyl!rdrIGT%_;u@2-GD;@{14tN{<7R5m$F>& z9L`ph2fhwO2D{4_EsC;@w9G|uO-oC|#x7t6Yo@{mkvSnGQO|@f9E%iEW7%zL*OeOp zqTn)l3fxn*Bj*`DBG0Wn{nj^te%hemp^bMva14KmWm09i=+3V`TlIyON6etL^GxWZBy&$acOg zQn9XXm&`Xn>*D(+^;9k8*#y0t)SIO7Re6@yDV>i-{apxe7D>#isL>BR6Wcx{HA_0v zBg6%1;9Ni=MoOKaPT?SQ^3b%DcTu%{mLh)Bl_M00J|zGc!%qE{YPOJ6Y8+ zfwy6QLQnuA2ZLAsYD<8R1xkoqzrqHh(vG=-QLY z1}NBVbkb!=jr9NcG5#G?CwHK~0O(Sa5`MBiaLKm~1v-$goT1VOzHEhT`h1ZHFI9#qk-aD7GWMny!H!{cRPruWtCQ7H#^Gccfw*gkus#KtEigaSG8 zoh_&O&lwsv`um&8C%%)H8v2`is7un-)yTtAT2mUPkt<|(s-|cA2;SxhRuIC30URK_ z@~RP3$Og*#{=t#@g>4%8m*woa`DdhwG{_k6)jonwP%ySWAcRYSZU71T4|~8i*=8YT zq$zDFp_v0j%U-MVz0(l%jhZTn-$R3u5XdBx`P>A~4{FM_9XKyd0HXQBz|WMeWWX_A zdGrsfj1h;N((@q=htX!@F(x`8q3z`vf2jaq5X%2l$VNjGs^wj?Q>aC=W@bY~O1QIg z5T}=E^y`3E5|&u))xUDvPxK3~RbOlCP>=A91ncLavM{OiBmq0EYz3YC>UNWY5n_xG z@v$-&7hu%s)3Yjf8|d*F6}uDZc-$WV0Id>@^*xzj`DevR>IK`uN3w58MNEeF1}%rr zPLsXo$nLxD9QA=}0gqiPizi3vp~a_9t^ztuaqRRNv&|(^WV*@0wXr}d25NDzK8A;c zkqJ6}-I(?1anMiOG**yz;pXL+2U6FHBE&U+Kcuh1P+;~kqayg!qO{S)#k5cj#Xm{T5Q2glITK_x)^k1R z3)yMHItnTnJ&xoPRJ4`%0hK6pF+caB;OL-WpeIqVW_N78C5#xbS@B#<;VI9phX&)i zGJy_2^VR(V*OWTY7~(L0SFKk@%uJWhRa8LK23*`g9NM zdN?&~Fwmg;?-jgDo0MC*d*1b5)RpY$`n2V*qzTXKBng5BYkB!$*iysXHdoE@+*qBH zqEVsU*x+ASkYpwFsGqUqQIqaF5znaRe_Adv(Bt8;ob+i5udS@`IqbX^PY?am-9Ua9 z@G?jc;Dr;d-ieOmqPxgM*Xxbu$s^d^n3+wA+D@L-s8Lm(HDKr~*h|@u=00u$%+cu` zbpbYm2~Q&CT<+<`kEy=-zyzbg*Bl@Nj*e%|WIs3`Uq17n>LJ)8@~CN76uI zc|o>R&~l18HD>rntXN+7+P-_saP1qh#`!66|J3Y)SErmi4eK+Yq-j-rNX5b#+BHbm zw`J>T(7)fFQ*iSpuq8`&OO0tbSQ&;^P*=HWeoa%z{yZWL$SW@{NgGp}_l-_Tf-QeM zTcKfL+Mju-C&ai#>VCG zT$4>m7&smBT`(4NcF@%8TmgDZ46k^J_Ol3vzbw}>%ffHE)(V56A|^uQcXNtqs?GYLK) zG+ao~;GlBqjD8cW<2K3@2gAASxt1?Y4}R~WhEix-kBpx#=a;fJRNo=cKba}u5A)Nw z_OQf7kSd{*JX*2I-olV;s&Tiy95%*@R5DQ5g8MaRx4KRZ(M z5eU7GGKMl1k9;^`4yRYL%v-api|jHa{C(TG5w6S(C|KCKO(o}S{fXmhb~aP&@b_j$j}i4<7z^z<^EyH^SZp2{I^-Mp17 zXu2`aTNW#GFOd$iU72+|T@}NW%vO@5js%DU(?bmqFriB3wh0+cQEA;md^s|E-c4T-g zF-CV;_$6UQbzUZz3H0e>ai|u zPf~Q=A%Y=UIBJ4Pb6d+vc@P-WFHSmGKu`*#*Sn%bsLV`+>ihmZ$LztFpO@F^=@}wo zbLXAxv!5#)`bE6L-oHq=5-5qtHaAx1W!%EI1lO7@j9h^ZV10$|ItXOg-D#GUn<`dS z)zq#o|2$)oxW5=BnyS(9NRU0JtcnQYu!zcGn3^FdzcREOWB*}jA&}YPGO+gx%>MX@ zg~i9!b$N}Y%=+w9(K4l_pqO@v1T z-2>;Stt{@q*@YG{d4j~n$$3^gsoemOJC=t6zzPfN;fmRud@5JVKtO`)?go%B2+QTr z*SVZ?B4w9r@rQNW00l2^fE7K!a%u#%6+06E_A+V!I-F-_JP-(I1jhW}QBzl=@2e$i zXnw$wfCc;J>?QtzE4PZDqauqFYyzkvR8zIq;|@95$#iIfu}K@uH9GhN_jdI{x>oQN zZCqSV)@}0M7dz5N+3PMf2-d{_J)cQu{KUZE4QOIw0_gCG^EH55Zj;{ix{DdQn~ar~ z_~PD=^4D9ft*P}CkeQ7o2`S+RUItoI>kWX9up>+l5BHtN-bE1H4Kd@0S1+;$fj#z% zi-8j2^|@0hT1X;!;owMxgj|{%9G#09=I!NERXwB`MravW>ZWs(FZ{Yp0N#fLMfnNm zP+p}}Big#9f4;N{!_TmAFxV45d3|AVp2*zdZ}|Oyf)KhbnfQ$|3kNo`gLbgP_>Gh2 z=YD>z99GJUY*dsJ%;-((WGBp@3@nU%?>P>n0>|1kTP%glWzri-I_M(%WG@dpDGU;q=||(m;yvc_Sd=ZEx38l zG^~DFqX+n8=>QHu2*Cw)SX{VygzR5$YpZ+wBla73B3P(RgP&bOYtda~6Lb%1YCU_p zK|{-z8`@-&$m6cWCA3le2q~qmtnB1uzl5a*0E;YHV2vWnsHz#o7--sy_npv<_a2^!vU-IRM?5twqZt`PS=IpU;7Tu`M1NxzSdl5S-d< zxOpQ^zvi(GYXX_x*LdyARUV9&Yo0-${viayhZ4mpF}Ge33XFk#{SP-*NC)HmdR@+( zR`wW+&I}5Z7=ayrgUg~N^VPd4Op}EP(SVN?tzw3xZ8b}v6uaGAr6#0v~}7E zv)b=9G775{Sqa}wJ$3Z&EYiL-rQpE^P#aJa&3e<6=+g}6c!)#8fUAl@*WH8gS$h34 zhb)Lt;U@8IGI0B{+zeX4jWfB2f)15V?tN93Essi;Q6M#%sT*LVhs)yLcg65For|`> z%Fam`vfqU)-YAIuAuB}oy?)0v!AZblAedC^CE}2Kb4`T&$85MqI_&qtC$l;x*5G1~6_#-HXm__yEEb9|tc%CJ+z{m80?5 zF$eR(0xy*42Pd`p;fe$0T1iT5C+n(XH1WOo6tBY-0StN8Re3V1!H9kx_*p2xk!(3) z0{tE7@v=!#Krc~n5N4Gg!*4^&avWKj-{Bb;F7bZI*Kqj{L4vQt|0KMN{#!pGNGXGN zYmxX5)xmFP%WZLFhtS`@eI-)Q-N9v3k*WR^0Box$H=so;w)TZF#5{7t?)5luylsaR6N`?ytaxeoE zcgh8gZKocATQl7Q7)z&)c|FNXF)C}x{Y|G6FVZ)ir=-K6& z7sm}Ej5l7BimMqp8fteP7Os_lRDzbxESoh%mV+bXlL~BKn7c1J!rSK8mWGG=A57me z=}sD$9Fof0n(ZJWB(#q2GP&^e1@?~*<8I7(r>XUi)BDgM5YyEJlQ!*Xb8>M3Wo_|~ zy$_)2|GQJ=Q}B?ylpGT?ovdU}3j6(QXI{{AC52DnV4frOB`Jq`BM8ts`8rkBG7r=% z4Wio2j0#2w)Cc(aM}ZFl_dX6WF?Mu#EWj$0Ssk1`G;hVd+UsOwAxoY~rLc@v$=61N zcf{nnS~q_l0mg567yP(a=C57>;|jp!U+d@yYERGk|^bOF^A5*mEh{THa{ z>Q37;Yv&64LCoezm4k$sk&>$s z&Xt?tOr=MbE1_$_9tk8EcmXX1V9UUHB9O_1guim2lxgX2s|MEhkhTMt?WuubNMh(ye6$Vdi@R9qJvOS zjppVgFiF4}xtB{odUs@~f3$DtlR~y!G9NDon6o}}_r)Ej5^y`9SNt508vs>KX+p2L zBk(z7^sQRtgpmnx^qp+qlw9ggB*29M)&li#eQ?bYZgd0+F;E^^l#Eu20b@0xtbLr7 zm5jkv6p`WVED|{nl^8vN(@$=@RqCc6&~o!} zi=O8yWGhJxezSBB{trYpE&Am?+ z6A}h;c>4PK+QPE_itG(hP?d^NmW7JussJQTNOyW=fts{J84a($se+f@RV|2s=s~Mr|JKNO#kOwRZYAy;iSxRp~3Jqb% z(8RVYfJu*4pa!G((>DOa@~cESe3@c$wbQ`Za_&Li8HiD7@UM9D(P+)HFd~pU*fJ-SYTHKCw?z+ zb$vswrLAroj8h|vD7*S(2RPZD89 z#U+FRuEVN>rH-q{WZl*HmCL>nxLy=5B_LqA&#&D!Os^-$4hd(sG%JY*LfYEG6{ogk zGaLCBQD#)%^U2B8wc+8~y+Vy#FartLr*8NH=q&K$1Yg&?DP{N`&g|F8DtDQG2Mm13 z^I7N*Xh@61AFea#CHiiGJF=ekX=fGW33FMwYa<3rKp>P*f!j-2r^ho5@7}HGdT$dz z9OIumlA;tf*G@xTQ2P55>3R$pu@T%3tf_K=M09oKl?O|JD?4S-f)1x0ME}~wyFul4 z>nGCrRu&dn!d^Q^fSQ0wcd(fnG0g9ThN`rXko-{9DYbI5(4dLw$jQ%%kfQ!EdHHx5 zJ^lMIsRh=}?*;{sno4as5)?{C-vV|j$tRb*1|jcg!&`9#5|+4sy|wXL`8$5yp6fvF z5AL6VZ*f-9eR{=moveK)SGIDF`!BEbrW#&#LH7vplEU8?+Vse^giV6NTvK@BbAMLc z?Ld{BlBzDf!Z^MV=bg?m5*~l!x?mD;;|{OoKC!y|a(iNezY9-qmi*wR-U{kz zSQFbZIy7x1akX?_X+0@k(=-_rG=qv^Lk^K#%Ee7Uvm6Q>wm=JdrAP%^4%%f9?vI&Z zA!-E1RrogY&-$xZTnRq^{|G$)SLx>8WT1b2)$2y$Hrm52Z=S@U? zfhO|uyj}hESIy^NzsUdos=rBS|JV2W+pGRoDE{>mdlkVjJYOvLXG(;yHpkTGW;lK) zJcpL0v7ILAa)?I+C2F^Rf6uEEwp`EhfCDdR?zrY>yy$Z}CHjy?r5uTn`*VLx2fJDi z1s|de+}QnNDA(_Ta|4DJ5a=fIJ8RvO@A_pXx}t8fIAZtsRHAB8@x?okc}X92A~^IN zZjyH5Mb#pGDexrwlstNEcz9qL)#=MJYC~fqFw{l(2n2fZGSBZGGvcl3cXNUsE%iA~ zrT3(R0}Xs-VZ96B9jqy2&wc%+ywb=X#WLb0b|2|DuNNC-s%a@sMT@5L)L045?E57J zz|bBy33y8MR0>}pd~|>gl!&XQcDsbzVX^ZX`NmvYi;358&wb$Yeq8624`;X0ad#hT zM6~I#CTsqh{XQHP8q7pbmnelntGoNli_OQ^K&!+(Iv zIqHWvTnP?qeWK)Qg;q^x*85-g_lt{2e~M+i>ZROn&m86klwnAIO$GRHun&+woSMlm z{Vn@MyON-Kr`dj`G~X(%DqmBGPQb?|JkZ0(;|eMQQEADiKUIZ6Mpz7^uK67WpaxBg zY_d6@Hw9`?80VS}2Ega3B79S(LC!KC(<3w@Qa@8~3=G(fh6m|ho@bz3gtC?TC;QEM z*T^I~{p$Ny5PYjbJRD$G-*DNaeTuRStoKLrN_j8_q}K`*`T5x(8Vi_0=7*Ey2ef8q<&WXk|kz>G?wso*vnz@QBQ6Wa{S~l`WNBsfl6*AHBNfp42ed!Y9 z;qhHZ7hDIf`sqe1vY7V`i?$Y@@(vtJfxZdtx}W*0`o^$@@zyqm|`-QA4jaK|jJb*h^)~)Iv9$1*;4oP|b9-Sa&37aTc%V}LfUiDYG5+OYH`_#Y_ ztRK^L_w*zBLYz3KI`ZZs6_8TWbB{d)JZT2@C9`fM%ALO}VLs84>fQIaMQy(T3T8lawf_gtC7nfpImWD0uo@l{;QAwj%ECdf&zX0 z8IYC?3J1`C*jI>h0oevnTNA;bMdzs*vk^W`ivSwLCh2HXBRK^7{WGr`NCfL!HE{1e zg*8w}{DKS}JvJJm1_r?N>1pslcbWz-1QJoOx3H5mmvRRK3W5KV(&LDK zk-&;C<kqdRq$|NmN42Cf(lZ`U+Q^jAFh}i*{!scXFG_0;uU?>b~|&`Iy;?AO>WW-T^q# z#m+8-foJ^0tlz(&t0R_DsIfxv9 zamn^);n*J+;`VgKa%uwI@yZ6s9+guBuCpCYqjP1XD=u0{{&uKi{ao{}Zb+LSSj5c{YR(Z|h`uxCer3v?~SZ`6>}P4$Yk-AOauU6IGRb z`|f8rJZi7^kjYk>WxDRJ2ZH)R#4TY+ zvl)kdxfW1;=aw{Wz@8umB2;4~yZI3z$ud4OY5jYhD?mpv+>@W1(UirV=RMO@Icm{j zLtF)GZf&)FZfmwZ+dtx959l9Yl54v~ZVsgQXI@_JiOh@wX&~~P+TDQVwdG7`^ z!3eD_jr$E!?9<$W?%cd_FCsU*SXdZ{6SvwF(xr40057r-is*#z`Zm8Kzs23 z6?{kQhmse70svBCZ&h69b{CyANY$r-L(YQ2m3?%V2b7eQ`}_NI*>csDA8SJOsqDpjAjg{e9-6K4&mA3fI5~?eE?G`SqVO{@1nsYt#d_me2pQu>YL#e;(uaB>m9i9o_O}aGSB#|)F zGZhyXdx@}<7POX#&t(W0%=-pQXmgx#`Sn6a%EY5fO}Y~Lv+G6Qj{@a^_HHL%371a~LxQ)s z+5~EB-cO9EdRx10*|enINYcq`^P7(OM&+=6bP)Szif`K)|Ez0^~$-qvY{1)+z1nLAQuNMW9g*(_FcizNk@DNqAgLjLA{sn2YfFcKdLX zca4otV(l8^}pANPmPu!N z;2?|*WInYk*?PdXRddun>|K`g`}eb50o&`($iuF|%%ti_6ob?J66+4Kp(Y2z-CRnb z^s(eDP2%cu(+RmKeYnq*u~oA5}R?w?IXzcck&>#Nijcaf>l*_S+M z#snn8QsD0=R(5OqfstmLN3dZYPv`!yn@*&3f=Kh7n-e5oWnyx29OuhBO5o77K~=;n z)%K#tU%9?UhlO)~)d-TRb(F2Y<%80m4LyguxP-_crW}qDoe+Ijx)+`X1|4Y^GJ3Ky z!=|Z;6^9p!cpD}2Kcf=Lp(n-Q`EYWx@9oKOGk16*+g-nnIv02E(#1-_VQRY#%~EYj zGPl9fk#A{ z`fuCk=Em9w*PZR>!kde4E-PGsv@Pr2s+9ZiAtuOBr%($y_7I&`<(uBu#Hgt0%~mVC<`h*NZDgFbo-@Bn#m9f9U+Wz8Be&*!hj6VJ1rS$saynHn zUPK2H8i)XE>V;w(v&_xrR9g~&R^d69;qKw_*S>{@cahZHq2$sc9%t7kmmeCgHcn>3 z{&6Q1Q(MPK>8v@AmFIvgsfZHOv&R%;6oB*Yr<}OH!482+r&EB<(N?4#0@E*h4scs8 zsp=^{1VoCo3e*Z-w)@>j?4242^lqN$d#@9bhpVeEA8vTSt^yysUWA4pV;!It_`)4n zn{fcVE^Ltomm76hlMw_G6_X;VfbKJaD9nL*U;%BSXx=xg<1S0C@>I_l@%so^8$I+r z>`yO?LhPoQm|FI5~gp0@oC&WP`ZT`%u68vS_St5Ik64A80n9v>MiB~tIS zi2@v+>`mRh4S)F0GX`-9n0imo#pQ(l_8SQ&K0q5rf&%0WcU21EGp2a0z*n~y2ip&4 zrPd_t>iKwh7@;>_UT)&+UCi|;EB*vB{1q_9IMxPRb9GoeJrL2KbhlKR0a><_R7lQ( z2{~5Z zN=yTn`nl{#*-Vh!rt{bzIGnDtf_YsyI8?N?FPi*1f0D8=x$>qtR@E{S)-<=vFXRKxl%H<-qPAnSzu=^cBhKb~yfypO!tK;XuOxccsQPgfrI^N(QCMW0WE)ibY zlb8R%UCLwI*S*Fd+M)P#WUBDMQmuuB&|YGo6tD#6GggjyIXhS9ehHJ#Iy*f&K0PwG zw#M)|{>lK9mQ|U1tWy^}&DSd8PHr7-1#M2G#hO+3H3>jWoaDSG)L;eLQ9S>rZ!uZ- zxIg}LkGT~nVeOK`@$L+_+k-#qX(V8Ew(xw3j8*$uw9C$TEggm@tW#&rrRC+xA}-R9 zvy&oZbE!S1-C||7kECxx*@S(*y!E(<0Z-q1`d2cX{({n1)* zMDE0=>2=G2tDOH~FS<`wX3DN`0Wpa$(F6-0Z%t@nIk3e>B-`@?nEgZGM@HLe7yIbR zK)IVEuK~O*0Vnpf^a5v^Cx^M2t_7XU2Q%G3@{l~oG;+xgY$>3_` z{me`rMtl^gu%Y2wtPQ!4u&=J)^u*o7O-h=Kejl5Xhr8@|u!x8pcsuO8`b5OqeCdr? z3kr&`X>z5QpESy>)wEkV3@(~K%Z8Ya(-f1D?NYsbM>vooY;3Df%ZaUk^4Gpw9${yk zk@HHpWW=*M*DNU`G#FleO2~t2x+|=&6OOG_R4MxSc~vhn@{j2-eDbKu&nG?;NvNX0 z6lHowHd_xp@+ES1=H^If$j%-b8ZzB4?DeQF$=>lgzPLUuXx8U-NzCxmeQQ{zv$VUj zR_VQ|-yV1daSyvbIw2euOdt z*`sDk6Tl%Cz8JRh>K^i| zj#7quCsps~6&7}7pMLngNjPSMJpIyv%@UcI%4aYWy{YexJdPn50Q5}OW4aYmlj_aZ zJMu#M`xq&9l!3o^3?v`+9>QI0^s0rfO(Z&Nq0cV<9`U{8n>$-*SYY;dpsZ6Oi=2%@y z^gBr&z~Cx-8E%)z$ze|`tF5A~eIF#CFgG1k(ha5F$&kSEiW5)Ih8ZtR>HfYuxE!n* zcR0)%XaRklt>x%L^uqAG?(#^@FaK)z7DiyZ+j{3ZXkj=wSZa9_(>B!m0Y8Z0E~leF)xGK)?F z=3HyQ))oeUj(#p!X*?9HObDbkG_={i0!>MPukzeFFC$7<#rS#i;7M7-4-RJLg8b~R z$mQqtu)7H>ZQBj+p)pDrSaethkSv$8l#Wrv6SZWd3OH5)i05f0KCak%S-nT3>+bmD0l=E;1!RLLr8b`u5TLm_AEn()U?%Mk&%jun(G@I zr1)FY5@o-?eM@feeMcTQU7+p)<{9zDuSYNTrluyxW6Z1ynJ+w>l=7ry>y)*$R@c^u zp5nJGO%=_%7|R`RZ3S^-zMJNGO}i{rkeiG7=*=sS76bMG zT$hW>??#ZWP$CJQir9*-F<;#`n1H#(4!$%&BgPr;!d@zeyCeaCiFsfO+B3;qb9T0T z(J0`f!8Eqx(eqOYJFv96f=loo|B`%uzWG*>hE{x1!b5m4Lri{Mb{N#skcA+4AU;kx zYp;KNfA()ej6NfN&#CBlG~&tH25O7K-Idv8w4Li4pgtD>TDF_Hn~|&Ph_##g>C=6J z$$hGM=l#3m9hi)Ce?mE{kcU_Ua;X1_VQT=gxTNWJb=4>*;cZB*&i()#Z^_k(Ch8$g z9FNCEwQ*1~f7MGS>Ilv2kP`1(5a0neGlShTxn{IC&dz$vt#~Le1Yd9c9^JE;wz}E& zE&$h@s$Yv}tkx^cEyUatj@LUou0<0T*3-YUnY@FZlYIks7oWOIUoQT&6}wr5I>zIP zJne?v1a){K8M{yh_O9lAt23+zA;hu}lw`iLlamrCztbfZ&~Ug=?y~IJ%GPn%B>>x> za|q(21sUQLA{gd*jvMoKfSMRSgWj; zCByl|am7@OXD%y6wmX&IM_zA@AAo7atEgUWDxIpSo2xF*3wZsmD|$t3ine-zYQFl? zdBi7={e6}K=;aS}N0-ZCsqtss`f_ZZewWD5*-ER*RmZPC+)qhF@AH}tCnMUcDg4TY zB=NGD>g-Oqfp5=+ZP(^tufBfW=iIiodk8d~9aoezA2WIQ3%Q3gHK}6)U|#X-gfY(f zI@(ZgBcM{`-nm=zO=}!vNDtMgZI`5^;no`@0T@0r!lNE8g(e3}eS}NdFk->ngR0PG zqEu8e8@dpfJG`fi6FA(kVAOZBbL&q%m_hz3pcn~O>$zh?6lIU zz67zJ+mNQGM$6vwMWw5#?~c&*sSSvOkoml~1dtQJeq zJFGg2K|eU&_)89|Xz2C)_T$|g28IHVSrw4!yUEY*@Ol2GCR;p2o;-Yr882w}NXTn= zsXc&lC66=CYPlBXB|Bk$nq5>6^SWg=?OXg6`F+i_EaMUIL0K8ON_Tf*|qa8(QB@Cot3E|ESxF*L`SxmW^;vS zO*5!}jf&TkM%Q#U)!kgO)RL;9s#8VK)YwPJ$(GVCkVet%nddxbPANBNB z{kVK~cLiy^jJ8&8B{o6!E&F>16e*~so}#m>YG+=otm5q^fY%-!eeC-p+q~o_nTUxQ zj}47N$|*iL?_fOlXDF^W&F4it>GTieB5v{m!>(oyK``g}-otb>?W#7+rz!QgICX1r zqs2NF36S#$6juWAKQhoCNih6NM4As_s&?OX52#CcBew-i5npQOop+6vYsTc01@9uy zHW%`ux^8Q?lW>;2XxLf^{{UC^Ff_6Dib~3U-!}$vuw-i5299aE8|rTle4Ms}ijR-q zh?u*dGP^f7S2x^rnYTFG*6zD8lsZ-+No`iYI*=k{vcLPv0V0>4Q>d{N8E?CPy^i>1 zY1(Qvj~qqgtLGI6BN9RfH7S$h4n=^?yu*OM{m$A>YGHlH9hrb&e}Z|>`}*?qLfNC~ zW*e<;zOxJuqCCzCpA91y5XITtJ=m-;I-#HoxAu023tr|?cx$$!zrqaJA51=ZM259R zuy`|HB7A;SuYiF#kPF1o^IX3+BBUT4CGFc}JI3-^MW|6HI!DIXPK5IqiWy4F86lKnxU2Yg>PY-tJdCT$2P^9EMqLcMD+9 zOOwYyvakbOPf8OKkhNl8%PMp?5gnY7qD$(J`gzn%BJ{bSdB;lSPSx1UfI412DDpIL zmk5lP8~gi8Dvmh7?X?Bo4U@PcN%ej@M1$8Gqn;^<(iz{VuVWN=5fdc&h|G26@F6f$ zyNO#bwzD^%H!@b;<}{F-j*0?f5meLzQA(-oOWw7#$kr1AZre8$zyqv@yCn08UV$hp^3oXNfxi3NVw)z21H$&7 zN*R5XpFp)JArL+{i~?O6Nt{!LZy9WEZjuo_Np!u!21t25e{tPG;HC~+?`3?9>bN(5 ztmS-@e^2vzYmX-t2Ma4wn%XfmJTI#I_VS9~-67=Jz(kj_*0E$)DA|xoH`_$3^RF!f z!YAbR0fIQLfFb>FFm@+TFVUAbYSJ{n!W_*-|C-JK zsHERmWGfK4oQ{2WvVbP@LaCL%r>ZJA@gBxf0EG{ zM&di~@u_HPJ_bOkkN_Va#peTkya+^V-eRV4lkMgO2h~J>zaLca(=W5eCC1nM&j995 zF^k5(zs3LL_)5220on*5qKq zl;D!79v+*BA6K$)PFL0c;PFG_XY8DKU1kSPMTJZt9|v&JN1OE@-SBc%(x_4kan?7b zKl$mz6E9?=MqlrAGO~k?QZy@ZyK6RDYRF7Pcq{dwncCuWUBWDWfoU9!mpOBT;mM8}p8nP_@yq%`>yPBP!);+DGK)=Ci08?onA-^{*IFGS+Bgx3Q>}}%;Awz|)mZ3;(T`#|P>DM0ZXVdy_ zvE)RcAgMrV#Jdran&N@O?sDvbr0|dZ^#F6^85O8H>>67&yku)ZX5i>ufjsGbBohx6L4#kl zxZQMFnZBP(DO{rX2Bt1x0)a?uJ}!~G7J<~1J)wZ@16VmqtoVOMp3){-h%s| zK-g}S7Z#I^uEeT|R<_Iph`2MCtC#OE0QF+pLXD=w>rO_%00J4O%a%NdCnsdlMNQWMDV zS8`OUZ{L&8)6LoPDgd@l&SOb!l>0A-Ws1fw$Wl|T40;A9vt+`2RH*dWY%Yfjrchhz zLgyjF$rD<7j#2{a;&?X8y<=f-Js8<95;m96jR^STL3L8_WWtv{Bfx65YV*4Dd|oP# zI8-7_DMg6T<<c-)*x&53zn(vMR+97AQ0T6mw5;NlG}I)+VQmxW zUZu)ii(>7m+)kvrGzjo7SewHJmpQU2fOhqxy zXdZmrT7iNO0F+4N<)t9U74hX{e;wxU{(E9QYksrbCHtJ`)} z!9y+fnPXntLDOXfT-rdz@?Z-sP#$=rWY6GHCrjI$FSq{y>v4HS#S<_$o77XNS=7C% zXjm=3RHv|(Jg`Za7m1__9V#^*-Ce$2NK-3dWGoGVpCjLC~S9mT?og63uPLyQ$P>r8fKN}7o&>jtT#{h7snDhXL}8Y&zkG1r0~+b z>U*6f*a;t;N6~(}^|;{%&QGhIZax~#bbqe0Za>4L8y*jb$irHo=9d#kjy`K3CGo@P z8oNM?IJmgmNF8)-Sr5SaNxU@IBHZL)rR-U0*M7{Sb;}m69;#~x6gnu7_SQ_I}t$D=KGja?ym>~Sb&9W^4L{TZK$7+ z*T$HY+MCtnsw<(ucKBq0fY*tr2;g%7z4jvlDt{J!Tpc5X40=0HT|*L5Up0Cl(LUUCy^zO6KJ%1OJmg#D3M-^TnNLus32<44DtQH*@Zag1aeMxt7 z;}v<33FGs4_!BLRZJoL8oi9uGGTrf=QA0L|K*XjYamI-{^`QJlD~YqbY$gC z*^K4p)a0&Ps%Dc9S&*HR-A5b>qlttHJH&H5LGpv5=~PZ8#WL4bCVl~f&0@d)xWT_g z0O;*0>t(D)mKqN6NKSsa>0;O3Tw%h}z|Gx30T0lERnl;GwljPW<8rY!YUtY}N2#}r z{ou@KyZ4QiuDFS+mc-PI)Jba4aRM?+Inc&4vjGJvC!)A!~5%PV(e5a!*=qWZU?UHIzR zB;i4c=c*NuYh#vNea@HuVT7^H11wXy3iy)){=)Iz*T-3U399KI*q{sV>pu49jT0vP z#6A-QQ^PdTPM_}a&52%R!Z+1ZpGZK-XlsI57*?W`w?!`jYI@_WpL)`uJ3RXaVZCg- zFyB8e_NP;X{MGHPFv;|711LIzbtACs=I+JPChB*qbNcvX^Ux4Y?FP|VG2AR3X$)pz z14XO=FQ{&xH-{%+-UI6gH=8(Eu}yCvzNA9X*jJWs!>5kcAqO1ZO{MnmBjwGL6D*W8 z&^sq7c2M3>JuC4veIoSQlulDqYaoFuVF=&MT5X}mO`Cp#LXG=1Z$x9Q_+BVB79fBm z&7^olj&JdN5%B57lN?0}10^lQx7`+CIos&Fv$ zdSa}0lSM~DtMKzUOgl zPL9A0WZJq~rU5w>A}3c4CL@v5wUE2-LRaCXRQQHA%}3X0C45y1!-pd;`0;Y;>dyKq zlc@Gu-blzL3C8xXHXL^aBA!=c`X7H>P(6DjA9hyYea8**QrlUg@h*0nPw*3(57jN^ z-3kd|&$&L9)~dYg_Sx#019OLTG~Fov8Tmhn8ypYMX;rEJ$#aex){}{m)|>cNuf1JM zu*h+E8T?mZVPSZXF4-5fiWa`R{Mzxoh=2fz!TQB;l91EzP$d}Pb`$92o>!g?9|U5< zC0*D7AWuxt88I^6?K0v|;&Xa+cF85eqQ@)KM~pqyrgI4jJT6w+%%+PDbF;IS^Q8>@ z48FCqSPwC0O3!kn@FZO(Ev|2q!k0X*vf@(}H9vSUZlRP6gynsP@ z@Xap4;^N>W(NCk1F_%p5o1?|;BMYb>ZyN&{-{nkYb@izGQNd5X%9cnqomXkVH;Q+EZ9-6-5^&>|nWBPU8Sp+uv3n zjO~;NdR)#7>CIIcoLPN7)o4zk#GDq_?A(Vp0cd=QvWVhfInI+w8=jEt$KW(g% zvz_@6zEsisr$+9-{uUyI*n^xscwc^*bN<_Pb^2sB!Gp%cU%c}(N|S6gKB)XPL?s&1 z;+|hRTU@D0ve*nU(ii3xJ2*JmJ2A*F(tD9Dym7P)lE0HZK$%)`jqq^t&(AK- z`;o1et|Fqx+Vms;wu5G^T_cQwSjgt%9X!KBeVU6ld&A`-TR~5np`^I|Ebv1d{VV2W zmqT7hOGk}=7po000u}lEvlbV~UK7h%D{4k4$o#n7`{|pM=k}5FZTJTpeFeGlLV8Y7Vk~jUHRckik z)02s4Lo9q`#Om$2eWFxG1T4t2)lb44_17xuc$^CJB9}jvmV~_#38KDPsGUZNK*YUH$q=x6K%2{H>V-x;eS;p zFpmmIDcbRjRbcf~QyGHyOo1b5dS9vHKw9iwf{vn&nyy2c6#dE|DM?5XZo0fyJ(NU< zx+tl@p+2LX>Rtj7Vbv!<@1y9m*dVYVkkeXGN?0N*pBaVwmpNa?o4Uyk| zUyX++uomx1fKP*r&jkyx|Jt`rVthh-hCH&Zi;OpM{2D-AfhGN#n$JR~&|jtDWQ!n1 zOUOb;pF{@UxdR6xbU!4Uu?e4FAYIp#9m)G}--r;8jM;!=++wMwLKA;n)>$|3H2Fq0MkgNl?7p4+k z8J?G0OE(#4tU5AaY01dBrGK)?!?yZX$ggmq)9c5zJ!|r`R291<2!M%NELth`USNzAk)WOjh@VsIVT+6PWhny z)udDCI~0+b>BoTk7uOu)r6P-nyh-91tqjUuToE2tbq|0o85Kas^`g4rBc&Qxep#RP zQvnI2`w)_^*qtxP0X+kZ!Fx{(Se_)vh<*Q@I{ViOftKO^+0mh=fTvJOU%@tNqi*I? zPV#UI6H4|u|1Ups`w|1**i7S!AoJ%i+8gfy!81(UeH6g8V9I`s>Lz}y6V6#*Pc4s! zr+(RcdV(ZzbT^aDIR3dROP+~llORc!I13i`igH{dJh9vp*~h5=UUeHFDQQ9wjp^F( zBa#7FIjP~hXOe!q|4d2o;6bw=uxUnou;Tj z8emzJiJ&d4{QSrQOX_y~fJ|cx@iR3a4_OG3pd-s%l%Z-uCTVt6m!$W)eg+(NzPs{+-lZWE(K1&xV zTD&KZLj&YE{8c_m47YT$EC0))z}s_0nA^U7-8)Ha-}{p?14Ar~7`N84YvdBcElTIR zwo21x2iMmh$-70CMFZ=YS*!RSBq88)POPH^a;+lv_@FVFxiUOsCDf*NwWJg-lD;pZ z87fz!osoT$y|gqHK~PV)guDB`kg~(qFV|h!8{BFHy%l?NgYS~&v-+36@Q3baYRU{BtBJPyz%sCoa zQ|Ioy_Z%JAbsS1zR~H4Zg7YrMC6QffLI3Q&)6=(#6Cyv&D+4CXUcWcn!5<|j_P zUzE3)Ap`q2)Pna#z5{gQ4fnkpShqjq{hwYWAC$1}IPme1qyPKT;6S9J%0KJ)|7&&r z&wlLxY+L?cTaEv#AsO*}ZI$xPR&PX%2eK#OoG?xfl6_rcx*1RDb=|NyryEP17kMll ztYK_IX`+xrPtRQPv#Oj850jrm1c;7N59u`BP_mOe)165bXG8v>u{gPfZt3~g5C09c*4(eAkBRGB(9&mGKPiDMy*3vVThFh z#m9Po$jifjr?R+;tM4}|`2odZ`;dhieXS1m$vzKvuf;ZTGMSZ|PVtfyH3w%!83&KE zIXysM=QUQMl|h>TVIH8_J!=<+M@z>vXy%=;53fmgm?GdhYKoofwtIVpGo19Q+hboD z=sdJhVAE$r=J~5cO?6evt=xK8z{Dg^{ zT4l+R>Ol$BX>Q9IyTXQiErw@c8O$*ekrH0BcXVUO-y9;@Q>Z&1t9{DvExVl1R1dSHH&7 z@B$a^*L~Utp^ODf8hq1>ovpTvcVZ4SQriXk+=Ovz8t*$DCwj*x;gtjxp#c$(Ua4-o z2;aS=>TtRJ`5kBHTLyh@ah?$>B;fJYVQ>FKDIzS$w|(*rNyUi`Av(@-EUO}B>HY%3 zVPf#9p#T@+G~Ski29z-qJlwUsvqC~Pz7YiFc||tYzj8vMOV<4x-*R$1kK5ftCE6*q z06VpT z)P=dXb*QePJlk8gW5&>Hj#u=QI5kgwnp?TVpRYvU{f-VaN?%dX2y5#3S>lEB_vmv{ zFC}Ir@3gOu$2k|1_m0*c{;A>pDZ~g#6fa2^3~a5^782;=5xnHCj|6e(Uxh)5&u4*!S?7SMM&7sd|fkdZfIeFM{f6 z2nwe5o`ejv`FSmQxS?>)!(|>Kr5R)!4?_jQ8CCPcmoymg50i`sn@g6f54QY!jWB=~ z8xmwFG3huX#{(d8++MwC`RZ0CBsG=ibC{Rs#ZER)YLaM4W_Iz>N^ieSGw<@4j?(gr ztKV16881;S3z@J}gRst!#5{t}fHR6_$KQw;H)Tn-B<@p7P4Uz6+O;~jn&*p#88Vf2 z^jlf`nd^FWiPv3yd`iK&O^RpjFah6dL9jWfu2z7DyRzezb(ZluVGQ*4Y#c1<%4_XU zdF5<%h9@_HwTr8{=vj0Wk8mAcdw%F>Av>$^knrZ4@gnWh^yvo6~i)3HFyhENV|*zR<_5-Jbtpxy;(EVYC0hda1wzxndW+(vh!e zUzi-Pr6Vj}(Bts<7K|HwY--r$b8!$9wC3!Kl<6IQXly1SLOVgWQQ~jRcOG^h_529CQpQf zUiS!8=YoB!D1cDgwa1qW&WpQudk3qWbl50rw?QMaxya+;?!|2iJbBzNc}0%3b9E9x z&>oS*vUit6Aek_MzV7@;E6@!(u-~O~voj|bJ6966!6@15GqUD*ZQJ4g#XN6WV>1ID z-~+vCJ$8yr|3LNYI0;FN5uP(3B0AAw`&TF!+bLM%dNVM1XSC5;rkgF@%x_&SWE_B= zzIqQzVLN!TU0%Y)C(V1$l#cuvt7`@KLDOx_@a1&)TD2?i%0}%E&PfXFXhsEi-Sls4 z#>txS+s({r%*|;WS9%G7@fRZh{2j8w*7;{qkwuz9go}Q%!tfhhg!a_sRC2IPM9@H+ zua|X>G5cO$Z|lCErinGQEX)7(>yf0PP;+EvL1F$NE0ZR_2NUoBT`>FLX`JYT3s0b@ zhvgC0*|U%@zzh82m!e**x-$ECWOEV~#yo<`CB>mGBNG}k~$~4oh>*c7)V0p>`53y_6={NB$0Q&a^!}YQ_Lv|81eIU1BbIr zH-ZNT+?{ZUg-hvx=Uxz$6>F)^DWM#Od=CUVO1dB3F(kN-n{Qq-bbu$5hB7v_I{WJ|KUBfOEC@? z$$ zX7#5^Pa`=%VvVS?*%g7ldRg${#R}_G=(9oJp#AMzT? zF#v=#EM94PBwGDLx#f^+WM=WAbQanlXw#qGBN{8|_JwC0W64Y(@Lq15oD?!=SyYk! zj0jrR;Hys0gC7)0f`J!|`sK&_*0T=ws{^BY`|@_vk=~lsn}ab9G#@L*`pmN#z9^;V z7ZztMk1#%bbz{`F><-nFHeKpU>Aq>uXK#W8>fy;@IXHj64)q6$FVz?8qD~hCmaByn zkRO_zryY*loGh?T0R3=U%?hoI?_b4tAz2^4>)rcc3I%cti{<(UC`8Ja$7a|17%gsR zelF`!ecdBc)6o7OE2wuv|r1+4_IJrrALjk1&3{AS^iSA}y=Tv2uMlx|oTCgheISfDH| zu~bJUsjn&A4r(#)OS^RD2HR`1tB#zd!*~jkzWEgqNGb6|jX4~DolPNR(Utl7=rk&5 zaNmM4<@f&X3xW`5QeGZ-eJBt=Y_ zd7AgmoTnT+BVKq9=WK+lGsH|*KIU`lT=p!D>|fW24}qnMG&Pky1d5kr$)1xC{oZ^C zv}1_T<*a9K;&Zg#%UErG`0@(nO-WB$)Mhc^0&@r^vbrkrDSG!%)%xa*;Z24>`H5Wl zhA15?tHC1YiK`Bwq;{xQRH`m03#^&hWGEGY&ch8Ev(2ueAAi*5>uDX5Og zK|V@5TMn~*%~WCFs=&XQ>20NrIYr}Yw5OYT|JX%_p^qUyqwN~S2Q`IjB$>3Zzaal@ z^|-XIXjDccGl1A5*#B*o6#1R?_lcec$6od66{%&>9P~m`USE-ZA|s%~$2!#Su|U{h z692mc)8VZO=PI>bVbt&G&;lMZGnYT+`4-po9rS>_Rd0U?zE-aU16L^Prq z64AUF0To)h_%*Dzh?bx~4VR{;yw&rz66!$bogf~}DyUXxO0{nWku^P{*>dT;QX9u= z(E}4;8tClb2;(7bXwO~SEDpSXwIDr&3PfgFFUV6&iPY6(`ld*}+3cjwS?8adXY-;U z-7O^BEksGH$)pm@tt5%Ah_bSi5+^~yu0z8b9Br*DlR7gf(JC6fZoIK|6nh~MB1y%a zvBnXo&`H7j1Ua#A1hU%)XUJou9ptOs2-Q2!m+!R3vUy3V1ZV2ga?#x-Ybar*tp z3OV_?$|qN^0}R`v+P16TM&D811&X+w1wFt|c(^{;2coI|)IN%p;bU?bC;-&e&BUpy z&}D7#&S~pQy+4{__Ey$WS~at2|F#FxadkDlBBcVk#)^}i@C6Sdpol`l5h+wSS z%fEWeAG2!ip6g4#=@)!1b=33aEFgZdW@kqEgqCe_NH=AdqZ}&%khJnLl5&d)iAsTA z>@hM}#1q)N2}V+bINd5y!tp@p1jK7l+t}Ek1Cd>m4@j=}EU+oDy&U>7yhc>q+BzhW zHHE*xeClWcZ;$-0Yi4Bi*2THTiH@=B7C##6sxTp#ti6Yfugf1Clumy$vahs9j;T)PadsmT*PVsKG#};%5xuS- z6_*(Jf+}FqUw26hxnB?Zs1}Dup?~djKqqC-0%2a7KdTUulS(-ApnRHgZW*$iA_bizT z%(vs=U;>g_90pRa!yS^Ot;}!vbMDR zY27N?x+~UimrIi7vvuiS6PIUKHDwoOT#ZZ{wmMb z4p4m>=s0?LMK0pPEO5t?Qqlxw4Kt~Rh>})`%>y!m8WajmZVIw@&Gx0?;8kGAJ908pu$vpYom z9!1-NL@7I9!@klm|1#Y>Qkyk;>y^Wl1s}%E$kpqjl82P4*H4 zVN5q17o$$N#K?JCs6w>_T^UIEsRN9d_26xmhzDF&)<@@wQbzIQ82?6lV_8z_a8wOn zLIJUGKXa28 zO%=$`dPx*|*T2@&tbcAw1v3nA>a74|^K!Mi+B84k3?{lKKhbCEJh^&>1=&8pXXM2J zmb%TjpO5kS5;Hx+3DWsKKuA~rCG$~aCO+n549P32W?U?X;D*}T{JJoxVz5j3Bynh7 zg30lQ{`5Xbq6r6{4=ykZ%xLDA5Kw1rjHp6O78=&p*8A3Np|`s<8_R{kqA%ZhdV}ZW zaRs9h-ZmodY|5&d*l)X1dT^Vo6zT-vZi3k1y>Cm)Bjz-;b?Ra>DWxj49N=2^JT4HH zI8nvJs{pSURVN@qU*#QL=TDD6Ja5i)yYe{!9>Exs`a(n0Js=%rse4E-BZoqmp!pN> zA;9ZOg$-=T5;qx7Z9UAmg!?mtT0rN=iV8a(_#U}{2N%;!PAKohef_%_s$DA3>ldjh!1QRB@yv|!-8UY_Jk_0+ew2|NS`3Yac6<6lf>-;9Wx4y zVegCI<1I9SfY2&@Yn3h1o-ge*_g&N;{V`K8E<#&f^%j{}{EUD@MVvX6OM`~{p8wx* zNk9cV;5WPixyHb=m|W*>F**D%O`zI~o=Zc8j6|2ZjD`N01`VP$CteVicTZz%rcE0RjWRt zc4P=eA3m__;{8cejnYCZeCv^I$WuQX8{#nIx?5{u(U61~s@_>{C~0oWeLUG~_4+uj za1H$g6W85sB`2aOa-YvdAy?zlvmp|?hyiht>_3ks>I)D}tQoa#XMkK}BW_QfIV?U@gT<#V>?&*Q=* zobx|_k$tn5mbus3$Q_whIQ{Ml>tPgsj^V^1hi10ewS@v%qy1$xZmWT~a$ITcWR`X| zN(L-y8SL0$z1BkI*t5PD7@%p#QNz>3Jp3m-|EBijV79-W)B3G{RL=z4y^iBgum0pk z>NRatsL_-;*nZ_K5>DN@qo!r{V2RdV7n6z=2=b_4bzbRFO-;$8 zdY{p7r0SM)PxAETyi=C)8+s-aBvz=Ya_Gy&**DWmJaX};O6=)!rB|v5aSpZ89%a~t zWOA}nJMwTeI`96&Nnf~QGc#IOtz^*!zcgQH$Yhmkyb|&c( z=3=TQpGaEyU9lscsD!TcP9DZ8Jl6!>HUs@fVFBIG*XWfKzh$1C=*;~i`HrESegc`Y z<6qrakxyhVEGoN1G_|#PIs_TFkt8>3KV60$sDQ4NCG%sL%s$=SObNwJSrk)HCFk9! z54=rVx{IRCYQ>2+wGGDZ33{dPqAP5&p&4h;rY+hGO|EKMIa11prz&VDdy8JROY$W< z2gg)9*x8YW4@+L=kihRmbpX8(AjuxeVKH7mUYg)>ua#5<-K)V)(x}ItpC+s$8s6A$ zYZt1OaFQ@#WY&S6Z}sNE->BO&9*GYT@m*nEvHXM%cLf2S5%J@XBb|F$F`DlCo3&mD z)L5eni(%pfg%hV9l7H(8-4(b2QmpNu290>$R`8LXt%SYrd`&x*Y9_}QmN z$4w~x2DLKTe|T;6^5(lzAy<{TS*#wTjm8xBuPsAmy*<#`Fi-s)J|2=b(*5^NP#kHyApr8l3cz~p?E=VY@mqPFdBpiB8o>OL4X#LB^~f| z=B$KB2~AXqPQnor2%$;up=08RMiYtR(MjN=iIx{`1Sh_mD)gChOeK=QLzAgv#u6Fj z2cHe2OZF&8pl56`+bUHZ(5V&Vm5!mqROp|p8ODFp&sXa;fAk{5l}W9?idaRLIxTF)I|wH<}QSe)gsFtII2x@ZzQVC>&OLprzy3sy+6DNqExnykjzwK zQs3^ILszuW7qe$iJ9ePK<8BJyj~qiI&=4XSrJ6)eI@0ttGaviBg7+$#Jw ze=u&^Ev@LdupduGK%NpDH8sqI4OT=OVX^s=;vX~!*`KMx4`jlC%GeId^P(s@*Q|6fzES0EbC;@JAn*S`Loe%W_ zwiCzwE-ONtRVvCO&8UZ0=QJn_Mu0hWQxTQ9QZ*M?0;jS-Vii;=!`!UYLas z5jv%)8>rpvjCk)Te09*NP?pu4mswQS+drv5M}&DUfP*1rE_#4@_F^6U5uMyVC99(| z2@#Ru^GSh~XAO-`tx`+!6zzQND}qAW7j?FGj9J!A>{97J_zzdtb88mLTxb#jgC#hk z%J{5mLtAJKfhbx)S%`J7NcSFCQ|q^uhcmW2{;2ge$kH_mHG5vKy~+I>kyZ{^2Yxz4oEtWxR{`*a6~|M-&XKT4C2E z+$$e?;TeydcxL*yO;uQjophXJ5PA=u;}~(m#G%WUgYg+4=NADAHQ7zVr6}k>CT^7G zPU_a}9bFR4p83@<_p{x|*3NHKaJ`Le2XAdVGm zXD)RfIbkHU2p2nRCTILq#yJL6=`Jy$s7r_;<4nZQu0;ae-PlR7pDtKdh%DeuqUq1? z+?X+~DDL6Bw2n#F?z$a>b*c1H>O&`*UYf%5`RjEMhNyvC?cGPcYS2?(^O&B_hm*=9?*l$)evi-ACE+$%MOscIR0kuK3F?RY*x+ z87@hlk+uG=4!-j5Vcr5vMx&LE&+#V)J032L(8r`?$NLZ8_wV~EdGXe7S#lNmDPsM> zI?^)Y)!i*cDbRMX(4E`;w8Z*bw@d?Z|5UPg02SFJM*L)92)shQ=0tsnX=Em2xxc_@ zxu>6%($uk?EJh$dOmyw#Yji}>o14VlikW+6iMC=}(gcuw+?^vi|7IgoyIY{WxyP#C=T&rAbbdwi@S2f`tundUP;N zXU+OjXkeUvMA(= zgiqn;#*X>Jn#I31)wt3SF^7Alhgc5_5{k0sbRN^ey#i=3-B|EiS|49DK#BOXMd{PT zl!;WkVyy>nM)s026PrZ0G#=kieUZOQK#cCASYswT>p?oFDNFi>;n8V`54p=UBu-%v zCx+r))}w@Hx_{m!@pP&E#^UFmAW%mMK*e+Rpu%{B;eT(#NmTofR$^A@zZ^YJcbS;eVxXh@rqlPl$0X)UD3C%18~-XXI8I0M|5EK zwC*({kfjEb>Yr*HakyY;{`b_kaG650olzpqbCvuj14q{0GOYK0jX!WVcjV+|gowN# zSiL-7_bbMGfRd3}_}ABu16=hhG+oRek^vRb86opxIO=8)k(}IWcPsya zDp?@G(5H;QsSs7<4%PbQGV1Lw`Hq>b)8y0Lviu`yqOzkq4?@%Z)GO-7`2vD4Te}&a zfcq;E^41NSBk9)VxoorTy^+f}cGf1ZXvjhKR4 zhQ4vhK%$!|!S3Zsxn-bGM0^2hIoVAMjjg0`K9Xw(f&0tq$)l?F5cU z3M*4bP8*?KI8ok|8NoGzwRLxwDzI$$0`_SJe;KuhR;YM}2^CpNDJ<^*!f=uh$i)-Arxn?tBh`X29>Lkj)>WUj^CcfKMKz3zGf*gn;fOu?V>lJ6N+zPik56ZV{?DQSd~2Z(P;O7hNmk{`28ysjg{ zBY*x*Y}6;R*vn~zsaRBGFvnwnocH-&so&ee5%dR;q*BCz2*bdi>_`LQ^G`M zL+spyt&8ool6(bOL8bqW3t`;S)AM<3y3@Oo=&Mu)wh$ zda)0pWgm@^l5z=XG6+ds2D_Ib`Y>^p#*QJlWpBJu5dBOoM@=$O+~J|+=M8&DUXhsY zZTpIzakB_1am3^^<3(cG@*_-}N5m~OG>YE-*)=6sor+jiI1 zo<&Q4P1$&M*0;NB*LL}PjZzt(Lc1=j%4v3-g?N2|lgvWpg?fLQZ}QVmHitccNw^hi zw(|4}vocr8bw z_m*83rZde0{jKI+MPlORXm);*FfN7A*6#Wz;^+S=oC7YI-}X(!kL)y#@kxd%5Pe|hGY@mq z!|h~KZ9h(8{8-4Q>d(#&Vji2h>`qm8k9_8%ZidW9JN8NB9QWHR%rR2`c1*xW`c*R9 zf4$F`aplp8qKvf?s{|jMG0F44Nn(_YqOAFyS;JhM2>Y{+!8>I5{Sn^-ipTojotVKj zVK{Iz5rss4gZMXI1oJH2e1|QKb{PB6E9%C5O?UuF_dab?Z@Y!(FC}?kX;w8Ev|M%& zmp7k&&?%kL-Tcl*i$n3c_X?2HM-NRxIQ#(byY263PqbjjBPiF&ugdY`pG=yBc|%$R zizXxd`+j8_R*2AAE?1W3EBiOc%R<-PS5@0AF?5I9!T)?<0k?YSQkSkg(i)2&DirsT&&){UJUvY)ZKF+rjgL+r{O>W3Qdh!W9xquBZ03V4=Dz26&+AxEXQb^__(OIMM!?-BR zMVUiS5w+d#w18>*B7;Q@9!Vtk!AE>@!J34~FP89_Eq%z=Z+ZZ<GeseNW3ZZYU{F&FVB#@1t8Pd|0`k71}H z12Z#YgQmH4&{|Jq&Sf(>ulr|;Wrmk8k))41nmq))+*n?{8XRQ$^x0D85D0}HpPixm zXJvVziI#ZZlq#>8N09N@bO!HPYfuyX+wgA}zEl$7wYL^emp7q+Y+zIYiGIQ|0RlP5 z87_;OL|q$^=$EV`#%T&5ZXxTzBHW+7mGtlI9aV6Ub*^45%r~^R*Kp~*2;YxiXpW!A zhv7oBT94Er3#)*^4uzBkCNzbe#yL69cO3O zZ+!@HX%8@Wut@ou&~@dpsi4Edf(wHs)*QdgyEg>SBDm8k&1A5?oDweoNzp<8J3b$! zfKK0rX>$JaMn?QJLV#hW7Br!xg2)aG)E~snkHA1Z{rEIsoknp9Wgy#d%|c4{vrQBV zjQPT`Pi_8|qw#v4>>Bg3J$q$x+PqO)>xx@91VBVpM_~a!vOsW6D0deWc?kSSyTfJC>qXDaJH4GPG$Hhp zCQTLD#HVj%WgE!-1i9-p_mdDnq!|QIl=d>gkgulfkb@&9T+D;Ndr{axgfv%0u<0lQ z__~OH-x=POg)`6R=^|D(^Dqz=vO0ky>1<_H(*!<9ej5Bt!TsI3u2fnd-ES|s5M#7nLJFz9jNz(l;hG0wO?COUu3p4mZK@w}- zQAUc#r>9pp^HEE_`_+h~6|4lI+qq(<5L^nx3i4tc*Rc6=aZ_0^#BQlFYUq5~k+<#Y zU~=#0deTg^55{MX#4tl2v-<|q|L)#4KzAFVrXVT#vP<$2q=_qMNSNtp{+;Dp!ZneC+n#QQBD_MlJeN_)RWW;_fhuC*mX4&g@Nm14Ha5zgMN& zG8d&^p+Wp``GwMlR~$j#L}iH~TRK(op-?*0lVrh}xub`2=iX^4)q)%nrBj@}E=5Xm zbmk9(UeLGk3e4mO77xC9iGSc>KXjVvU=>v!GATB*y`7Syf}hygkdCYRJ^33c1HbnQ}c2Vrb(%nB;i6WoEb3*5-PIFl)Rx8C)M&RPNBf9HTswRMA{A zHD)$$WwYWmjcuM4dto2LRqs;;TYvFZ89<=!L2%rrZr?Z^`)&U?svvuCt!-qLc`FFm zYENZkX^@Bzg?F-b_4(lqZx%Kz46DTenQYJ0!Q>RzJKYbBg;;-HOn}7?3qmSxXcfxk zsDm7k+1sJ#eFf4|PEoJyqQUqty(u2vY5v30rIMnR+j=$3^L#OwA(Yu48|3oSbCS$b zQXZ?TpVVEWlLJSm1PkGDd8lh+*v5Bg-Ha5ogjL#k=Y#@&1 zM?=}a5cN{?4&Z0pu37H9AL;qxL#3!p6q4-Pf(w*opEihX`UOJDk{ojZlCuVS~n)B)VA+vaXt)9edM^y z=i<9Ku@WWWzh*r9edo2jpp#ttYN)GPSeVRq&#jg%Rk9{l z>~nB9h5KH6rH5y~;xGf>uRV!?!qU%AuPyks!ugRpRkiUAV8b=#X8LI>+_bRx!K>VV zBW4g^>NZUc(a64<`t1YUXxM8c^J(f5hN?x4aVN(Hm z)Ov0eT2ZuNzWl~U0BJnkormp?vr)6WFk*=&Cb@OAi3r_okr;(4CN))=OHKiEu3wo`xX&ZioP@F zYdyp8{paL+rP$Nt_`81~v=NoMWEYA03esD@SIE=9jM)QeX8ejTVSYF3K_Nm#X9Tqx(J5tn_2af>z z;C;HF6+U_Ng!*#y@a0>}Iw+Md2=yJowJu;^X1GFTE{NDmxFg==qzQk7FLsHtskN!$WPG+ot^1O63Pe>44IK-4xlM@_65`da8HPd?QPSz2V(X z>v->0gG#8SqwU#cBNZUy&3hfM%Jt`sV)u^eIXy={iRz)?DZzFAIOR%vpdF?lcsi-OCISgQ8@9T3^7E6|$cmco}K*`lz z%2Ah&6;z73cqH1oY2@tRmRV2-TwB>n(gXH={1 zZQl{;6O~G_%sIDZc_+`ZH>OkhQojm1S|IIeP}a$I>uoY$gC=_Zwi$Sr@$Sf?sBfC5 zAx(q<)m)wL=3#+S8@TiIX(Z`XThGe4=ELxQpQZ-p6hV!b1gIjTEnzJ^%)i%(`T1ue zDdtkNzxY~_;~efRU3TN_v|JtpH3sJ;Aw@a5ar4@KgGUMb+nxHgQ4-Ld$!(v1MnEZ$ zZQw)aDU3kk$Y}o)HH941!<&u1sc@VS0ua(|hAkZB6*Va##MWak29di-<% z(C(A81zh48c|($}*6PYOtMQu>0D%F7h~05ox|hG85KgkAa6|5LE#BU_v4sj5mq{s- zMi$^my(#z2oy?;g{rCPj_~~B&r-LO)sH(BdLxbAY;N@^qV;Z1| zfM9dfH$Fa?`|hHzVr_X=GjTYhT(eO7FG#OMeP}R_BO(5Giz@W=Vy3}HfcdPUD|U;b zRa2+;hLr-Wbo98Ufv+cDOVX8M^*8fw#HGIN^td3hGZ z%xSOt;Io;T${M;$n2_q{V7LF~d-{Ae=$WcdvmUCqpn_pzp}vOe#n>PwJZ;89;u&RG zq~{U`O@I$Vq3Avg@b#>hyx!l`RNmv+f32+na!?FKgCV9D9xFp6c#!}|EkqD?*3AmjJVy%ho2ks}B7Ex6K6dCG?n-Lq7n`kvn0 zx}N-(5GTF$hrLmTVYNuSUwzz-rn)LFL^c;tNOP&X^xJ4-d2W}Ou;@R3(yw3BGION> z4T{Hpf^64?4Qq>D?^{)J8xxX-cA@YwkhQx}2vJe4|LNV4yJ~E>Ze4*0b{3sn0*HK@ z$9}SMpqF-1xS<~RW5~hV{pO!>wmcU6QeHdA%vP|zV}#X5$g(95?}dYz;YGdeZPT;q zsZM~_&_{zT8)(N%ijQfM)av}Xk;6(DhWh=L>nX|l?M>Ye}zRS}`msh3v7sr@? z?K(fKj>(?-lC=mS7|Tn{$mm*3)VWTo%;H1?$_kECFrQBao68U+UJ)=g_*UIxr$CUv7R$UZZrWT&-}?!*`Jb>$zU@ zS2cCrVWG>p^8}|;rz|y^i`~K87171EvU#uVcR!f=^I1|jP7$QnxG#yN=8>7cR5uRr zMU%w77uIv%(=da)p-g{1uFHD{7uT!6^~oVdlNUbRQ%}IIahdu_-7}=0-zF5VIc2}- z^@2~pXl~}i0M3q25}<~?VlEyScr}K8NC@!oRO1MA1a@o3`b+-~Q1IKub0%c1d@zJYNI!4BZV>i{9DvDHF z6r;@q!UT;m3&SKKC)@OX;#l@^Ea{k%LTg^n11BZR`b=6c6cK&9Y_Uui*IEj})^ep^ zDT03Mzux;S2vGDhSwB3IMSSWQ+$qF~cku@FSmLeCd*PziV4cycS2b^H`pG zw&8IcGKn##(wE5&G+N1&b5DFghgtXU@O@s(n;W2ld?@O6QTt;-*F&3!*-)U$Y|Q}- zJ%|M@SNJ}T1d@*MueJ~qCq1~|W;b&Sq_=jqQy|N-Vts%#2}}b>&b7$9|dfZhWg`fpiT+?pYS)$_+TjeF;F1+R{1Nl@SNcfYUmSSjm$n zHzsTdNZt77<{#}5KVv5hMsqLK6OhSN8)NDncr{nExgIW;Kh`#HGx4?Wt0#70GH224 zzytA$Ad<$|=zU8EL2r?oU-BeRX6%&Ge*ren2Y&|>I|V#)FI~BdkSdgx&P_!qHQoVW z^`HnLXFXu^1w!A?5E2(lrTp3#`|KecW&=R#rUa%|Q62ae00kjnTfd<<)6$VPS0uA$ z#wY!oap)EviOHH6CWRYXSW;$V8CN*5T@|(s_+cN#ZYq2Qx1naJLbyxE%pjDH@xLH} zyvqt$t3CVjetQ4W&Jyj+u8=<9+_kXft`K5PkxR0nU*1rIDV0V;nDXX1C>*}*i< z_0`E7?m7QLbnXnrH)=`gZ)~UPEi8vW`4`uZiSTIlA6#T?ZkMX%iE=Z=c@E?3Qmm|O z8#&l;6)2k8i#~wRb)>4gVw%{%lqEc&_=GXJkjP%X=x$A3!i(YZvikzRVM(6D+x?u)zn%?lxPR9E zc#Pts2pKTL#{Rr(#GudLd=d8o@;xmHq=(Y;Z?pbT86$jy&|LsTbDCfrkQ!FT4}r(2 znv05dcpg9L`ugu#!Vsm2jor$sWt01F%UYfB4m+7=S?@b9q@QKs2YPb%e(k~8vokSU z+25mFUNfEwWVvtZ42oFFiZWCX3;mboV^NY;a>rZT;JvmNc3#Iax(@{7bqf`}=JXXXnbm?31MTl@EBv=m?^-vrphZj=IscRb#Up zZax!@P8@>&WGgWyPUbSJfzM!m(iZ!QcE=uTMyd1szy+t%)qCto`*V z0<{a)zzix&uD!3wsv3zdk^Bp8v=KuBrxBRF!=FYy_0sLvCJd2>@;eSDbf%ns(`&F) zu{W0S7TX3XB!U!3H>umT=#;*9s#tN-Ma_?K7dp4CvSNRDK3`0Y}6bo zV?pdp@*NBohCcx0WM+j|W}%4#l+}Nh8>WS?I|pZdj|zN0v{KH99U~~@H7zbxi3!_( zwexJV0Ig$`XGEBw@~|y^DPJ#AoS6RAzKZ&F4L1ipMoO?Gz%MK7&x_o?l=N$dzM|Y( zH|jsOOZYShApgHrDnr884xOh#uov`tJv!eRbVJh3(-I2|9K1CMpStydOfsEJLW1Vz z(yJ3E=NI5QnawjbXMR-ZzkWT#N{kII1hCc{IldZ0Ewev(SVGYu?%#o$`QD-QW6cX+?c_=+cn-bzE@b%*`5E zQyD1F6hSzU{9JEGFsaASq3)_R@o%h4 z#xDn-0ZZy#3{F-^p9>as_H(G8yXbcCTk_>bYAmH0OF|V*KMi;5(}Ri&@UsR7(2&eH zp^UR!t`Ymb4c!OU%d3{t(NtNB*G_N6vtJ4}jVyNesq&PbR02$l0qowRZF@(ZBH^T8 z@TW3GH937li(&cK*4xXby4nWCYK+%cf=`O+eEROq#d0LG&H|{`fF{ZH9P{lYHm*Q z!@tB5{>%SwrTVHA-%Ni>}-Jb3m!ze{6HlfaUvUQ$U@=HARZEdZ4H%!iLA5%UiUJ}2pG35zxR(fAb)0c6I^ zueN%s`w&g~rb=@Cg;OJx-@1uc(2jsvB*7}~`XCfnQz_qR>%X2t794Nfx`b|%!7@9r@6x2n%*Zq=b zZgY#>>`lv*fAZxQng25U7e+TFC1o5X5GmyfxB2L2)!iS_+)>)8QgDP0et&N17X!hwC@(V9W~6s> zk6C(&kpg7zYi_|nE9l5$4F$4vJe2Jhk)v85qDwZ?KiIq29p*DyU}G8cX&~uv8GBw` z{Vhe4zP9ey@v~RK4rWm7l9-m5uYCL(Yn-k=2-Cot`dZmxX44zfwujuEk{i30n#$@; zZu82~$zYcXxtPAqRKkXim>hpeI_jGPHF~on*H)YAc*nu9?V29?-mg?ZA32@l;MjV{ zAbu&i$LG>ol()DzRpc-{BEccKHMqq8V%_r{UwY5UsU@lBlv*qzCW`eK@*}Vrmpp3T z`S{1q@X$L&o{Pbp?=@9nCtc#t9k>S?*-u_c?8nh137^QR|2X_JEfbT4<*cPG?Ino@ zIQG~(OPy+Kp%4Ewz30!aYAjP!WAzEGsII(P-OK+xrEYiTuk}?96m85)(lYYBzE{Qb z);soJD8THEAVU)-J};d0tRG@)`*PbFnzSr!XBQZhtJc1GdEP)FOkk)vPeL>{INO_7 zR>t;8wx(e$ch^K!3pE5LUxX|@Si`PDMr**uscwwBmlr| zfLOE2{`!;}Pq5Sls(*Y$Lv6%g=kfu%M;B&*oIfT1(C)1&yi+7uSNaNdA(pV3WBj4# z=>z+0Ff!|he_#6dD2d~K(o7W6P50~xgJDr0bX4UvK@~H0WuBsLg;?0rS)6^`X>b zlPt#rl)?~=KN8EH?@Yd7_4GmHfX*9e76QF4$QK?aT$|~oGSFc70~!SuMx^kXD2ncc0ueGz|GPfm47UXR=^m!LY^ zqD+P83tjEy!Tru!_#JpACcaE0xb_e@n5%f2e7EfBxeoyhAWMyjDbA5hGVrFWQ=A6xLpObWRgnr! zkWY!!1F#W*?u~$--R7t%We3I>_l1zq$H@ z%6R&Hz*A1Lv7zo5O5a-GkovY8&)N)_h>j+$2diG2Y*CRKczAa2Lvg>gy2n0kpC31K zw1q*EgzQH^-%eI~h?5XA_%yuHr6tt?7cl-nKcwAx|K|K?e0-~%B^&+h!e2iB$|4<~iM^Ns~qCH@119eEy*ZI6U*4MYq zcUti#%|22kl;O2tJxtBf_3d@OustW?!;h#pS5~x$ENCz>%0&~gPY`fCqNP)4e?5lC zg-PUb>8*-BVDAy1bPcC?2$YExer2WM{<%~P-x1#&{`9O`^0ws~aQ_Df`+Bo4?dF`T zXt8j%2^-#@^*SdK_5+C-vag`hcucu2nB#EP{3E7b=yH5O9?;E!8p;8cm2{rMup6^Ju^`qTQ+?~14CqLtBhoRoeJXBWZG=`o;=8`ScJK*&mu5zQa?My^@29pR(lAe zCsiI~d2M5L*9Z!RNYTpa%cEs>4liNZsg2NqBu2=@hil>}%Fz7$vrjnWyu8*OS(W^C zsbOv3N|bGyee|RvkZ+e-ygZt?x%xf=XLA16i*9k?_>Xh`jy-Gr-Um^G$w_P*Uty!? z+^U>RSEvG6CIKi$yB}MdVBh{8rj!y%Xlv`rC$oK8q*7$b&y#E@P0eix`nWjn5#GJK z;I_S*tjq4hoiL4+@Ikgo!0nY;RDR<4XAfG;0LK%@it75K6WAsJ z`E%N=K`_eZhl%q$B7Fe3b-EsKq80=FsIHE+P`y+^5zxVEnBf!JqC zL!h#YO4-wO(@`7%mwxr=kMngREQL-6V9vC)9zaGr^p#jLl%EqHxC1pm7?YZK?7*1b zEqP+^V=)v%mh!5y%wESKoVmt*&h+8z;!lCSmE+*`spj^L%M1u&e?VNKORag-NbB!n z`V7R9-ztZ+CvR5)OAm7HHFNmaTLHtZq#qiZd4ZnXptd0SB1=*nB!3_cx)t9Fla1FY zRFjENC*j)u5kC)OKiYyqv1NP@2IrF3FgP9?P=$)ra+`--vWG1YNIn#SP+#(b7V@BQ4r$Epu= zWphx#6H*Ni0XO# zP#%Y6EZKo^*Lgwj#njIH*kSiLLoC+)D~wN>(~~?cw}Xc1ZP#i&EICm+SclD5uOK!sdS93 zt!0ArAn&(?OJ~p2KJ%bpv`o_Ucq=i@4bwebK+dAJiTQJ1fHF#|Mx*NK1Ds4SV>ZJs zF*CzHTJoK1Slu9X@u3OR-xSLSpxC!ckw`v9+DdA$&5eoxzF9)06Ce<0!J8;}w0bl^ z)-LLpB*fjarhy_Nx@$vWOLu^9QGQ=nT~cDz&To3GRa|1_Qdj+R4XE&-p&MfHlK()| zqf|;;o@3v9XyXAqnDdWu)ILq({K|d^cR)NvLv0;(fKup%#s?k0zfD~?G%{wkzbyOE zzcC_QaVw7Iz32l+0dJ-Pt)vTdQpf~QhUQ@cqJ9T&L;SAj`M;O5Y`lxsmdb+Kak2vH z`>R|#P65^F5QVCmFOK{9!`W&yeSIx*exc2p8fG>o9c5%A8>10Y*Cqvn|9FhqgJ8ps zMaSIWF3|Cv;|DkHPIdj{Aq44q1VYlHH5ZY(7To2+x9AQ?yMbnyX${`RQts{9cyPqk zrl=Pfz5|pd`~rt>Sf%uA^Iheqern9;f&N)KJ*37F$zod?{LeDX!hb)Z`JI|u!=?0B zOw`6Dke$FTlOYTO2_py}M8Gu8(hLEHH#c!#1kdr>+S*8(C-0)_hH0`_JOdPVcgWD} zYfpKAiA`YRQU|q?3M`O9jZFjK?@NmxM%fWR#tAuas%_CUSX(uUAl5tPeZgD~_$WSz z%@sdApqvwR;6F5RC0-B+G+)Ay@qT}I%;RN20}KpWEnUtZf4rfPvxu6lyB&z;&}`6) z%uiXnDx^I)_TE)cyuuW}<;0fBGyl!`>QwuBzgtt?)1V(pd1oSFHt;QnU9aK zbesv>9S4X`tM1-y7~<2ZXqE5$`Lj}gndu###*w$Q;gRH-RC)7@nyH3mJn~w}*c4R( zH?g)UJ%VwQygP{ckGT7}Gj}8xnE0jVOi$gjdI_*7GWg^dyok@qVzpf6Va9;TM6|(L zQh#wCk@e1oky@tcdr9{sz6m*k&AGg!dr{|Ipic>99l)2&An*imz~Fqt5lAZXgZ`cX z5kh$xxthVFfR>gP1>XtSFQDt0b`?z^eu!z}lgYV!MHVm7#eFXlXQyq{w7K9oP(D*=FUuz_1`N=%47i zF{$mv^uR3uS{-9C&5Ugl4FC|xA8&k7azR-p3=4!zVX~lI1}|B{vEh&)d$-^r&lAuU zB+AvL6|av88v0?R1PiQR&&*xm`a+?^W@5KQs_6~S)PzC93(ED?b6(Yb*AySp{emB-}{+z8KL2-G70oDEre zn0WrtuX_`KH5A?eYO;})M(CW$Vqex;yXCDS#438^8`2x0YPzlf zhfIP7fVLU_V-%CMVD@R0Q^a6KR~`7S+tuz4wF-=tr^p5auwHC}asF|}X57^5X|M>{ zmw`Z;=wBE_ML@teMdrT!ZBJ6HZbieBnG0;kna3s3ZgA9p${XXM)@!U%+GfN@G=Oq% zM^u~k+n~U`y!akv=~mzSJPC(9XCEW$GU_4&E!CRtchbL~sSqjgsf)E6HEV@g&%Tpm zen0{>NNp)uOk!*w0tVR?Ja+mRwS}+ju8;E11v~!OnEns`iYLHT1N3orDw`@27*>rc ztTUr6*#0-F#MTCX%@jQ2Ggv5ugcvEne6}<~(GRgwXTJOgX50sm`$R4Pe@-$1cc1C} z`R7q-89-*0>CaREK42IlJ`Voa(WlAS*u>A%5|*E zBDw&rZ~BMOBbTI*cU|uojK)*}`W=!vUi&fCPn2wr{v9VEY4i_S3fA$NG*>urV#d0v z&yEuO7d3x5RB`3*xg+%8*p`5Sb^y^VXq+)H++wh$^1u##4uJRo7uw;@gsb=e0)ZX<3b-(; zus}}Wf#JmH_sIXX$RE>8cP~w^@9aVD{{IJ%>D{EA!DOCG8x{zi;W|>mHvztkZI_2hh7lLV1k;^CU+6p8f=`0e!OJ-@CXG3i>303e|V3 z#X0~-gaJe>{oSseDo-5+)==^dzbF=5O3cRuU&;ScA2?WI;I`KK-{@9B$WH}l0LSiG z(Fi3nD{+(DX;ryfxI^$~Zd02bSbqQ}9_fd-Kl+a;9Haw!AMV#I@U^?f-&HmUoIUbv zDz2+S03~&z>j92+&<-vItc*^q?i~vP9OJ2sJDO*n(SPm`PoQ}Ld)u&}Nt6t*Sk6E! z+;#zMq=oEf1LJ@u@dl*UO8NlM<%#CR^FK?9SPHcV*6cq7e(JXEMQq^MV!#4Y<;E%- zp}~_3jesRH8QKVa)uUAICK&>Dqp?zTHr9^40BR`te_7HnVDpKR0!wKGlo>MsWjCt= zyPd=Q;oX-HjDQIPd_Ku%;(19xz5Pm23Y;rH;C+Dde0j8}>BIl{gO?sULuW+i2Z{Lg_D*<%|BZbbm= zO&X59-3qYIso+}|4baq5fL$+ZGUnXByAQl5ky_>dQK%2_Yy44g%Ki5PSgrqNpA2T1 zfO}wtWi#C!2;6JAcH95M(^mks8LaIFmlpTpZUstlcPL)mp-6$^?kOo^v!iln#zKB7e}DtoWgs9Mb##keU06oNQi<4o3EM#rYGg+!SPu{C2$@I0 z2T&}PbihV6pJn~r_BSam?b66bEBpEO9qT^nn|fPONzY&9ixbKKc0hdfA!xmXj?Lvh z;fDi2DXfGtY{)lfcXB#pZlc!?5>?r^7$85t!c+Eeo|;@bY@_;`h0et)w7t9}m8Rmm z;>|z@HBvwik&cVaJ41%1V1O9D$5&q)efl%WoFLP)?+CWArjk~|?%OrGL;fcm{%(sq z?}pK^MEi`M&Y_?ownpptU6q-9hki}o?gXJB@&kigK|w(Nyl5xj&A9td$wuJc60m(a z1zTMSCaCj0o5OI|@Ktyn>E%l*tP!)WPB3g*o=`>N@O08&*2xG{L(ZahV_hAhS#9;ZMk+frUjoLu5DCU*YXW79>(<(VD zi48QvIXG@0&s0%NPCq;}UTPZ+LeP-~efcufo|-IREJw;`=?MBFH=-!RqWQ_4OyBRX z?^sK?2B*zpMrNj-zS4JN(%VvD;-)8yb1&_;3Nn&lOQ6n3yVj0|WR_Ob zTWmWd%SXyWTl5x)$DiUYPamWMMHHPCYfiUM6)SDfjI!bS0^s|wD58bVro6z6$w!V4 zV>NO6wkvY2?rc1?Rb+I3o6Mp^GX*H%@6N|IzqvidK-NlIUF4m2k$+POaVC;t8Jm!# z$l0GH^RgST+X)rz|vBhyy{~o6aHi>rvnvrJg?IczP#kn-rnVu8?v<_vZpxN9UK%H8MEl% z5KpV{b!<%6)pfJ}$AdmU10JS(3GcS8j0>6{dM_mZInjDLzOSL?xg{-z6VSJSrPFV!s^rISFcc{A!*0_eo=9gh4f;|% zG_&2>Evc1LkTy?Ahni<}=G4Ga+_!-bUuu=P^A{jZa1&kQZkL z#Z<-_3l{M&S&5v((C3W<8#*o0(gspO)J?fu5lR+Dt8?XCL`qWpvQjj*w!Q)B4=(i$ zqs(+byI?BmUEG8|@rT2{yQp-q+BzNS679^CZmf=~3q-pVnB5fTEt}88*f}HjhlRP! zCYF(kBBvt3X)%HvRBgW=tiRa-wZ`mW5RkSL_DWmDx1g;+K+v;mhdF(PmadS@%h10h zDjJeC-n*V6*m|FLQAu|575>cQumNq}cCAmYq_})|aFoaA>V?#j^K{`QEztWo^5C$} zUP>|D+BIW);C&BhAnr8MRdBiS8gy-@X`Vd^8i-mA(f2%#d-^H)G|`>wDeXEn|I$7? zH|KFbCq&s3c)OQ0l7`3Pd%N(M@_3}0P6=#Vt%>2#^WcstMY=iRZhd9Rb;q3 zAwOR$paq)6zlR|j77N+2ock&-U(rM~JDWNxH~V-^goihzV{0E65K(1NkyxQ!!0&~x z*-~{BhTQBZ<$goQ@>%(6oG++>qXR9Pc=vL9?0CM(2cLtZ0b?Wk10l!ZAyZSvwxd9(gW=$I{)F~3F`-Ek3o)QsT_t}C)#HQZY1hhi5l6f&bBA;J$2j*p zfw!&`T}+Ozq(xc0nu+~uUnPy;WdzT@mk9lY+ zO40?&1(&xDMl8xI^O~y492Ua)MP=;?!Q2e_%lVrEk8N{N3@MNI-7o@7V|`kW)Hj5b z*cZXjf>5ykJT?y}DNufEE1{50Ku~h3Pj$766&M*x+Q`0Fq`>85RBf6@zL*Mxq)kR9 z8N7uOuYQx2lObkxu~A^oB>pnc5je0oiK23MCUiG?ZOb-^(pXxWdZ~h|*AbiTcv)4F z_Q@KFueGbu^E@VaL|>gj&FzJ>Vxxa=%-L~o(D&)rFB|+U>s8*xXrbCXLf-rL_h%e! zkk+Rqj=agZ{`++e5`IJ)kGoPVEJA&+n2+>b_gk#sG$y8m*C)$?eU0_Dp?ZH#Xre2j zHxntYn_^~zN`toM!$7p;19%UrjZma)w8i*n`KsGr3N+fC!i< zcAwFfsrJ?4JF}_c#3;+9L*4zgQ->W>MRoqv$n4t0^x;%w{nnHPpagjn#Hg^V@#xD+ zx38O>vSI+wk>@T4h-~NDs$vW(yHP}4Urngow)rO&+qDcuVB6AaQ|&M>0^z$#&Wb>? zKSOJ!<+Z!-HyvAEJ>ZG?d`FghFjxc*I`@vxeRP_B(7rC{GNcGP>rRkh05bxmqO;`X zWZ?W>y200pZRox>z9T7XRY?T}Et6^q@$p%mPQgAzA29s}?xfX}wINf-q|PRdW(Hm% zkOg2orLh!B3a@*F9F36I%}p0&5nY&txs}IbWOSvzIZC|O@GC~RaA_>9vS$S*sgqo?6|pIWr6ru1vocRY7a+PM3~PXFc}I7&|#~j(6&W>AJ5|;EQPg~G8@o@hhJU@S+FNG z4Nirhsv{MA(DAX^T)3wQQvX?JH`*?jZ=3$}?y1N;OtEzO?c_uu*TtjI{JdZp0Kdtl zU?r-mf+Ee!vF_1~8;=qYD68jtzv|==3y@HppeTex)=-D_1rRJM8ZLR`2XHygiz8~m zqx|Y#bv3B|fmW?*WoZ-Yd+Ei46#meD4H8J#dU@iy9h=GYK(hi70l@k*21+VovcxBu!Jb7cf>#Fza~JA_>r6yA~{;v6^`n zO?Q);d6#x@6VMKDX8J9@J4i@4drPRbYv&=|*u(jiw_y^>mNW$S&QH^CD%e=Jj}D8j zj1%-tj+H@?Nr(0P@Mh!JJ85m~(%$60tPf0C7?qwFM0$S#1xk=w5V*+vK5=216&)R?b-Xt2hG&TzG3XT+bn)`W ze*gX;$?tIghk{l{={vhnfW;t!%(MeNe(f)Gu#;DVh4mXYnVYVeaqu0s+Hm+pJwL8y zK<(K-arO9`vkjP(l$1bZ2Cnvl#}+zYRy1@7VN{CI!g4TRY4p&?&f{`4wN=z`>M!a3 z#Jv-hu23GA*#de&g_hZj8R>5>dZs$!1K#v7BE$1CvRSh-2Pk1_i^};m;&025xqj2U zs3S0QtDlNhJ=Ot>&JeHzGmDuSK@sVykK zvw|s3TE3C1QeKZ~C#Ssp-2Tb&SOLY(Oc9(}=M?wk?J$T~tjbhbnU2xswW+)*o;W(< zLzeFg&GkNja2nc6mzG*9__S;JX(CB~l=@J4tN@cv66^ML!gzfj50?u~vZet20s3@>SYs z!2{s~GruydasL;=$6kwb{mGX{Nwcr|ZC`$reZkz@i)~sn$^{yM*}LL(K3N>gpFCcx zs;M2z4|I6TRl(Yr)A0dij4%E$!Ev-rYi#F>fwlw2B5^5;ZH6$f3sz^k3J6C?2oPH>YU{D z)0o<+0SycJ{r}4r`CEf|E3UWOG z5frAUwE-FpVL)X|P8>qc*w5?*`>>9=%$r&gin4j{x2*PS)VSr=aR}6>_H(PW({_zU z>XwsyO>vx3jpf?!E&Wl%NmMSW8Qe9mi}pseQQ<2lTD7gSU&65I@5aBcuX$EYzq9KU z`V`nT`YjP`1=h`6&l@0tZU)_Lq566537l&^@6{Fw>0bVb6J>%hNtrKi;$N@3(|PE4 zbqK*jVUzFp$X+zGEOTHKu9A^OZHx}O2ClP>F1QB%MqHKpa;_J5E=kr(eh7w|^yd2V z=Q|v(e#!z0qf9THeCpCOlYJqR_Pl>)1508jjt8BjXf+T2#{N@Ip(nB^$HK;;f zx{->O`tBAD`VRsriIJ9ivWetX2%do}@2gOk_uaIj;X3n|4{6$OyPj_Z&BKb7|=-GN28|EFWI09V#tMec!{Rm@2_6&$A!olDLgBIluWb$`6pjNAXk@1$kcK*S5Qw zpvRIruoL~EL04*J*lC>Zch6>IYgn|{_iH0>M4JNcpUD`_>V4ntV+iPuCcOGRuc&PQ zblu+At*$z0f6&KHUY`1Qy_Y~gzbiuu5YYpH+^LXiqsqG5A$Un9?XA}j z7YnLwi=W1{O4P!LU6};jO7AKJiV%PIYHq)#C0=1*vG%o;L|S{RgR#y<28jbE(O-!3 zI&!`bwCj+m#!m`;g7qKHc!d$$BApeJC3^6A1t&dD;Cz=*lVz;2#Us(Lx@R+Z(GfhR z;$wW}d%NJ;#!`}K3yIFe6vW&44kJ9)G6J-RvHEd5I5w^eHhs(ui>)q}QgG=<>%2cT z_r&Tp!};Fl#$;0$qk>f*o4}<1@l~?c&HmFLC6yio?u9w^&xfSOPBO?Dbh~lXNh8C< z{7@lEw(^mfFhtjc`_~iC^1{0gr|S@=(Q@Y4-&vxEPBFp$eLe+Ok%YTt8WU9J0V}4{ z+e34Hlaj6b4@usUooJQDsnoGr7)p%|3t{7L<9;|9aYXdx^{>p>(SvW_vq-wY-14 zRa?Ke_+;~kl}C7+3J`@cPZT-@R=Zj_8ZrpYrlgw?-C_TCTn4?D z&u!#=ruQDJy#!F6(MQ_L)ttEoF^7tBU0WV`Cji=Dn-Gj729rJBzuk8xRkB|wHXFR0 z2(f>-WrvCyuiU80v$wAy^}S;}KgAs5>OeECJG>Qobr{;JO(A;nR$5kLOxkE@&amT# zrIePbDw3lasz@G{o1CbCVB;w49CYOuN$~}k=$QCy@j3RtMhT@Tz5Y`CtEKgcZ8GG1 zs^DA1N4Y`DE5-sNV-ABS%)9FV@vn9dsgw?;T1i!xO)G!tcjsK`oZYD6Pmxp;)u{j0 z>>3U+p7l)lPxSLy(rG|w@2|JLsRL{9+Omb{P57H4~rlOLUsb$zjZJ)_Th{;T<%qjHJ^KTq-}o#90faSJce&d0+<(INQRnS(8lCUbziZR{`LT2VjgC7(@M^>5 zWFdIqm&(4+Q)lO{(AzDZP=nWE?qL%tA=*QFT7<#NaFbXr;S0Pm79WZCU2ln_hQQ5c zUXlJw-MUUrHQ9a+vFrA3bL2+h$-^2!4d?>g=&&vA50kzx+fhQ3GqMh8R1b9AH3pFd=%Lr0{b{ppLzy9cqI@ zBbflo{Bv~lEZ@C24~=530l4!=-}|az-=ET}VXI!()I{@J;7vTNzwzIIKHsh`%(ilSjgcng1(b+GOr z?Aji8#=!xiB8bou!7bo5pG}BVCXRy~EN7(w(4t}J-sgf1lC_8b!}@W;_ZIqLM0{#O z@EX?TuzUL)vMJQs`V8_jOg4a=Jj)bpmC8G{{yscFgPiJQy+w2u`_G#CUSaw6NeK|4 z?vv_!y^=x{c#Vwe_yjKxtD+(vP)3FBSEhBis(ME3Jw<*Yn^f!RDbcdPz;r9#IFUsL zXKLwOGVsbEzyG`+Dla^n1!2!f<-KkU=%LFUVg1Wn` z7*hI`%R&ZFeZb>KB5CChE>yTsaG)8sAK{J-HNfmq@v*^9gZhRp&Xw(SSiiXKjIE3) zH=+PSb7wh^1D^sSX3>1A88D2qs1v0k;j`RPEK%fQ-{ZLa9VDly|LA(bE7R9zNuxMi zQHh}H2rN>$=-NZd%{8H^=yhRQZnD7!Oo8nAA8!}OSv!f9n{Vz%qwYfj5z&f*FEjh&8Ta9VoaJSZ z=yM3Me$+C{AHz=|`RfAx7JsMXn^CiAiI4Y$6j|;RO_G*#z58BQ0IS%hI-S zmzj7252aHW^Nh|W#YAEuU80@P4Uw;-4|s({D1yQ%1(aMJyddQ1-QJZ^!(% z=WuCeyI_n^8(r`@{3zjiq@PP5^glxXtoTJ<`l(+-=pHzx@#EWJlh2#Xb2BUbzF*`* z87`k2^H0p;D9I!#6W+AKHY3=PjIk5u~n97e0) z(SG2fZLEtM8i_+xu5UuvXYfZ!E-(LPmtTj)t?;=-WJR5(!4Y;(WEZ>3GV$~<ftWbJfPT2WL<}pW&L)e=+!_xrqK~F zZzLjG!X(V-cMSsBBh=v!nqbvDihYZq6AG4_c|3yI#MC|$d>s3|>K-78R_PrLm1lxk zhBGVF=hFeDrrPbz73${P>=Fn9MmAB}iEsoNoP(%(Z7F!jvO#{*S&aH6yGf+)c7S2r zrX}=h%CZzG?p+vD$Em3|PvOn0abL3ycSLofC~<>e3s;^?D)_r$?iErdscg{9KHKi4>Jo`!-N`5rYA5%puj zZXbo`5;>wP0VQP~q!%lWwQbN<%=mbl^ey0P$oK0)4&RqC-?CYTHryt9z*u^LLInW` z_Som4=M&cF&%8%I*YcZLVMi7@M`7h{E3TW+AawBR?bS$WwD)_8Qiq3e1aaXHk>$D2 zd|o7??A_lo)s-nS%0ixz9mRf?1t8*t!O!AUh-^H*%Y8a(4aW zV+a{~>4IpQ7=xWXma`X-3wV&cRfZc%O`?SKXDL;$>UzK#4$&t+q0_0kdT84~u(n@T47YXG|q=Z{Q7 zr7JDM9hTeMSm==wYb!h5rHkf64!Yr`mHsyWj}dX!Q7~s+VY-*$8wgd|PbG`b`x`8{ zOb@{r$~|z^VaR}F8kz8cfQy74cmMrJWxk~MY+_eEfqkDkRyQ|<&YNvzO_qf^pT>Lh zeea$Z&9b`3#bM7D8(D|8vJ~1nJv+zF(5qe#Hdxoput8zrqCO69c5g9b_x$wYT$%1q zF-dP1LinrA6-wngv~(<9`xD@GH_DTYc}Nc_GS)X<`d{=P-#4ySi#(ioTuL+wnvjUn z(44%Tzrk_o*TL^NoLs=cjd;L7ebkbG(_iO%5Hz}&dwKT;;J>;*?tP5jD4p*VY>kGg zkb8$woJ4W%C`Mu6q)f)*552j1mm(SGy0RLH-?W~8opX_{2&`bw;DMa@XvgIqtj+5h zOyR~ZEUV<+BVtBaIP#)n7P?-PF?<=E(Y31$)i?+W9vA>WG>SSIcOPTtGS~x#gkR__ zDwQr6V-t)qNbzeAEJ6jS7lyEu2OGcm^Pk10GWqB5DRZtc`QBX6t5Sa53=D_?qdaIU zO_40Ki-6>~f4h0D^4)bLIHVWrq4f1S9OHVceFxpyzg}leDK5U{d-)QMZl~t9RYSax z@-FuLWqUqXjib}8MFF4ceyzR4Vv!;x0tvDI`-Jz=knb}@5h}Z&!FV8V0&?NGUP;GT zyG-nPM+`aQ>ZCl`F;*0$@`9`zKsK{Fo{cx{e6Q!T9=pv1IR#k>Tyz8Vqx(E;C=cq{ zccXwlDKEiqMb}N8yONTC**|H@w!C`kaoUg#3nP53;Y$s{kgl;#dv3pffkuz2d)*c) z&GgakaH6Nfw(@Sj?!z1E4I*3r>U*TJuzZcRD{wEK=z1$8bK){D%W|2Oa$?n|=Xx2H z1NmiX%>=u3V(6L8gnMfyM0gsSDHgKO@7L3v7d^$wTHhCdx5b%BXgPflwCmNS@mc9y z@FAl7f`{e@lRfJ52j64M3yp>%_93~eCtRE5T4gY6`#Jo8eLXiD+{Rf@Koi2z!-SBPAp4oU)hDxovRgcw zCrHDO&e?s9%M~+v+#5LH;(OtV0RCZ@knPyKsKE&<{LH~BE#uv}j0}<*;Dywk9+*v+ z-F&779XcpLEU$fZHnJIwrcAfMA|W1Tx`6;0RCN%FW2^mF`45SqSv?O;_y};bLxcWZ zyHLlCsi~y4hHKT=WR;xXZyTQLVG)Bq&2OQ}5|Eqt^27GmUvAAx6V;I^k4QVODKD4a zo))j)ZtM0bqo0qn-Y#lF&iiB?33DJjwCx-mK0;p-ojY$6pDUUuxKykbG4=Q23ONj( zQ*VzA_KArGXX3B%I_+eLMX&ou@RXUgTH861Nku;IA$h z+y;D{ABBRW0|#aEKGgmmq9Ol7KJm=`ouPNUQ^c^;?(}ESxn%Qw5#SNbO-xa~Zm5yJ zQv%`N^ZG70JcQV3jtyp5eVtS>t>#ZqCa3!lrT73tbSY!q!O5IVPiamO`p_#{`@_#K zJ-0Kq;bL8T#-q|ecQ{?ot=V=sf%cs(-PMeO3F z`L=^lH3;}?HJdCo4e8rIIoXu_(7b@Q=B;E!wlulOB+g~>d6CrjdY!QpSBmqcQ`lJ( z^e|eK*_$ce9r}y)%xAyv2uGGobBdL!^)jK;Ii*SV zG&sYkBLC;$^+)7 z+z1JKr@+`Dytj98jVKh?Dx$=a7|C34#z+H7x$AGz-%u40r9{5?zzQXq(jDE0ljsp( zVOC*Faa}dozv)+}AnmkidY_HN!Mv0v6uu{Sz|ila`t5;{YlQf54KwTBx8Oc)2jV{f zb?B(mHyLT9*PVqc5R*Rx=gk_b2?)Lbq%j?GqpWw`aM2`*o}zGhOhG|ZDS(p?y|iO%1syVv-|%cD6mGvH09!v9d~DUe(X!pT8}y``%}D zMCm#03m@J-y}c-o&3E8F>aptv;4hcR1K(l_q!hzA z1U|2peTDK1J@4$0*;&aKriXJ)n#o+%BPh3hX72>#o&@4)q=}ZYvDAytgg#b16q@*J z4r>bkn6AFxlQ%JT=^!NMP@|I>p!3o1*sdc`qka;H!zr&YRWBCGYS}8FRx~j;g54j9 z+t$;~er0fcV(%c_#L*E`2vhCLe=E8AWqtWbU%J8eMRF3ZwOKL$qff^cMz|=UedGKQ z7z%SKvO0`S<8n1S7x0k~9)O{Y)=`vJOrmgz9J8nb$(s1gj$4PXY;J93hz8u-*9t2! zK$_ZKf!~_~#VC`Q=LZH->gw3udl2hyJ+e)K$b`;fF1F_&?h@Ot?!%P{Ghu5YhHX zx4Tovmy3`Wvs2ejMzr{O5xd_2^h9+qPNH|Fux0>hV{D#I9eY*$5yD`CF!o)MZuMpK zV8q(L41nyuziMn)bP#T((r@)5+kf=i<_;_LM`zhgwWf>{)Trd-)GxtWn(`-jaQ$%K zDe(0ji2W;Rh1Yog*N_JrbR`r#pSy94u)^-bH+H7xFieoe)V@VM$`5>rOiq1~NsX!$ z%v{_{GpDc9z`ILQ=?$&Lytyj%*@Dr-3aP!g5RtC0LT^^dgz0{)qvV)J9C(?Bp=&x` zX@LG}y+#tCVhW?7!iv~1{6ex%622Xg6cBX zfCz|Vvul5ZH&<~sVCAHoOBTDp^a2Rc+CLYlr`>9WCKANu*Z;=zjYpUq(SdMH&p*dM zM}!=KAn+9c*8ybLNTO{V{xZ1K)Y&4WmL|B>?NBhNl6{)$h9RSIC)ggGODN=2=rees zxrF4FJWf!kzdwPlIL6lWA9eUD3X4ouSY)Sxilw& z5JvpRkcdJIlub4_uKeZ^v^hQ00B%yv9Iyh7l{oa29toi|X5G3&q1B;wr1lXCVXagqIifdq$D!be^ zn7m;1_nZu@7uTS(C0FrbJs~Ur7WW!lU@BX}!Un=8QB0t^9X2kFxc)8w@39hebAfmY zAGDVV3;O{U@z)lZoMQmhJ`WN5TS507NIX6HbL2UE=q;Hzb{C@KQ|KOeb6(4@ng7_S zgD^;Z(ndG>{~~D9Pc}gkIxkXGP%5aQe{FtOR}Y`!Zd}wPrv&_gp0lsUZxcg@75VpQ z)>0sX6>ktFqY|P}McIt@7G}3a^!vJs05tj$72p#dc7>txq86|DX$M>m0s}%WG)s=z zJ935e+~3k0UIEtrLG<*(p^fO6n8k<|Tx6=gU5^~thTeqgfw-dA9^JsnZGR2IlJM>B z79yLo2{O>>IJL&z_>m}KDPh6pKFS1Ha&_OrK~gyVL(6d$yjH%RN`{*H!!i_v zF?2g@rP5HTg2_wRQzXIU%4UGdi)}^I--pKNAoN-W@QOLpufH~-Pl;c2vp&twhRzVj zpdrfTJvWa*6A^{4%fkXm_5Xj-QRZ&)2OHt!b9k1zTV->!xh zBT-znAbR^}0g$(aa~(xAcSbYeY8-LW#;^WdQWG$Y0KRZqM>%@(;u5VVR2rvk1uPfa zp;HYBU=sL$uOC+A8?KsaCE!)eRj|l+FvRU3G<0X2-vdL&O9e<D2n3t@%YY&0ZatAMzR6+-vF*X^uVel_`}9Gmh^i`_|G6R2Obbm9Pq!z&ipJG0DA;m z9wAo!B@QAyh8;#3ggPXLG?%*DfXOZq_qQBZn;)h~%rYK5`v*DDm!CHDQyJQUAXNfQ zdXTpGUm3fgT>7YYjc{+3VxL9ma{5byd>Qa6f1*EygsH30{7%9Ap!M5|5xMCv#2D^4 z^Xt^Um%}ez7>@VfEw|`7s=he*0T(Hp@6yw$JnR~XY>riUy_yYJ<-&Pd4>lK`sI%U3`+$dZ zHQOfi9KLEb6tJG;kHJvF!9TcQB_e{(;i-Y^Z84)5XUoMc4cImfCM2@E$_E!DoSqv` zPbH`GFAn1%x4h7hoEf}1Tg)=_wcnRqLcFSVWwFKy)v75T8;NaAJiOio==12xg=g{|py*PX2ldk0TEj zc_$ioJZbaCX({rX4w6Ca?*n+eLUt%JYzfDVx{v_1!k^v5CUk`@4UZl-ex5X z6at8=(ULflWbgjD$LmZK!UQj;Kw7>utqxK9vvk*O$=yw{%#oyagBM07UykErZ@zU` z@6B-Sgs`RdWi^9y$0ccXRL66HBYZYEknd9*8(W}#%g|6YeG$d$n{KD_Ps!EPXmhHE@C#l@t_C-`Ijc;+)aacB&oP`y!v z_DP72U(aD7fp)=fbkSNOt{=|Hk-W`A)JOv~RyC|1Rng8Z0v;6}sGdEimn{PNfePNV zXh_lXMZaY`y&Q-PwG^1mde4164h-)thGPq+*)&Q7&eO7fX%kdujw3;eDJxubtE}eH zeJ@s)fE;0?3sAsRB*my}&-Uf;&ggq@t~Qb^U2?2rRL#UZ^RQ_8(Z8-eRdtBh+7 z_==H9oa0+E(DT$L*r4u?1>i)))1Mna%)y)sa7dW~YVaM$pO_?;ZOg(?*0dj>W>3%N ztY8J-TcoKC^nE8`Q_}||Gt*DBQJ(3jgClY6_nBn{!DA!F5BOn|Uo0DDMp$^j;6(%y z)ghCaE|@a|$nf24)zPd4KIyKuju#TrP3r7$z6mdLl%V?*kT&4q+0rk$u9ubo`o!PM zdkPEk@N8ax>F=;ea9Ca~9YGYvV7hi#t6th5F_e6ds*tY3a>N z90|Z4h@ueWVlD??%&zu+BatD&LGp*z`3c{3ufXhwTRAm_e*t#epL_^@Xi>TgZKeFo zl0y6K?CiX^N$o|m3~wp6no6mO*q%iwIEmXn_fP&nE>D6)O4C*IIVm^SXHJP}Y*2D! zt0xz8%Q&%uHgVOt;AM#v=V;UX`f_U08c(fvkI|+A(8RJVdRJX_k638kz4+lsZ1VKBz2W}GjAVUgis$d&rRR;r zQl687O#ewBrRek+cQqx@#Ldd$?Q%p|Nx!O!j@J2yRwH-4{f4Tw;#;vOvoZeDnR5a_ zP2b$ME>b*#braLkRn%fe>~|*4N!x9=r+A{#$Fj_(ySH_%pMzUb6J$_f8>DZw3=#XNoL#45so$^AA$( z8jRyUHf!YI(cL>!lYxEQLXfc3G0=ww|9JaKMj4Zd<~aZQ%l zmAn?Pf?FJaMSHH}%(!MFRivP2)!{omwOkoaQ*l=taC6l6=z7I{ctp&4#4$z;)5QIU z^@lTmyYU#xdrAD;)Cqncyt)2X4l8Xfmsh>jzf0iqk5ZwLbDXZ8ULA{P`E;}epZMUa z26ekIt|0!7_vHrZ=$7AjZ1(*f$B2*GMyY(PRirv+_q_IUoI!Ru9ow4n+l>tgct?Dk z6(1ubCp%xxCJVmvBoTtA;n}XfLK?;B7gv6>>d-|Wh}ZU?$m2$g$TTC?&i-dOi84mFPQnBYZ}}qe*$;76;^otFtuu% zJiaAf^Q2}SD(5QY)j^oIVs_?fPa3bMrusl=>3J2V@-i9ur#uS)uh}o!zkt*bGC+Wl zFGT{N$%h`EdKZ{I_!1kI;I5q!yW8CVZq*va8*cYUPCM-;xGT%rb{QQcJs}_TdvLPh z(FPq9TDppOAcAY^m)A1ny4l8MMGgRqQJoT9DucEM2BD+E0#oXAicVouc4dxz zen4pgK&?`TlqBuo*!cOm1yD#d9}UfsL1D5xo_Ec(w9(4+A73r|NWaA1*c@^kMAW)RZxB%IhQJUskG%$={LQl zSGozxYb!k8T${@|%_cS$;_fRQxK~3I=5JA=1_nN;GtozI9D+8Cy!TsLT_R;_^4a;g zdMH}NzZnf<7|%4iptK6CjmAHugsbCXjuF4gjyNc!+osp@Jo3Pk@0iOQTkiWQRh7^U z4=TvQ`Ze8UR_e$59ysYq7)lx{$XGkx7yM+die?&>u4I^i1A%+m?+^NFkaRp`R$5Dq zf^~6Q#QEuS>8h79yaTss0%>M3nbVQ@R{DO9Gs^1)32XUyNGQRBxYN(P2UyS|6Vtb2IUVKEm@iZ-L#~TMA_tD40r-Y1`k*heVS07th@c}KPelVOz-xP} zMm_Y4HI{EkM!tFBZ%rEoFxDvwJo7gpj^yR1q`p%WrPTOblQW71M=79@pl*9Lb>=sg zN^@mVGT7yl_KKkXECik26eL<(GDgp`_v1GJ+*@chPF=7FY?d^m*~qn(G5j;NGsO$J zHZKCZ#co(wTX{XK54(E8J_(P``JG!*;@(9_^^%^{_{=>@ByI19hjYZ05_dzHmXG9f zAkcgH{d^r@yTPE4h@3|$P-o(V^ki{DkFg3vK>+%e@nSeiMzpm7LCd}|M1CRe?P3$HN;X|0MIgetoj1b9@ zTjX9mBX$^ymf2W$FP;`A?aPL;TfWYxB*o;<1_?E!@gbCR?#GW!uCRXNJS-h{bT>5J zv6S3-HMsiqt$`0MtArFkwYoQLP95hmuo~=pGg^>%N$depWJxy402IV#VkWGft$v&ow`l#-*iK|pN5F!FPcUs>`>qEmkgbkPnip31O+Xw z-P(T9vjXOmLP$|b<1$f^ZN+)qP)dDyP{fKjWPIJO#4+1dwpQSEnpvJpI}sAtu##M5EM=CkEHhN&5CoK5be>1DSP zPotSat{<4O#sPwON`NVEg0*HLo~Ocd3PEyKT(+}){si@9C{%Vt9^`k4VL9DLlDHc? zHKrvobb9OEeoBe`NBG|DGWLCj66Gn3s1$&|FHSbpn4GZJQG8F}acyuCz)fWjZ;4fi z(mZ9_%y{Z!b{Y&g`30Y872Vo$tAF)~jAz{L?RySps^7@?bvCdPKw|u8j0mX$djx#KZY!buxtXo>D7b>k*8#_N|%{yo5cTknkz z^c^xk{jf97*>F$Y`vG1GC?2$GaqZa(X=JvwIzB!lg^SVk8s5Wh?^{BIilXF0oB7Bz z^7sH_$t^mrZzCTTt)-oaWjkkU&_qW|X+L$uZCBgqVc(VKTIJ;FH88;eEo?cz@wjvc zE*)`MX{gULGao)e9xFqjmGi{t-CwHrfom`RChZwA(NRfqy&XZ5Nw zhD6p;0BnH1IX1&f(EuVH?ZcwH5>pH9858tabHOnNNQz84s?c2+|OE10WcEUv9tq%2thQoV1h>P9_ zZA01KM;&SsEhXJUEB^SmAJTgILYhF?w&tUIh>(?pgv4y+L08h&f2U@wLrR*ct)8f| zzVv+8FV;dfL^^YuOn5>X{fGca*qbpsCw+43W~bP}&N~ zx!t!vlw4HFkTXb~o;T&lup`vB;iJD6@t)E8PqSI~?Kk5w<7!p$;dK*axw!t^1Mj%fE9#ZYj@cU^yXz|4Hlh@ttdCfY=n^i`A8o&ab6hGcuw} z^?j_@CWg;bzgV^7<##D#WS*p|XQ~`+bEwQKY24r0{CQLE7O4&e>cctQS8S-CyT^$y z;Ltr}rjrf7S^cKvQfzBf?b>ExZFpFFGM?z~zh)0Qup+3|S)C;e4`-OFnyIf796!CP z=e$v?VEm|`KIzmFvJFVT)uq204UO3*(x%h9B#Ga7qQGvo99>4GYq}Ppv-*ay#u&&@)Skb84gZ9s ztbCkFD|T_6jdMx}2_%o_SsNCITQx>Xkep6bM{U+OKuv%(J^Ecu>qEtq?XU<1k>Z#9 zbIE*};Gp??6#5TXGqE3cKvK$>V{ZdsTUg`znuuzPJz#3_kJ|&p`{(sV7K6LU_l|hu zp1#*@f!iBhAuk>h2_J@scb@NC03*1R0Sx`uWYqS(Y!W zd+PgD42I3VXJsx$iXa7EVXo*JFal5T#Gd<$?7Qc7-v$!igFOu#yb+<5V+BPsCte2T zD231>p{GGT-GD2Uox4BB*Th2egKrwkQz)Po0_oG$z!#G$TXTL&YW)h;72kQ~I_V;H z`r0W>;KD0;N!MBnKhp{*^?wRpqzAyG15e&`smbSlz*NP)ipt!~O^?rai_^e~A5?$;{(Aw9Ndb-d%&?j) zGLyZek8I%oF(|ZrKP32yOC~??rsF6JCyG3?(Xhy^FQa@ zd%nBYEZ1TNXJ)^=d++D@)s}8Dw)#Ol$jEJUB+8eq_{bWv2)O( zWG18c5NpeIuD>_~p9m)X{qX`tBKvK}NagP~rm8C?8nR)Ni4%PRJuP90DF`GaL^ar2 zRsq3DNXxHp1LF?b{v3>uST~QjP$8&Fp@R!1>z;99YfX`gdN@BOIH+P@I<9Z+;^tdv zxE@;x5sh8jDQcsUXr~wrv#rLjtEa9nuRFkd+AvUpFG@s%dN-A(3EhcYo^(wbpjW5>{%D={pWTrMbgK~JG@m3 zQ=2`c)Iu`qDq0$8n>-x<8pk>M_w|YP_DO=TPw{T!=9|6lJoXJ@;>y71*?`2&8Gv9| zF6&Y)zA#5e@a3G$cBpF-$cl1}Pp@lQLbY%{JP9?4#W>)wS9U}YR8@#gdkln~GFO+g zDyc5cq-_JOkY6Vo_5EkPVqrkOf{S+VBKl92$79_yoh?-maYk25Ogv*AZZW!Rc=WMX z`pde=CU8u!n_XMfH@rdhIL5I7My zx3$JKzo9j`!u6Pm zI`$NmjPL8#36eeecI1f}zQaGe9SHAlUs%iX4x1yF9SIM^Ftx`E=JWLpRCx*5BnqkM@RWu z7iS0Y;~*t@EYcgNpdj7rXnyn8(Fiv%NpZeCg34h47+Z^~1{gwJ2vp8$`%P|hh831T z16T9k0$SiEOgg0F)+Cc2`#$d zO^{-o0?Z}oFQT{fhiXCB`6>mWzgzp~KA?PBH1f`_E|}9DKJHB!vD&+iR>zNndYRZ7 zBNfB~kJE+eokCM9ktkI^0#AYeyOH213oXtAV20yFXNfsN|9G zm$ma=f4cn@gV;d2Q4R(!J(EK32UY>|aLxGd2iB8?}-Yo*I7j#x@U!_HCL%&p(AMqb4N439TT<2 zcsQwV5>cFjIX%G`QLse4YNFHackjXcgv4!?>gulr(eSD12)>dzk!N`Y3`W1=Tu9S(5#4rdliF7F zF=y9KotsQ0lj%!IH|ERq>-b|6Kcpoj<&TnD2g?qAu!!wT7~l5^Nq#XGZQ|PQ?6~z3 zg5YWSBKb|t+`$AE6aPBD$#Ct0-0DYCwP?OE_k&mP?XRtaqN><2pteo14V%Z+>nTli zzgz2mm(7SiQ7>f3hvOZ|JkOQjGP8StC!)%gMDHMsGLln{JBmF#Bv&yY4E7PQ9jnkK)hYe2)=`{Uhzk_4@D8Lj&JFhHRZE zH=9_cia5z`ofmY%b^6tOQT>(%26tw}Tq4-CRj-z>vw5t}#cke0Tu(DD&|iYy%ZiBA z?q?6?%Escs$w@^b01Eu77Xcia6VbdFC zkx;iTYMx3vr(a@Q7iBH(dU#9i2bV$7gt$DK+R!`m&%bT^8fW^$;j}InB>KHRcpxHv zakX6M_nL`_MnG@KZo1b0;Tomx3%*SyvQ6qknP(Q2;wk*42x$ zzh6-_S3RRWtzK%sWA;~djUncdus$~xa95O7=3|F6Hs9&~2Kk-nY@LVebi)%YvhgWu z@hON9rYf^l*@3LJ>ix>z9cuGlnMXZGJs=p#nxm( zyvJZz(wsZ8=I2hD6r<2UBReL&I#E-dNI}Gj#Rn_>roN38R#ctgH(@V?vaIX+_jG(| zwJQ}MmZz>`<>m8W6~G8SwHZZQnziZOISueI55#4TEX9hvdiqVQ5=zg-cGx^jp!v|Y zHs7q_gj zSy%`VPU%uvs?R=*>W9_Y9obt%(5*c%7p}FRs6NwiP0@4H+wDjujpT;~vVhlew}_-e zRA^F+7%(Tqs|c7!emg2OKOMb%249NiHZXQm9idCh|1Oa!b-&O=MRqDbjYkW4P|rda zO3=1rBku9TEUqOrmGsIm*2x$WnNjsQo3cjXkG|2r-xRR(s?85bA`-gbnP0aOIzR`hHj1AzdPd z=;wBx1)jf3Nz80LIH|V146X^GGZg78zK?1sX!;`Bs8ocGP#1!nZ+1EqG$CF`l};@! z#>i52b#g=iFjjD9LGcz6U&;!6Zuzs(Swb65kQRPXMtPJ%z0c60ZEkwB7Ig-IVTTW# z?=St^6E4u??D=+PIcO8nEsXa*I-49B@dpquqMM9zETnc5ucp|ZBc>FYp^>v@f9_b2 z@y;lAA!TW^KI$X}6}!2r>J30Qk~m%&CW;3zO;(*BkAPGuP6kGLEVjHR)LK~pT*^}E zLmch4P7WVsVq{a3w5;kmBPIBS8sA_0qA7L_Pe&6EqT3;u(Y=OQ+n(|BtL9$3FatY4 z*HJ;U%K|}}8<~eQ7?-PKNwJG)=dg1z`K;+BKqve%Y(`PZf>s%nBb3X|TI(VkD*>3~ zVJR`eNL{Q!gEO$EFJqNL!(YM1ZPQ$??9eihN9 z?zXR3IyuI44Q~^9xcnqqG>wlhKf6Jp4zDRIzLNe3V?bR~ZTA++b8Mr);L)&b*sy24o+nBzWIv#8T;Dn|`YaGv zM#+sC-?A-IPIqgM{ae@?UIR&1Y;M7?ai5=b6c)Z~mh~LYexNOtW6o>aiB)^~Be5M# zQN&$wlu?huUzo)ANZ-xGqL5hel!@^45w8w>Q%tOyurISWA`_}EpmED4>13|D6WMI- zZeO0Tb~yq_-1?@LLXQ{XL+uI29R#+UUaFEXlZj>I|N)yDBFp28hGYzG%N z0LdV$=-G=IT}m9`2GZ@y!fbkwy*u;04O6oJ2+L0|hxW_>btZQGnt z9F82Biu?XDiQI$lDy{Z(v_Zruk=}4ZbxIM^x|`z*it)^ed{g`Pnoca%fu11$KqKL9 z>nd!gl02`kqNLC;QByoFc4MEz{w5}+i!C;o&NxnKvqvvvCZEH$o*GP+O7V+m)EFnlN0Qh0Zv1XG}*z!&~+3L%a(|w~^#GKX-bD#Mxcy1~x52rM{tQ zhiVyP|EQn*2tF#4p2k`MfS0Kk!KKb4P~ZD@PXW+1RdadkswU=c{4`u!E2b~*3fhI& z79YlqBB<$KdY#8IwpWRlW#-$-6Mk*gimK#>FKt za_hC|bhX|Vt}gh~BsWhZLMYyEn2h(5C7ms}8Sq?m` zu%n@>ASj3a6yRjHW%c+#^ab4v>K8hN3_}Oc(mPkYdlNBH`;G!aB#7mP>*p3X>qNFv z(hhx_nO`N2!GW2cYoZc5Eh@#`G|~lXsd6@%$|P}4YKxV>u4@Ged0dW6KT3)-P{bfO zCI4zNTE0Kg2UjvBt-XlnTDd``$oAVp*X2Yx_aJiC0G0R(T%5x9I@z&5U96~)k`UxH zUF>}vj^-9c5*=OZSzL>BBj?{NwL~NuG;w|6ak?7p3*=FK^VAl6Lf8UhFGO!nlV@!X z5C!gB)wBy|%x!+AV-v^&Qzw}k_l&pSBxi3!dpG%8~6D<&GXi zDLwRWgCC9M3ot&`lxCBoK~^bqCGuv!>=zV&i^&@y%c;ci$=v>W;CJmTG-7^Tp$@EZ zY-C*B$)RO4of$dv?I^l@baSW?|LEvtmt&`9Ks7I=P6+v3$@(yfJHBFD6pbKuQXQ@b z4^hB@zd0jml)`_`WJ)ce--K-N#6XjuIH(2@q`u%9zkfGREU4kNr z^9gOjQUnz-<;s1Wk)!D@pmn(umewvFz^ysNSxLQriwbRCs+3df-2Zpuq!&||IUFr| za|>>T}alj0Js)M%HLeX?*$4|&uBG>bJGS}bhkR(HpK zrB7pjc6UL0TN&dh?pTCWHJtZN=m-t zj&ljDb~!VGeq$I--9;5Ih-cSE6b0t8$=E9;{#FHaunox)uVEnF8z)WJtq7j&Qt5Hy z!J>C#`n{M%<)1%nz0SUOpiK+kU?ouMzPCr`{T92%N)W{$zsyJqshKPK+WT?|skyl8 zAckVyYry!ofe#rwyf}fNO5m~orw*BrWRhhE2r=a2+ah`T%tQDS3g6$9XnYqtqw4PZ^-1oHt>0xvR-gPY!y9p{JdWr>OOl2HY1Gm@ za&x$(a-Fi`AN6!@lU&!yd!|CV2Z*k)Zlv-^?{ED(lZYyDlz^2TQaODSnJXBZ#S1sg z*kR?>?72#a+1SjR5e;9G@W)d0w?0Cie9zya$`{lh+lJAltkix}y^Izo{>--lEd&Qz zMpRkp7noQAcMoz8spv0w1I(}8s7VnZ=;CZBT{Nsl2Y###g09?ugWnNnb)=F&1VJ0_ zQPe#Yv*z;UuLI$>KkE6yGAsX3r-OI+@BSOwwr5j49Q11@q8hh{RnY!4@+|{gN@g30 zU1Yw+$Y>y@I(87MSQvC`1z#RP2TL|Jsh71FEGqz;_zoJ|N2N;cKeCwvfTvjnk$&;Mbma9S+`bT*y{}f8xAR%T>JUH@Q`n$1}sqV1<)Y>4XnZ-BGQCmEoh8M zSL7d8B$a)wRrU%RUj^-?Uy~rIZAnq>JCi9@AgM3as2g(Nt^)MMD z{cbGxRzD)X!en>`0Yz@65lcxI5a%xdSCOX?$Rsn&4axTc@A^vg*1TUB$kB;^0Mp4I zhqjhvLYqe$Ixd$|>w9T}*I2kK|CZNUNActMym(;!OA+sLZ7yoUl6}S`IEz&F$e(Y4 z8u=0}v4%f)!kkw(RTQi={FSJBg#gjD+m2=23he}9~!M$XeaSF6)*31yvGAnOIToV>p0R2Nux_F;itiV!dk zeQO==-;Tk?NS0(XSbFU%^7eA-`C0+DRc?le=_skL(&^Q7=3~_xj*Cu{+T3sAAGk`>H#~lN-Sx-U(oX7jcvKk)Fv)#e9 zC`DKZF3;5X1Pe&HaxU03FFh)5%IlB-ikt=5p{2$Q%uZMlYRUP(IQo@io@|Ag)?Cdv z^LE$fmVb6XK0ef|oBwgh+7w-D&v(OKLMmH?+U$K+t^gxnDD8pYR}|*8!8v4|=z-UA`_4w)6u7GPLoh4H>n zp7vS5Wq0-n&GoOi{07d1wYhN>N3yOS>Ih09wuQSe`d?=8&cl)YqO$Vtc z7QHjk7IHkfI0m$eK)}|(wV0E`mUCmo%50c;TK0(R71=l**(mQ`*LUD{l$H4BXAeL& zLMbG!3)I&ex^n!a6LW7;ag%?~?ndSVpaYqD@*S|z?k)MG`TGb{8iIjBUODSpp z@_P-_?Z(k@A-L#`JSB9!fSPbzr4c^@h??bpV zG-9^gS^^l)^NX+sTp&B(V%Ju0Dj46mRAZZ?qthS5Vaf?+sB*@@*L5AAl%3l9T?eSW z^4C#ho@4$vt{Ruqj}#;o&AL{dzEQo&X)Bkk@K0Gj`7CDl&`6D7F%ca2f!#s~ein&7#a@6QOhD|;Jb(bD z;&QquzS3E@%fr4>6FGpJ-)s01yP2n#-R^MyM)iX<1W>K)N^|a4^+MKIXJF|N z_iY4hEl@)>&DR@?t(2c86B_J>r6O|F)sCr-*fn5ZVLEhk=!ITE=4e?&@C! z09ObE!ucNEkcmTf%TolrWq>>YCE3~lND>LGU07s@Q(-Qp)~q9a@@{*t;eNCYI0vBP zad$i)jmbSc^#Wwg#P~>y&X{b&SkvC}O?_-CRZ*WZ(AHQ|bCEGK3*+4+0|p#0&R?q9 zOEfj+IT+oKb7}`A6cG!jR^x0 z<-YT=dE9Qts1U2svl9Y91yGy;b;i80!vUMM)x+s32z=a;paO7WiH7W_k4g|)Bb)1Q zvB>4%`0|kTYp}eiHoS89$a>Y@Gywtxfl{owLiqD9Jly7pR9u7Mf}`WIpUKEs z(R~_oZkgq@ge(kV@4EeYl;)b9?CQkHmTcCw0Y+$LUbx=i-?pIzEd_YKO?E3FiW=Q@ zG~Ba}n`?OT5ezGySTR1tt#w!f8(_oM@ylYBgd{Da9b7~6qZW@b+2`MC$MBXO5TSD< z=!%i-6n)bHV9v9ugZm>cuugwb{=nb_l|{A-7D)iq+PgG1yh$CBlme;ES`vmq;G(!H z^WEmg=v7fIfLA>3Q;oxrd&c75TKZ&>sc^P^hEzJfl9tOD^GG+;(wE+6RyybyJk3$I zuKV>UtMrgFxY{dOIybk-7?F&kTFx2;0h2LXn8KE$DNecugGQXC z(@CQTtRBeQ*OZANjADQ+|87u@CH6_?nZdT8!%)b6d--KN)l9Rlz(=pg z7p>T6=7c!7+?m~9zp1V8wL5K zrBT($IOeGqPAXTh$^u?6L?$UoYoss+yeH7M@K6{zj;GPeMkX0E?||{4t%W3zoxqoM zW;@DRYa@Cj5YU`Y`wZ+|D9{W}<;OT-#WqSxOrywAZZ;^!fQ;03)+m|M5B~)6`e~i3 z#Pp;GGCRKLeLWhdwBDm9DP!Jyyp1j*>N50I(U@P+*h{!rttxvM)c_Gk=~H>s`Tvn8 z-G;Kg!!X#bB7c0l{=`^2W>+;1L@?mpXc%oDcMjSfpkSlCeysz^LWN9RT0*;ne5FJ9 z&Y`H8TT)?Ph_jS-vXydzkC(SzT_}ZkDERqTnX?t2fC&wR@&77~TF=+WXTO@7?y1(1 z^3V+$j+-!-P-5T;=XpS#mEl6ITDzE`SgfmDlI6h4-8nqMfSWsni&cYw zHK-p21RlLhJJ(m7kN`Skb?Ube%F^z;?e>kOCihQFJ&pQCKN0p$2)ez5Pd6is>8{>> zIY$iH(EpZ9J=A(E_%!UOm!DeniK5QK@cxShUSQ}508qz_qjjRH!CDUbeXqm*F6%n1 zK;WX7F#`X3gTEk=h34uVj-&y3^z85~&igEj-E9xsJA_7i795?{)87247d$wX{NMPT zVVWj)E=4sA{W5fPyn4>8==@3^e-1+*|F?odOOGiN=_B0Zrlf|`6K0<^qf{C0)>#?Q zrLtB$1z2N60i1c@{f{9rl;+ojYm@!s*AcKe&uRy2mydnFaFze? z__?f*5CI1X0OKj7az1E_18G z?UMnh4(`^PDcYMRv4PUa9=%w31|b<-EyAH*?w#=+1uuSlI<{93Q@N-$!pXJQ05t}@TtXwj%K97A zC)(Z{?gTyY^_;;sPU3vnpTn~O4>ECyHq1-CEh$~A~ z_8_nZDixqutD8>+ec(zNnM5)?|JgB138lJ{!u%vd<=ybj*2lT*2~s8M-uI|ePJr|Y zOEIaORp-VtVBQ7V-^FI2oJMrJz>5S<5X}WUf(}%ZK$e2C_;>RNMZU`h1)8_~%y3O! zkwXOlyKBgI4dluc92}`Yx=|L>d$|KSzCDc6GRfk)^C{Q_Ei2w^Jy6x1-A-$^l!xOj znmf>nuj;TVN8fs}hmx<);{y4^1Ea@XN`Kv~eH33Cjxgw8o)w}>If1TO5sgjVn8E>Q zGr0IVyjil(RxRts$UbTXL0}+2z+uHT*YJx1-od8qPjo?KU)F08TIPQYt)l6(N#|?0 zPQ3pOXbH<_p zHc=w*P@SdGu-HqjVLpLAe&HdDJSX{SX4I;i2mvab_ z!C`h`bFN=t1?OtwLPAJGfOft)_n6{0Tm``Bi7Wg5EStV;;)lkCj z=*m6WRqkAj05OIUVE>1p2iFw>2(tydW3}~K=$3c9Jal?nZ`t*1F5iTZbR-?Kixb2# z0NDO!wn+z#IWc#fe52ojhECY*s+Dx9v7m{@bo$$>WE?gJOmoJENFifiB~Dy#@1^HceZ~{APqWoa{ZgFQLc{=NJ>or zwn|hkbPWb#&U>_9E2t=va7Cd6B?*6piV{#kx<`m69Cm0xP+bO-T;_P8>KX^YmHZk{Z<`z~-+%aA(s+I-lbDOBaxqzj zF>=}HY_uZsxx|o(JZS*~3!DhQZf|gvaaP_Mya|wIu|-^Y@jCH>b1%VP7DA2%qZu9Ggd!__|z9W6lmZeBtm_r>-do*Y&?$;?~tR641;Zm~c9WWHo+T z10LVLA#sh0N@NH*0t4_tNk|9$*>mLJ&VzghnrdKZ>(dMA+Ux6+L})md5U&8l?%yFH zUy*NC8nYR4RquD%pY3hy+)n7$%1(Tp6i0Yd`55|HVKg$Jd5{A{bSLa*1#vbhIY2TK zcVR5uAKC?TbJ~mH$AP9E2%?24#qoTBqM{6buJ7o>L_WH7jlo`GuOS+7&z!{nAz^8w zMnD?{^dy=~vwLSV zDil3aQi_&|p|Al`AwW0re<~#sBFX!aDITY<{$JFkl+2D(V4QSS3U=Yu&GdQ*tFQRS z;(sC^nTn5IK`?R`;A}%cXa7%V#ny79=u+rcDly&$6yyN_^G1N&6`$K?n>Rwgn<>21 z@ctF$Rb@ibWu;MCQ(*D}68kQ1X*#8WOQTM*^XZp!MoHVDZK;YZ1k&WKBQnU$Y4wFk z@SBa5Pq)EW`JR>2{1|HlySgd%|1aq4#UB)UG<|m)xVC@DLdv_(J^-ODn!O6J&}7(} zt`lxjRM&_I^Io^F3kCI0USF0hIZ+y|53+wBVJ&UH{qgm;$*na4|FpR^Idc7Tos3t1 z4-z3z5Qvx{pM2jzlX`#NraeeRQ2Tf!8QDQ(K|>v`L>4FHGGOV_NbjeG$$pD@OovFU z6aTyD3u{DQLP9u2PsX+mTkJ+I9_>%>;Vx^+K5~pxqu65+`66@%w$M6ke5@`HM99{p zYXXR6I_9t)eU51qH5BfARDWN{@{UX%VY06mgI?<$#eUQpoRAzSUEKsTbiIsG!oH$! z*t=keE5}=l?62-Pq@=g5U6P}hM_?1 zxAF#AK>0A+zg$_ssTkITZY+N%QCrb50GUZuhxINkoXakwWABW(GXZ!vI=K0eb@A!g zwba#;na&c(pXs-${NX?q2BBf-7pHWd&;955AQRpAfr==#(V9DUC9NZ(@l)!Vf?x8G>Y@N}S~-gIaqXP<()%=+E{m zDE^x{en5iwx0|$21ry>@1%>p(9$STd>Q*4_7bEKz1A%SGx_n?4Qy#uT0W0(-1IWSx z5m_K18aXI4=)IoL1lNfP*8PPPf1@}VT>oVq+!Q=22z(-C!a1}-!OnodT@BVk{ZHB> zK_w1oc`8QC1&zf%)gQfL0TD(|&2*qRMUMQ|jS@>p*`=PugD3f{-OTII;sjAfy!C90YML$4>$<9Vn7Ae8>>UGVAL3^|vs!t70@) z$}Jrz2xg)zh5iAv|9`@6<_*!p0=)8+E*9W^A?>~fIUs_8RNyMEjQD`h{K;Oj%nr4> z{R*Ggw@ce=_Fpv@l=sY?Ir7NNB9M(y12!o0yM}yF$5PEtryo;YGir-_;pRSntlKw1 zC;;vy?Y{@ws-_f#RJ?>T{{97mgJ(Vg87#rgOZbuZkoUQfaAV>Dvk14)aKTJIyWG5- zXK~$|$2CZ)U)oime^f*tgAF_dWwRa|tH- z%*iTPuz04GWVLqm1NyRMJ?J=bTBb!YKjLkjUz@MCo?UZduKhbWD&huZ1KEVd=UO29 z$j|465At#hH1D4fHx{_S}_SxNo#-)xfJg5ol0!e}Y9>@Q|&RXw<>m z$50F!t3-}|GgIITpp)x( zr#lSWdQS43)y`ZL6lm%i14Z8gAh2d%z^)3)El9Eww=rR|HJe3x7CUse-TqmzH5xB8 zvc<*D3CX1G{3jf+hVD&XlD=UKKlhwc7_iuzhJ55e=G(lyc*1sNSq8k|zf$w)89-bX z2=!h7ydWxeV0_F`XC;%I`E$T=r-Kf+A&a@Qr_Pi}o(hMvQQ}~aD0P2dx2V|io%2Qc z=-^_8-{#7x2|;wWZ?@ffAXgm$Gf(sTJAh> zlxW<~7wx8o8}mG_-3ldSL)HLI}F2n)OtME@CMX)1<|KSCb4EJO)ntS zQ#H+xiz4<7az!#cwnMkQqnu(qZ^9tnCrHm6bX^LYdvi~^f|A1eU}4PMo{P!R&Jbra z{PP7m%o|95$BUl&N&DaxeufG>YT?2sAF#eb3T{dGn`X9|Z$3n9Q@QaBx?EQt4HT0d=+oJo2}0s5fzaW?}&g zWjQJ+*xGrdpqa$Kj7hF-H#zc@~Q| zK-+eZ6dU(W_vFcSBPHBc<)X=5KZ zZ4}ybqeMHj>}uJlXn<_e@P1{8!-ih&qsMYdN$QWdrP-*Tk@1n}Ppc*kEG5eIrZOWL zYg4x+BitDA9XOI=ya z)q@ZOZ91`zX9FBhcg#w!(;A%p zBdN+N76gp=6oZJR8;KYOA`|rM@bfB>p>Zh_G+x@Qx8K~=6g#ao!Q4k~UZ$Ri?Fn3& zr<3)nC2DFU1H)nVg#DHJ1VvnIVRX>n`4F8v8Y!unwKd66|F+)lXZqgSB%z!Q@Eg)! z!Z_?QZhj2(ovU1|FxUY{_N$cKLIM^lvUiYQ_ESGAE}CF;tmtk>z0QARoG|qTfttIZ zoRneF6ykY1sR2;;eAY8H^(4h&@_uP|aG&i8-2g$i0=ho>X13b@$A=wTg#UMjgd;xk zi%oVmx6S`O2IM<5o;o;!0_=Ow8;fxO4mcyBaKTd<9H`V4q7TF)ECUYStshX9Ys;W` zQiK=gc>2RLiS=$;ZdayW4s~bc(cp2p)md0FG7OZP2`E@;ylS~$ud8qSOauDRb%Q(w z8Y*S^L|BMLqlaOyzQ<+Y!9BCZAv-6X(cO8}T+*D2hU;3}ko*3k(h^te@VOGtS@)Iu z?W*6dP~UqDx2qNnOsu5+518hr2O4#?wX`e`SEX*pJD;mxX9V#yU1aoaI2{(al-&B` z@~Ga8jMzL~PlVsO?mIl~`GULMa=X1FxB3vwcJH~#Xbioxqz~M7JJUOT4+2?O1+fZ! z;=Y^rWW_3q^;gF;i;pY!`;}aw0#NNXI=WZ(KbOrP6hv`cC>psdq#KK z<#>E$Z3{!ZqZ+ACiKaAwZkOekO25VM_+*YE#ejaB>Dzzp#`BDS^p%zZrncs4%jNTA zKCr32<>hi(+69KIhb|f(>nns%70@W&$V==4iRxm;iT7s{IZAzQdf*PZmsT?mZ`*-_ z_>Z*>GeRUKXTsA=)Kp>ttTP6}rREnso^o?Q_3N%{yP!#`8X05U{=7SjR(PyC@BY07Yob!2Mu&ns2sPKH{7jZ#YNQPRgY)k z?lm?~JtHS%`1MxT<2gJnXCsLl8=6n^It5}UPiGA^*Va^@jg397dJoJ0?w7jWuINh4 z(`dTZHht!tQ{->>r8%XP><>lLOD2PaR z>+tlE#*Dg5@|o|K{oy^vr>iapQ~S?P@0+eWK{nGl4bR6sYsIBzdr+$a}#%-H2;74b~7 z3FveUscAH1MtU42OsxEq@mJ^M*whRf*|A7%EI**{R%`erniFl1L!3?AVSf=CA~oHp zp?R_D8mf{Ir`6M!TrdgJ!K9^~GgWd7jgLw-WYeb#*9QE0|AxetKtT*m_vYl)^~X(6 z*FySwzyA60=`53%628Ae2t$m`N(v1%lLkU9NsN*kgIt9)nS}KJ)nUHF{N<}vMA{n9 zF;1u+Riuf?xfO71cwteu0%U(*&Y{9}%CS`OyZ8Q~g{PVOH9V}^VRX^3 znV55vN=?VNss3Gg+B%4LVdL?L^*ImglI@&2Z4t36{$BVG64)5m9#zPw>!3Ep%eq-TPmrW?ZJ? zhl>Ac(d|mK{f8|mRw3I*D~0yzcl-G*KIQ1u`*FB{Mh1N_#V0xbJ0aSe8WR-#KV9BX z*Ciea^EQB!Gx^MaANlcILcL}Y63USc@9n~)7%h^xnd>-SET;VuQ2Xa6bBIuGJ(R+wB(TWgyf#n4k3@5QJGD&SuFV6g@WDZaY9<5G%D3i%1uOJ~OQBff zlAysre(7YMdgN!>)UDL!yF%8Kmt_a_#HN1hw6(PwryKM2opp`F62+4WSN^^jkyY{j76f*fwrrF6x@jEv$$y zv0LVlmZ~_01~Ez2<9*EL&$6EO>v#+I75EfkBnX;Zb>w}&9R)eA^py+V$EO8~28q`d z*9tbGju=@G3}Pp*3t zO$#JR2``*fRDBGuA*F$VC{j`{+8j$NI?LKSk0u0%dN`l8f$JG~zdyd4lXG;)6`Pi# z5)q|1H-0l0=ivTu77oR$uQK{$?fvD40%a8$%Uf4Bho`TKDx(TtKH(3JPtQ&akH$nJ zn=l$eeLn~ay1Gi4z8EQJn52{`inbJpvRa(6VPs-!ZX|6eu6TNQ8$Q%{01GQ!V|Qt` zRLjZ5G=gd&Eq(3}Pd!=Hd^#wid2`<8q+CFf^#-!-^i?NRi!@ChKgOpv-lrDRiV=)J zphy9x)dsKOsmkHh#z*)fLoBo+}yLxbaYEU=Od2`F$W=; z^&?1X3QsE@=#$>?eyPMG<97oJg4=;Uj;Di`r*5lu!(r~T?aBLnc}T6n7(!m(!@UH@ z2kAJKocn7+)$0w_DHMh{n=(t*QDqIeM3>87Dbj)z=eX6kX!wEabSIoKfU_p;=il*v-Kyp5|)Dbn0oso1o@D~msVraf*-;XPxkd3f~_ zS&Dz=pF#v+`lMT=oU8^t+^YNZkV@ zo#}4QUDzvWDpjXH%_!zSma37Ut>*(qEd1cxnzf69xRc4$C%k3a?QuMh@5N&WG87p6 zXG{{WZ{7}Zm*ZatQJ@;Jy#WYN0AO-3!m}5~79ary&~|It9)5y`%~U0940C zh=2dtyP)KK47!T17SaLi<^^QP84D5rvi8YJK!f9+YjKXA4;6!gGvL?~`e0r%uruv* zkyFFXxLd_hUCg}e{UaohY;Fz@w`wNk|55f9P+4u?-tZPAR7w<(PDM$jLqI@EC8blP zySq!IOS-$e8wBa@4(aZW=UaHr@qh09-uuQF&tSmA-Ye!>YtFf5{fM1yx=`Q=Ff2xo z*yDEEWj%ttU&M4IqSIr({nV+2Lre(wvz0ACXLu~F_ACN+#sBWhmNt(S@pSCF0Z_x@ zNs5tda3Q$7^pB3fPMwb*3%K^RIl-LO-ii9ah8L~*6UC;MzSFj5CZG>6Lwm)sLyntU zVk7UOVypIF1(aB-XxhH0sN7@=IQ)}NL`WQE4F`<;f5UL}Q7C%3-xWd*z*u4-q{vfo z2O&RGW3)fsgZvSNCx0cyBx)T;fD7_-w2jsUIz4fsY?LDg^&kUc4QIPX2#60i35CBkxr1>0H#`_U zpomo|eo}Q{&bg6!yP=L)g_wvtCL-*|*z+hJ1NpMb zw3O4Bxyv-(jG{?G1orhQ78);G8tISJxHVnY@0akque`T@n^rOXL6Ho;+=rKUc(D~- z76FinE1)hY8*d28kLoi~II@yW9#Gx0iwAe@c>rXq#i*s zG76=+#h>m}lD6n_*K-`=m^Cl1?O$ z_UQ@JpVIh|B?&Akph`Wjzf1dX*j2JR`2Shy`wf@QYg7wri66|!pUFt`p^>X+M|}Uj zq%8#@)>(aa5Lm5k-C%lhgy*hmUUQVn*9u9{_4N#zW@0f^p`_s7%4_g}GtXPZXu|{1 z0N*lKvcPh9RG{jyX6jtHNzD1{kNjN>om7=XrCC$39-lEY3bV(W{4I_-Kp?%Xc7IzK zf583$cVm;f^7ACrrDrW{I=Hmfb`CT`MwzcYq^RA{w*T(Rty?Bao)qOFNCe>d8~|$f zgY+Bybd39dmpUig2Gs=+KWqYE2LOyy*jZTuO6`N~z_(fGacOi{ud=%Zm|Fo>2qW0; z09_(IE3hO8fGq$>5|gx2Ds~~{E==OC^GbabnB?Pj9mUpu6!T4j5C5c{L~++Y1ZuL7 zhIlss2l-EJ^W0K=bAW7n=5p&8V(RH}zj_QX4i4$Nc_mBze)wVDTE4)?6=ALA4lfQ0 za*jR21AvF|-vFfkyGy}(5pXtO18cwfW;A`oQ1lN8K%@f;kJmT5BHjc5t&}nTHkmeI zgil!5bS%*dKJ%LbmjE(le813WBI+w-@4cCz8znYAgvDnRG@*j2GcMoUs(vU0o1}@H zaSKe)VMy0QSf;gm@*gU*ymbtPg@V4tlEA&CxkjF03=%f@W_JWb86*<6b zA{)iXM*xvKzTQg9&axNYr0+YkZB_pm=B_6!IM)0OEtV?b}qooJr68+ zpIX7e9JJL14bS#qHr-EQf831r!Z!` zQmx#BKy7-&|A0RPdEVb${O{I(6RfcRSpRh}_->`mgWG18;_p4hbw|F6Bm3>A_1gux zO|3Klnnea!!94(eM)YoLET`$eaTr`<3g$7uCd~Yc9en(U>zira>frAPH zf6mJ9?a4(YXDR&rX&N+--1N|Go&=yck(hJyG5HZdg0(Cdzh&~nVWYQfveRHzRD3nO zZUbL`bp+YJ7{;S{BO%26VTCH{dDtc z=wyig!Rt1UeA@+^aL|;#M+>zD)USc>DpALuYDErqO6tu23W9@|`cBE|%r`bw8yYRu zGb3cQth|$lkg&ws9V~#J(v4je3v6Ru?kc88wNf_F8`6jcFbxmT2L=H}`!+M5PpK)? zuS0yByaIe+!r!oe0hTRo@mG}5Ezm}L-oea#eluVg;8cS=9E>kyv;mUP^U5TvJ$2r*3vX#=o|3g9ln0l8wJvq~kv z^?HEuBzlKm>h|XSuu|0n-9&nG=oP?L37QaKeeN@ui3PnhvaFnbeqW`%a(eb&4m`v} z#qPXbpc!Q2Fdq5v&`8^#aFGquC_4vSp+a2}~ zCe*`#7$7c#?Vo+uK;Z*vhKa!72hzJ*!4};FbITVF)ZZA^V1;rSQhOYNe(xigp+H(t z&SMnP{z1kcJ!P7&%tGgpb=Pr8?+)LOk|IsmHhxCsshsxxAza=}Gn*hbg~uE7)0Y7l zcaiQfw7K6^6W%kVxIpe0h?I+A;3Bv@^(U@mqZi&F1SxEMZ{w41@!i3;90sr|9y+Ya zv3(Z6obMa`VgW!_oCyFv-px6ON^%!@AM=Eh_VP7B4c#-&_v(TOAfK~D)})^)4kHBt zikO<>WOJPlm+Q`N zbSb5t9jo;%HIV<)0U`TgU@~VS2@S7DdUF}RlwmVD`Hk>h!Uc2E=yRcXbgYN^iSCN` zoGj&Ov5M9OQ}Or!exXPCkMsT{Zj!qm>ZTt308q|3^()$t(KmjqQjM`zos7x ztI>0AUMr04$AR(zdxvh9*!Up@hQGJV&Kl%p(k0RUgrsGCpItdV_+E`{nlzP$jf#gdLOpO`N5b@de$HB0_5s#H%^eT7PfBFl>Kwp=*047%JvYa)UH=6ia&hjM+%r+$ zXGRIZXBQxgeC9<09N^XY#kG$kWBe5OkUuMot{#d`#5F$>yLpf&)oy_orkcZ~BV&f^ zKDK7nw5XYf7BR9@&H;?~fzI6&kxX`Z@1BLeLNQ1E!n02jRmdUqEbhw8|6S71^JBa; zv6L2GGkkxHm}X{8>j?rQxlbM~F-%|anfP+8R{K4ConJLhf$d=uG*8lmgGoTjs_x;y zG;lK3!?~S{0}YO(3$%V0Kr-y(#@&fqI!%>Ql z%1_v~NnnlMCJuozc;rV#+RvyL4~vKz>^x6uyb#sd?(husbI?!>FS`Fi#yy#&7dufa zKUOP7J*ozn5Pi>YC}Fdft=;-W6t`*siiyYTm-68NET#DoT7=h6-{O}NFCuM11=FNo zqL_09-rpxNt(^X7RnfEl(;f!*Chz-C{E<$44!%7Ww~B{=?Fs|=!D{bu#6}5AGKVGY zTW!sHHdROFI`@r#&t_3wCAkGy{p3P^);P}=;H)*SLKHEz3Ovl*0n2;TXcb}BH0?S* z!2?uPAJV?-%G^YFZ?fv$$EP4FFz(zrDUR)HvsGZKZI}^6=BHlv6Qmt`ZafM$=s(2g zbps)Lfk8u~vyVQ`;B3RIYioW$?bEUKsbXAS&jqh(}~| zLr1xZY9gm;dSJmh+O}}rYU}azRy^JEC%{A9$U&~6`w|E5BJo`Xwu&d*^a1JXg+d72 zj7AZ@Pfi*ui~8>UC2zp$0}=XLyd63OO%vU@^`}2QS77r0nT)X{>%qQvujpkw0qY{W z>t9#PTY3R82rii#@#vV5t9Jsb)6wc=L!-2scwI=W=lv0H8~j@)V}RSJSxFVvPu+~% zfTUpW(O%UpqrX+!Tg7&s1=R!;ord0+3(>a)$EX(|i$!Qhqk_!eDaY;nTCs>rJF&i1 zbw_S&NIo1GipR2kRBsUb{=Pc=zCc)$RFDazm6eFoh1zn}@7yH$eQ(j9?K_37J`G=n z-XsNSr#{P9mI{dvfgs~;?%G|Go|3IW6 zyFpZJMr^V%>LxY@x|*)ar24wMRq-m8CuoY8-T1P!RJ856`a4$x^s4JS_;4=3J37Tm zJC-RkRx%CcDM?t5sXstcJjMj$54k^#sT!cP8XL8<5solPc zez@{sRUC&JjHdzSyVth~Q~&3t0q82xbf=_Od>z5XZL4(up1!%zF2EZY`}iIhqijct zrJ(UjyZt$b)m3derqrjD8tDr8bM;KrT;6kx5CNCtx#!ra{I8z(orkC#J-~P`HWaid ztR$B}Zim-(ARsVi{so?2ou7R12aj?4zt_U$PJqI|@MzoL&9Bklob}>xJ2@9WHL|hz^^=unYi&o|j}=ttoha0k zG`H`2P_RpSSJnQsvBo}-t4jT&lhwwpkC)QQ;I(D`j+En+_|0;`&DDt$+>$!F;fnR_ z4C_&ioR#GqA_*^VL2mcA)VjP13nl^0j33TSL1t?;~D|W$ib=)R}x#$GjFbW()O8!Cz zJMS6;K^nkkQegKjm+8H|HIH+yYtpO0J|qAStxn%&>I{<;2N5f0Vb(kwJNV@-G1dku zs1SAdV;;NRi|?sy0YR=wMRV7-IHV?XD|$Z3t`OrK3 za!TksT~w>>B-ZKFE2tWlHm_P=3^b@RHn#-MRA7hvs!sUVB7Dp&*5+#sKQK7omQTea(*!_{`-Fa zd!kEds3wn>H9gY2pf^UcdXDCl32B4Vqj4D8(X+E;A%KXWB=mLH4tWIrB#X4%*E|`j zWi{KKg}6)cnjxBBlF>(eDJ zzy}Wwd9Hr8nPCY`1n!Q5w6do$s~Qyi7A5El=D^tid=Mm(4^B4HG-@utBD8;w3lheQOizU}=vYhlbHcx`&Xwr?EKsv+ z$gy6_7Q!WptCX1f@j(0y1^WJlL*MJ-s(|$|gz4fi5bP({~R+V1^e{fk>7td?6Q7vnq2yw9q*tt-{oc$RJ)bjHQ(?F8rU!9IcgY~t=@!2Y$(dn&>_0`4ZnqK zoagp|JFV;3u&r15VY&D>UtGK>Hs>^UnvJ9}-FNpH)SO`w?}c{T$Cq~1u3a#SGnvra znEtY_-I~~*%vVk|AgaKB$g zL&I_CscmI(itf0a09(a}UHAfH_vVG>Rd(Bs(%ird>>B1+m0~}it$j0J&J397O+`KI zN=T@WtJaZLErzAnz~Sl!6-Xne&C9-qqQic``@en)oA~jo)=v#Q{h+`ZqdbS+;fs)< z-Y@5yjWT0L*m-ZfYXSGE@D~S^0Np<-#S)rFwD(Lis>fn`ftpj_<~|77DX-kp>OgI! z%;U(rc!nidHc5ce3@Xv<&%$?^g~}@V4ZM+D=rTmpW>O2(IdjPE+8)pyVT)e%`OD-! zj{b*No2))(JEOs>47mCpg`qw?m%4@s>h?!(dK*DdbHCO{8w+wnI5 zBNbIekU|tthoLxm>Y>nOnT;?0#%x)!uau@-oew` z_@4(610U99^2)!oQ+%IOyus5;j)R6cY1&)&e zcMIFCDXN0Yi2i}Aj$Z5phBnKmgnve9*0p!WcH=J93q|{pfq?SW%HKh%w{tL~6c_*f zX5BjC3H(2kV&lKn_@`$p(7lHIuYZFygNNH48W#?JTQ@4p=hwh3yaw)XngyLVwpSXW z3H-KpRyx8Hs0Q|}9DS1eX8;Vug&fnW1?aa#Z!}oOe`G~zh44>jhh8Ez`uT7Fepj7< zg%j@&$Sp%4z+B3_U39ISc@ukut^5Bh(+au~y6kCt6H&_KWu!F@dcjDC~TWa|pW`gc69vokEBP??CY{kH<|baRl~yFG&*2m`Xy zhRaz6#P8iI#dYxHtjEv)J!S$#wv8B0&T6Dl+JcvOrO?ZlOedFe*2LVl`+FU}^tJWc zpKMSd;7P4s#xjg^M5R?>^m%cFrkbl?Cox5%YP0fXarx`X&TP{96k32E41~WKTUYLd z{6`5y{^X+mRXJB*CMS$f>z(%QC%)Kqpgmj30O}1J&*-EN@Rm`iEm|{5OYB*gm z#RyBVg*887)Me)WyiJU!$&NN4sy}K^g5w79myH z4RGTCw~x=-M1~bW-zccRl(e2J1UNwuaCk)tRS>;)a!p^?PNrK{?8czl$gdtXgl)=TdXWyYAIYMXp5^G@1Gr^kI&4Y_-RVRs$15l(FY=Bo}Ne5 zesjkF64u-2SFFLntP`wr=di2?XhnNffpe?-HqKXFa&dIxwvuAUgHlkXvH3A@m&>&; zLoc~?x$IUBKBCVa1DOWoHHad=3r!pC20ESV!RFT(0}buJw6$KW^xk^S>#MgHK1QfI zs2lSdT|^`}X68P>1ece`Xcs>=i3whtnqH=3shzc4b0_S!HP~1h{Gj6A)~V4{*r9B2 zqMg7z&7771?M_N!|ED2|9I~fi@KDoB0|2YCA8wkurctG|aMx}1uWn}vccD+J1&creU4l8APB{hn)=;?V#P`OJBdYk zHO8Nod=sW6LlP7~;3SB;Wvw_pIzoqU1R*^@k#SnvVFtk>N~3f$BN?=&gobm`Q<1(N5eF&{7x`B!)u*8Cpxsudcl3s(Wy*&je zvY10GE@!URY8~Y+-G5FhTx7CY^GjSyCQ)bk=E(zN(#Z2O^z6 zu{ra2j2!8XoS+-r_!dKmg0hu8mM*8K$x9gVYwMYLx-Qi#?sPQ`Lb9bmpg*6}ehmF} z&JPr5`WIa|3G$^gW*(7#7l(4uLaompEvna_ds159G0$m?6c1XT63v7;VdO%r>JKuus`Rx_#Ss%H&{tb!O(i{^lo#1L@%Kf(l2*L(&B~h zBk4h1;BM1xEu}PPbIK*Ymw@~AMR%V{mD&27<6%MAyPt%Xb@dlz&e5^4wGIn=M=@11 zL=|no>|iT0lhoXnV0+R9XlA?J*U+E!yvKn6vDke6RoXUec>8|r8<84kh9U_F5 zP%E$cJv2D_iD92-)%r8{or;1jI}n{(Fm?(~G$3Yr#xuCa&Zkdzx7eej3Di`-&x}sM zoDw5_RWn|^Xm_~2=6{ybtI=OqbIL~gHrAc7$B2i`q&ly}__B3*Jt@>NlRu#$m*4D`$--NAMr}Iyn=drLbuv8Y$VP_`0(@~7(eX;D_uTNV- z%~$hZJ7PNBY>_(Foi+z==w-Vjo@l&^On5wVX3{)ZY$k_3#|v*yuk`xzBl^fdQ+}D+ z1EN6Z^8J3gI(J-Za?HIFU91eRUut9U0YD54 zL^f`J_c8@Ovy};b^b3mvxsS_lj(Ii?de!W8)IT4oiicP0Ol3=!b+w`H)L!?WYi^#t z*JR)#>=9|MF=eNLUJj1!8xQPF&S-1rzaB5wvlH#eHklY|JDRjz`{6cHBkWdM!a_Jf z?;#ihVNADrwc*6q+MLdN>*MKBaq%neayofV>TMy)=~1=aYE(o_-9-!$E3#uA42E&?T4Wh|Ljc3(cDlFud4ZQ?nocRYHOn9Q~yfo75OH#^;Noh$J3#sK& zSs$Kb=46{}#BU8SvW5;8YX|NMVUUD%-dwFFW(Cjo&xVyWbNl*C6~nqiaQXd@iu$gs zX=$GIjPx$y?@H4}yr&4MEQNy#E0{d!HjzTpnFS+9*( z2$&N)!(_W)%B#PARXTLUsyYf4PHZ{Wz>;L^ZO&Vp_+f&A0-T)e7Mqhva)F(y>SYF% z+Pe!gmjM)%8M?aqc``DtzB1 zsH({3$qUosGVWA7h{#XiG;iXMCH_4S7B6xkUd*hhoi`{#r zJ(R!NN8bHG6q`OeEi0=?V;!dYwvCN#yf>1&DZ{i`T=5a4TI)AcY}nU~^!dV$Bkx-A zLjuFsrcY4gR#n#^WARE~T(!kSG|s>)F)_5mRZ(k8qr`6iyr~mzo2%~bag(dFhtBzD z?dUF-&@FU(Q?vXXA$-0_=8^!Bk0lwbpoUb3hso3ms1T z6^iWE_aY)O4JMjPz7Z>0&s=ZnAGHN04(Q0k|K4+?X_emzphDI$&6iIoM1F|B^u6!d ztaZGL{mIbC;kb85ebs2j8Iv#}_MGFz_07;)e@R9DoTHYu=3s+9$tv|xf_DG98s-cH z(Rp2ews6N&eXI1*KhsF?5l5V?y~Sd)2Cjvo0((JjEE2>QEdLx+KQrq&Pn{WMcbO}e zAZvdGMc6xfwHgEn5DVHnkeNPz&x(j1he5Q@_blwr8v|uNK0eH{gLB`p)_{bESl5FY zlFa~cYfg)f!(?wf=F?k$e1-`cEHor2(&B4$HI-M7m9=^P{Ql_$J#2n{5OG}Ya`B)pb&WlLDhUV-s< zT|zsMlzBH0xVMO$u67AKmT{!$o6?*Y85wHyz0?1&z zG^I56DscHw3@Ba)XYpyiTHZe~mz@p|9&lP9zqU2#^Wkw;E3pgy@T|sa8#_*n$4Vn3 zqvip$HC}x(9vruenh_EoTxNbsDkqnr9}%!Sc{5f&gHLU91T}S zuhsWgIHkp8ayZPD=ZejoBz2?e1D;iMHu|Rv+HGR{!*oJ1JT^Svl8L_WBSB6UAs6ra zx&wcCx>O(4FT~I9xN>xlxLmQbr%SxA{Xl;vHriMK4Ae45ODHhT>71&!=VwtkYR*WG z_G;NC3o)CG!*pa4rI;#)cZ)mX>DP^^$o4b1g&BMFJD>L5qQEY=(Gd~qJknZ&$K+Nb8(5z;XqQ-oOqssgggo)o**zjE-&?-!K zdPSzwD$7eJzAru%5kfX^OYcWaRmjP0q;S{O&|RzN9Uzb07iJt095Q2Ln>{UK|m&qUBHaaHitCvvcvYDQzmMFfio*v}lRpVP7ttTaQ9|9^@ zna+y&ZquR`EoZ6GNOxa><{NyqTC3l>SAPN4yu_fi+)n~8y=Rg0PUA^mI}#U%3)f;^ zv9MHIt0E`x&%(98a@k7JnxhNZ>{M#GN>(v~%$ z#B|x7=c$@l%OHPA+6e&*4F{s4vM~;P#~){xl--H|`LlZGWM={NZK~^3=Bz54Frl^e zgxfC#yAXB^ z0^~r{u<;|w{Q_z%Ue;G@5Zf9``MAwEfLL)_QTVdPWC3sFXLIuqD#URYiAI4{l4bn5McX^VztHG&+Y;3EX(_#(Q z7T#qHWqf!dK&Y`AupPsqyR@?+bty|^)GOfmQ#}6bM`L0hTQPr3IA|SLL9Sr#M0fh- z(O$p^HO_gN?!Darx4Y2rge^=MuNuCw?lR0aBr1$BA!uvkS4+0#+tlGBKXM`QNqHrM zEB&8~_7MaG26W1mvW6Fb@%bk4IX8IHBSr*nMD(@eQ=Ta#G$P{RS=dUReSsR~$?h2c zL`51l%V;U>W6c1PO=_ZOqH#^3~eebFXFH`o7?+_qr`IE2e0flSus&;**C~Dy0VO;r;}+s zRUg>5N*~Ed2u)U;PSskT`p7shFXOz#^;4-q2M<_pPA^a|%g=Go7){r*e%c#%g}2w% z(lVZ|?P}^xcT{Satk{^VX!DOb6%2?Q&5)CW*c^^L4#=6Yu%K`L?_b-Wm?0#<8eoRm z)t|u)2#0YJ~X8{xc?DDltFvqY#FgPo}A`F z$cSAv$KmRSr@{=B6^(Dy#65jO<;iaaC21oz0df-Yl<`oj=o8l0?97Ji2h0PniokJE zsMiovVbNf~-Go(03(2ka2Rmn3J^HR23bN0fW5Thu(uqY=?JEK}swXpgl|P8~0o~2s z8uqBa)w=H{g;9(4-8+#>^YhyIlN;!hfrib}JPW0e7b?Cr&82#tzyI>wCaiy8B%Pb1 z)Y%t|dDPGzcB5UB<~iZYg&)S)K3ekzCcAl4Q5xHpz^vWz)t@t(Wq-DAb2sqh*S)<{ zmGf0NEHv%I@R_Od-Oag*8nZ1KQCk0}543#*lJ`Tk=@pChE{=+-IgBY)@K{RKY8ppP zP46jLZ{gHV^}11XsBqq(8SOeRZ}jlU=7zr0$dRSlntqXaLOw7$Fj;d+jOfnobg*Um zNLw#6%W%37t^n>gxsI+$HU>ZAlS=y*Ml#89h8ov?tWu^67XCGOA8MQ(+-vA@?ann& zCvUC}tdtC$!^xYj*==vCi%~2$xSznTm`%Z2&^X+()*MJ>&`E@eC}Ck?cP%m0 zS!-+Y{&f^V^zYtvMKc*2>ts3~ZgkKGhW({p zd(7iJF!_Xo<#HBq5e~Q0r9-x*%P&?iKZ442Tc7 zWjy-PJ9Cmawcvi=o%xUpeeeJM8>z>w6X&sm?a+A1^VOc2%h<(1&^Jz=rF8atlO(P;^x_oxula3z;}v@{W! zzhGTq1%uvbe^O@Zug*H*u*}qF@m7c&c=xi{rCs>x;BnYV8x)uFa7KW=~=EPk06N8v&*cU z(Vi$yLpS-9fqSN+=#dD9%orsyA63|k$M@~2$*Dg&;?)&*q1`ZEADj8)%s#*rN;szDeUmTp0Ui}V1 zTo{2(hv}fX?mrvXX&-7k_8Pd$yR?MEs;^U!{sR#*#@UQK^J5%qt|SO|4;!%GwC7Mz zttBj4ZK1V)PcBYLjmk_{7E6htQjafEXSB1N*r^E*1=4qR()Q9*b+ywT7%m}0R@h%p zf2eA%JdVO$mk?!VqtO~UI=ufr3WWm;+_dpT?AR2kctrc?Qcr#)4oxyyHVwM`v#r72 zg&MmhyqXeS`5wkZE*oeA^!6%(@RB+OX#>4CjB>wbRzR{-I{5_cdx|KYI#n*!f=V!Rz`H4ovE#)mpOJ4PQvY=GoRVh-=hyIk_|FQKvz9*@LF*<8p-OCrPY$=MoUd%;D|PA*Ot zp%jB#8&Mx0@bxVf^>ez6+0Lbdy~w4jWQL8r{BXRo2XaW}H244T#7{2nWRFG8;0AI$ zK6vsqeJ+`gTVTmn;9+@n*gGW0SCpE|M-tj0!$z|_pU79_aS__Nv?o@8om07#YZf15 zr?0LB&hrkBy`g4yU*gd0do?Bgk(M`?8+Do8)5#$WvvHIK@dA`NS!S8ynhaHD^alm6 z#cBU=mU*G|WV5qrM@VA1xK73J11b;qX13a+h^|vI>#wsUB0qY6w9jUn1%wsfZ|d#G zm(Yxs&m0t9lC)8_`M|)8g5=Iy!Z0E(+;d*&d>_KNd$;1G_J-u*N1lndv{r5bR)2Tc zwbrMB@zmV$RGLQJFAx9jIEh%niRY!!h^ooiq2d`5`nOv&rxTC4|Cx3!5OptK)3L3;0?=JVSQe z)(G{!KR%P3Ty+#~QjRaKTR*xVi3^1*#XUrL9j07t48CJ|#`ePm;ZQ!^uRX$|oP0l# z53!Pnt5qR4w7aOtEEpDzbX35^=_*e%UL)slQ`_l=z{JVfjqc%Ob048ygCz6?1?DG) zd)N)}ej*YAuxux0&%^xQvB&tH5cOPRyq(KBEGPhFWqNoG&k!@Fa zhq<|o6O52p9m6f*m0MQOyL)Iz8`B>igO&=l&Vp*!Jl9r85a|848<0Ty*|oAR!Lv-MQ<6GLi`OG8c@C+GyVRQ{jUzTu?tg z$_+cm2DyixLE9aMTgm4noSY-an*>48?(i#!d_1h4@_r+5d~1h#h`K*WAq1%3g6q`~ zm<&(rom=7B6vze%X{sbu~;Hg>Fl|F^4qU;T>l1Q2qQ38xQqH(t{mgI?9B}Z20aj>wmtg5T_ z{p;d)T~zf6j@~~*e*EZb`26wtV^7cHy}9tVRUGV5^PZ1Qi(MMUyH|IA4`^+Z3**9) z@Yk57FrV3^J?xwVm0%bAA^kyl=3|Z1Zg8IX<>G4o@TIBj-dQ>Kwl>|(+*p^-_fkLC zMJ@JH?Q-Sr1@j!aT}s~6kgfgwiojcZ}LnM&<-tV*-y0P&fZg=4}Q*m0fIHpga9 zq_Rr+8(ul7c(t@rIvX#uka1Ye9vsthqLu1nKAyHd@-~-iP+&i|6iyq=v*$(^-&wHSFx4?OfKTVe0@UHRLy=7#LG^w;(s6F{$4-&t0%r_3X4_ zT35_yq0`cy<0w*Nd9p~eW?_?+=rOW~+Oif2vw7pUb1{EACOs~b$=I^vK~Y}rAq0JEEg4g1nnJdzQlv>-}l*m4XhKK z*B=`O+%#iowZmRw}o85@0o2gBJJXrPZjj<;zj*bZ*p{*D7(`%%@k;tVZiY z5}sXI5zUoOr~B?14<8N`35mtS^6wiuNa?NeJ}TegNzY4L*xn()#$|Na*md4z`xaq- z9bKi-v!$t@&|ou?ZmXUpUB21xomijp!1vuvsQU{#x*5kM>9-bJC)aKD2{d+C5gJ34 zGgUbiISp<*uK}*=K|FbeMHw^Ub{_Fp0kkN#(*zZ-`h>*-dzp_ixPdqi33GldGo4t- z+zhOjD#CMpmNVj7BN*12E_AZdyuMq$&5pZIW;Axg_%v-b>rE4n{MYQ4i}J9&yWj(WdT;{&*7=~mLe+PHpPi$nkmH#0C4 zq4nX3maY~YB$ahkkaxKdW1%Y|(v^AE`RaSM4K~(CX=M)WgZ8LLU*X?KBn(&+aZ%G! zk4eZ~o*=0ktJ|)xmG`yRAq=&R>IYZ0YcSA!@aG4Wk@lw8LMR$SjU*feMR9!Ijs@%< zndm}L*1CeI+a;Y^g{Dpdoek+&1bkcHHn&5uzL!hfW;o{EJ5U3yV%_0<1HLtJ{@fQ? zAxe5xAR+SuPWn>5{0f!Y&ZVvQQts^NqNk$6k{fH~d`hdnwsdaCp$K|lVrIGP;;~d3 z9*0P$RHOMRFaRd<^I$?ow2Y(d5T7|yj!;hQg9wt#fVRg#rJ)D-u)!=HtQ&@+5|L&8J~ZD=w2fQL!R{TtFkz5%B%TosK}h( z7vuVEJUMx=ssS~IUGpVWy34W9>%KQwd>_?vguZTii-s=YVijLya?V7Jcw>gvWVn9^ zGFduXe)aK&&GcktOP7Dc8b|+zy}!m@3C|x9@)p6R?5#B zTl*C4_FHFG2rmj|YESEsC=yN_S+-u^h0LlP&a3loIi1mP`P>?=bVURwdULep8WKd= zt9Gb6r+s;&{+fF(!!hA_>O?%Q;YVkUAwP`BJRvFj-frA7WIDs-$;cmSk2w zp1m3`-bjec<3KOg$7Hg*_+cNIAQ$5gSSt7SrG)7InDNXQQ{`^i6uP1nfzHnQoZ;Hi z6ncVej6L+yX>`zqsQJ5^Eg+Sm2TGytbUrLHsUkZot|x>%gnl03b2WqF2-u|XvR8HdNfHv9u(E3x z>rdj;yXEeb-QG6)K8oj)+empeC@iN(yRUWJig&%GhI1-Yhy7lpAW9CPLWM6GXKT%x zS{AMkANYKqb6n^|6{F>_D_t+wIwY!XUEnN)0o%PgaKN`?kHr+xissHizP~ z!*TL1GE8e`f%pYqQDM~jTRO=z%Ef4nWT$6O7Bodm2-z&|q;RLCE7>8G?=YOT&IkdA z=h4xRFmMra+?9lH?ai&TvMW#?F>~S#lqt5kuaC_y3uB0uokKtlcvLKz-~bg@M&02an101pdD-$PgE~QA%=qk}0A_2Hok4B95%JI0 z>HLf7d60|kdsdbc{3DvHun*5T%@@QNiCL+tdAVAQR)W42D>{MJ z_Gs2zp)K)>118K0J#QlRy94nW!Uu~fyG_B8hO|C2uQmu+=&Kp{GlwBO%*S( zZiRXxkn6)6(ewz2xSdJTL?Pk%q(?Y{VoJg@Dbn_k%#ek(mCowe)zY~>D!d(yN)0vgD z3PwaE-_s|A_&gUC0)%i%miP3`R|iTS%ETAXaucXllVWpw)LqJv1ryyQ^m1ZeFHyV+E0uqp=ZKP z+wQeE_o;19WT{llyQpgySl}{vZ*-^)g{clbUHtWFsJ$5hs-2DnTEx)6fI~(iw=-{u zhHqPJ>nOwg%lW9KZGTZpIHix~wxlR+s72Lew7g_Ft zH5Z|c)uI}&&` z<8uFhbbV!599y$>6C^kUf=dJo9z3`O3+@CP++lFn5FiA13+^7=-Q8V-ySsj!d(Qhl z_xo}G4KNSWy{C8Ws#R;P((T(luL0h+q>*z`>P}{DzB|;g-<`b!v!Flgae#MFrbDLx zFtED$XO_BGRZNVGl09$)kM-QfYrDCtsqMHz^zN2DBjsm62!t+&UPp2mSiZUD~(Cy996?Tfrbz9KB`%2tZaX@1Xguw~itiCYc zyUzy(zN*?vVnDkm+x~#}P(-Tzdjzjmvc=QQN=eNAl|tr}{So)$*=2yf*u}vL?M-{k zz1E$K7ql_3KCiws@$B{xZDG?b%BaNAOoz?WU_`zA0~cj_k9Pu?fs3LZtt|}N?H#aH zy%AP%e7chk0MhEhhybaiCdbWsUIrQVb+IegSJ*50Bb68pC6mz|#{_)8D@sbHpV<#o zKfKO2of8X%?BZ|iFSa5Surl}e55szEICbDMtc*7X-q-WzP>^SbJzG*ZB#l9D+|iSo z{&=ylu}yYMLj*ximf$VaPQf{@KLv_ke+EKApP{aJuyu{q1 zRizEvH;cJWswBJ*GzNMYTGC0zgc}u)6vbkVOq=-l{aP}f!(lK+1LJAg=C_1!4VYwC zNgAE{K?9D>)()G!Ci>IZ>A}Jp6~SY1km5Rp=Xik)ANVrR&lq3@J=jGCCM}OTa$miC z=EYlGuwQt_jUWd}RSS5oIg-Dh&MBN2=S~qtK}A#XC_d6 zNJx5ncA0vf8$z&%0;sc^-fY|k1s7@3OJ63UuO>eiElg`R+BhvV>w8&p|F#-vmLR)h z{KcewyDujlJCwp&302)AXb|c327|4$%O}O9ND#M&VwcXo+|CQAK_>Nr>?DM@swAm0 z!g&uLK8B_?fai-*TJE_v`?A;B6Ta%ewv;E7aX)Uvh4FgX?em=1gGEnuam@qt6##d` zZnOVKCu2KG|~em1i-b-bKK zFH@7kgbQQD45H8r{4A;HvEILujfE69Q0%Is#Dd04QmiiXGbDSiZKzN@(&AtjYtr~4 z(>UVrA#t4zJ#`!f%!3=Rq!7GqgzsdCxNEP@R1T};4)b4nr$=p5Yv{vxm!&@?cCo;$ z?(9keqlJoYz|LI$QmU6_%QJbSpKOPENj|+>7~#(Duh~bAq#;7Kw4QFQ02IkD`RZ$3 zg`W&zrl+P-o_io+DI#}OC;5*9p3Z%6m1f}6_^ZynLNeUzI@EGSgP(<4RZBYN-bmnA zg5>mK<8|%X<@Y~!lwn1;eOY&R(geYL^&V&vk=cfuVlrA6*OsmZ3xq)Y$Hr9XwqPlC zWFdRIf(o?@ykAuo(lG|&U4(f!)+sYPZz1!^pOtZ{JZZ^2ht!fb$!)0@AnINX))=pt zY>JcE56Z&p{Z`(U-;HP|a~JmR8=^vz^yvO#&f?LI6yTLu#- z()`Fv{(CB3u!*h-)=y{*oRA83Gzncky}TrN{75&xQbVo1o_cuXdoozmC@%~qS*2D! zZs;kTXUEC~uh7F*9dM2rh1r#V6P+QDY5!o2DG(-+U-~ z!0j$Lho{rm$TYeCz4HQ0S^b3My&+LQk=qhbY8w1+9FEs801hjD7=U+)&^)WS;hBwf zl+(c(?eBMxRj4u1tl^ZJRt*oxas-Sv(TYdXm98Fh+c!)0OzQ`Lkyg@feOcHjmCwtq z|K>?qk-OfwtE=$3=7{TbCWmbQiIde-DpkZz3>!}V9*=-OW4kgCHgBey-6)-^bTEaT zyd`aCdg(We$G6(!&=7~4o6X3`a=Y|>&0iKUY4XC`58vMBE4e=FD%nf5C-Ud`S3;2h zy+G$fe_t?QHu5I>2ZKGlpM^?cuIA6bRIahFb@>zr-tYu+IbY~`r;c2;Y|o^KfI%^T z6-kCvTi7p^XOUP`T3zL^+34x%dT@nS>}3+4jllDA8xGIYQzjl4!mZV#IVk{Fd1Z>j zy4D*wfMOKldd)K(+wnz{!41sb?QpF=+5NdHZW!6Hy=`3aXVjLLhBib-A_L*#2Gc4z zGs6~GK@@O;C(cSZR8!*$E0tE&O7B5xU9TbjY92P&J$uWxrRM6s#38X3M?ulDnEX(l zo3I3+P@U=5Z0#6R#L>d(6fmN*RM-W`Bwo*4!5+?6TI?M@ z{W(@uUa7WF;0%wc@GY*66*U+%2jck+D+S&@taNLks9J%gZ3@4GeOTyWhW|!!MDM!ChrC&mq|ftkspq1RW$Y3rk%~B zECI6Gqmy!P=4>Z!0+=sS!wGgBY%Hjo|=vC?COL8+GuV6-|B50I`(W}`! zJe;W9_Fi(Rig5$I_t7pCn1J;s3o5rHyfUP!Qe5KI`?3GTJOBqhU{6uY1#iGeQFU>i z-VJ7T!*4&AL0eX40M2`K0#D9jb}RZ*84H%Nl_Bds|S<8{9-ThrpN zJP8**RO?2k>>1BK_uhdeYPvH+Q5Ezlkz__0Wn^uoPuSZo2stAT~vleZ{(RK4u=y?6To)*0XBuP&D{KmC6mcu~vx-o0d6_ zDKr~_UKBb9ejd-WEG_U&`2cD7G%M$#XKbjgq>z)J4+F?tu`3n5WISQCxw$a}emI}r zU1uk4*unz`oX-Bp)~r{yy37Q2xKN8XqXr{wcHN?`(<+pIhapB=I)ev0%>feE98Rq_P~&6!bLjUhAR5@&+0=-y&|k zfZIO<>k3bQXSZpWxLb5tGumpS_Pgo;*`2Olw>BTGJl{ zjzdmnNAcsuIHz*R;<(2-H@MSrfKCckcGuuQNgn$(cNH0J`j=^yrX#PmW0UjHmnlUN zU|k)*alo#dnif!H8_G3({P|OIB}wExGgqu@L`nh(A@AwvBLTM}T`eI*iDw6UL)Z;d z%F0y3kG>;#pVTy72nZ=`{=vbGA?C8t=DZU)q>;s7At6g@FVbNm9SwfDf-Y`&L_f_{Ca0?IuLX|$P{Y#Pd=fgQD8 zuDtti9SXCWigWH%q?PfIN%(>XH7HBnM65-|`BjoYNP*iQ?s z_arkVgN71o$zBF+xo;(iBquqb!-^cwE0my&>Y~WuoY$ZksV)CJw-6888h!c*E=VvJ zw&V6{KSk7X9l@;4V7`2q8wMHB+NtKHlZvi%oD}By3Vqv>wwI50K8oDsV54d@O7+lU zh{&z3(FlmIgP7)4V_Yd#62^kPRT_e4V=m3t~}z z^blw3T1%o-@Ud)s{!m_9J2*W3uoj3WA#aR3Na_Mc!b3NiKT~KcIq+h!X=_4`wwE;| zT%xz{1%!==Ty$Nd~3)gq~fu zg$G6SxI@3fVTeahm7{cwv)Kj?&5~ITim&Arlf`+BtJorX$9~Gp!lYSy_9pOizY$Yh z@k0BiwX35A7)s5!0K-IjLXL;Wkrt|gMf0V!;Az3DO zqE1uhcgt~vBHoY`YBJHRs@4EnNM=n zrvKqfH9Di~@K&za@0qy_iTDJKwH{wwd_NhiEwaQxjkdRDBKyF)tE3I40V9=|Rd*Py zTOm|AblOd2APgA$OkeN(cr-|1o)b#2NYR^mw;3|939^x@5eYD73wD1=kj+UMO}Q!l zY%Ur0=id%Vtzyj^i4Q$gxBGM;IdjbCic5esTi}zdJY{>90^(?O&*Tpm&0a?IT2T=( zZtgR8Px{6M1qBCc4RD2V7(=OCcc&G3HWhKpt|wXPN#}((S^CBdl7{2*zJ<4A&9VQc zEv38SLb6(L-o~n7)IDl*&Cj#o6*6eIEYOqx&QX{t73*!>-0vAyTjZR5?q2HQ#&~MD z^a=vfvSo!8^*i8cIev8MB}i4fKe9`*L~Vue^1EiM7W#nafyIJXQC?Q1TYx}813|Xk zJv%6eJLYp|X5pS`F^oEB{I+gf8XcqhK{e0RiERpcJT^9sdSdCi*X|(ga7np*gjcd$ zVpufIl_PPx!zLd1BNUC-L*lj?tocZSRF=%C%!a@mrc~w-?-@FAkZt}#gN@tmc6xbq z!t0p{sxuPmz=KeP#y4_1a1E>;E3>@3+y|grc9w)6H+oNL`Ibxcb03fZ5L!9AvNzL# zn(AtE%D5bt_yj#IvYWR-EEiZg?fwjdXEl3K3L7|(!BRCgnF6p_^2o@`DsszZN4VqS zW`9^t@7V}#%Dvbj*3q}TTeX>N$t~50CvZSBMFSpPt5O?wQq%SEoRH6WZLUN?bf*&O zv9Qj}p7l}V-eTDXEE9Xi7o8t-e8H53r@pxd-1LV-0@z`5)OLdRwvMBOed9 z>TApC(NO{8`9+7I?cmscgY!5my^1+mE6@+@vm^O1nBpfIKh4 zP@}7BR9S?!^w-JasFfpF<2%$OZX0{3k6fiuhtIs?(Hxu3W_?qV6EP8YV?b=IE0}qS zJvZs;6&XYIPp`p|h`1GE+t;)qvNSZ{?W2VKbogBXRxBmE_zc=j{Q6H2MXHNq!nGbF zmi!}n&N{y#*Z}zI(*$l0{G=|BExDac!|;yD<0Rfs-~ZAY1j}^0znE36#6h+1doGOl ztngQF-p|+-n(|q;DIZ(tfj&|Oxj9o4gHJ}<^O^0SG)_StuQ!WR=qVr&wbH(w@HTEQ z;fyVV=ykf<7b=2T)y;*GpVYI}(q|ii85u7CL}g{sOwnIsnLd3Fgl{;Oo9-6$mHJN)uC~1rN(EqHQr^;jszz}2HWJD zq)P3JVjeeq2S%*8qB&GR$(sxW4pIa@ZqFD(&iX1=B984Y^#Ay88L}1JU5d^|f zvWDJZ|IS1=L^Y!AV<*5^q-OtnS*U^gT7;0FVfg z&OM!&Lmu_lN+X=?G?pH}BG z6&ohvtiGqz@qpz=B6D31bY^nFWBV>UNX7Di*Oo9ubRX-W#q19h_?RUd*BMlPDMVKK|{wwA@m>JMHuKhliMK>2j^c`v~j0 zUq~HyL&?kqSI04l3CWQW6j*_Z;}y*1wj%FsY}IpqB458OAvR#{>j=oGFg83rm4ZNq zqp2_BtNrWeTN-8<)yn>KH&IRQ#E_PRN*YUFcusKd^0LMJZJCX&YZZvzXmwfG`v$ z+*ogi;X-29q*_6h=C0g1Yay80)?e@Jx(v*4oLT1+uD(Uo>qtEZ>(F6H1B>~tI&k9X zv|MduW4+R!o1EyVs`z-7uH{8f#OCoQ9eewVm~;2=h{siKr1(Bm`8i8|n-!*YZ22y8 z<}E-v525%6rEPunZj z@r>V?V)!~w@hx*?_X%;Y!mA$#1QPRoj~B+rTl>5Et~Tb9XmMqUnQG5LWQW5FgN=QB zpntfgjGfoTI;1Y)515R(xc@1EHLgD5N^jqM;4|Ow<`aCAym?V00eel##qTu6A414Q zu(MzLX^xctx7mwzxK>jSt2dOojX~`W~8K0TZW_7Bx zZH~D& z28digS>2nHIy}oQcpYvtz6_2pbx%6ITcb)=(I;yX=6*&zV#){e(m0t1MMYdT%Y$l% z$Hgw%8tJ5p*bZIB6z;uiLk%-Go}7tXnH_$Yt-Y2S(yyP~CWk{>K+Jt}i{u#@PKaCM zyrUu3t#P+3<3fT{DtBV0I9~f+m1w+0Ur6C@i==1f(JmZ(`r~aG4$@;bM??KKUlZ(LTavcA}Xo>)bOGHcvzp>GWYWGkwXQD z9eH`IPT}7ZN|dXix)=D35Y8tuMoz1aM4OF?e;df~3UN#UY5OIPlq)=>;Zi zEx`JpiXZ@+QUeve<6KAVA~<+s^lx*5C>XlneR0LFt< z`qH#;!Avi;!pZUm^}QO5(r@L+De28eVlzciS7BAwyZu!ey-fsTcCWmI6hqsP-vC?ZP3#2`;2w;>{9e13+GnqKwq zYVS=&*WcZ|kN);ePgk($cZWx_`11b!^V@H>*=MI%EtWm&5azPhCF?B5#hrkN7=*`dM-R<7s~?5qiIYE$~*nT~4+ky)bz@$;M>Q zWZ#DcmCNHHoB{GwJY&gkq?gB?rRo-};y#^MDQ9U<_KtJ?%6FT|hFa1nR7w6%V}g!I zwbj6%UyT_nxfo!FS@DC;Re6YlsiBx2H_P813^m_ zRNy@5X_Ge6FaP4BJsD&CyO&lOgRjEn0bEjjnHrn+W(RhvnA9ySz$1APt((~eB19|<3@97>bTxLV)@C!4IFI;+|i?prhB z`ggi(#BwLbnQc?Vy44eidO9g#y?vgzEfe{Oc`wdoh^JCA=FjBfc0@OaT6?A^C*=xF z886R7KGd^Gp=Fj_y&3WUDv3)#wCgdZ{9N{jXP+a0_IW0r(0v?Fej4LVGjNch(DI!* zL4cATH)x(fy)!P3{FG*)ZzB+{wEyQC?N5G|$jF5K_1&EV9g5e19gt4wyqoKVcj)pF zy0<4Qv&-eWHy@(gyFBKK*PH#tRGT<2HWwnxZS$4bE1^GV;$VS;M6brkzD?Fh|GLMJ z6y5d?A5mDs5N=1h^kOui=x8aM5%R+OBIzZl8(P5_@AkJe5+x)&Q!Q>^6hMRl`q&I= zgR=>$Fqe{wFkic`H!&u1yLNszgdyos7|HW+tt_l|LJ$IVP=dM>Cghk2-+oF7iWut? znWdu#9Tud+0`+u`_W1`D*fk&7EDpe;U!C0%RLDyjNWDk+v>I>_s^zgAEy(Lj$`>Rf zGoZlG*E`&D|FKc=KDK9MIV<+{>saeqDSGLu=t>JRSQ0RkpT8378GI7`q~BxP9a>!f z`ECvV@|%&t#kmJW8ON%9UGj3_(}Ng?aer^VK7#q9)1lJXbs!Eg>f~$(;yXA1$dX4H z&w~em(>IHGE^b`BEpBgFXj^{&?i?O2iY3kYD=!nn!`46#k-_{p*#DI-u5gqf&UQIL zXVX+(#y_o*&r#$ff&HclArf^0UJ3sfsiEbO4)raUtM*LOQNjYRk-HLTG1@cN zX`NrhA*fg;aKl`6k5T#YU7LU$W5y zCMD(>9cu^Do(b>r^6nYdqF4~WVM>xSLUKnsqmlUs3Cza^1ZMn;ftnO@a^rd~by$I~oQ%wrOccC5x#^h|P1)k)Uz;{R z_=*xO7B(r-aJz18LAalinW{MiG2OznLY)&vOU=D=>ieg-N7#?Ko1E`3H?0K?Hy_wE zgwQT3xvDMwyHNOa!^gOa9UqSrBh#a8z#LD-NU`tCy8V&}<*--0TX-*mb+ zMq}v&1{r?q!b<=Pm(rC*>0QS{61OGc=WOVA3KQ zgl*NQo2VG)S+9eo#fSQ6@AR(_c}b)}0~+?^W@qfiWOA?r?T9!jEb;pF=UMfE7(Mh4Digw1vo?qIt0^U8KLyxmKM9dB}{;_xe zUI_il2|r`Sf4JCe2pW@A2EPQlC^l&{Ww`lM9X{_UK(;b8BEL&Q0#7Qlz{={6V$y(S4#&BQ(ynxNv8{* z3}r~BLJ_slZFYMuQI5Tpff)&qQqk$R0Mz7DJRk7zIf`?n2=uO>Cb8MV0%f0H0Cbe0 zz9%HQ@bG2dz6qpbrhIzGh2hX7R944)(k4)DL52Tm5^mnX%r@|E7H0^aG( z=#aN`^xLL+fA#&~G$_V#XO<-SDGB>vH2d2Zx-Re#=@=A%(?tZ((aS3=EQSGY{U|8? z!TDx!w0hX%!DtSwQ_3){14G)1S`G_sb}ZdjE>Ioxi?MFLH-~&{M;5unu4HVy_gjzK zyj)dG<1>NI1YT)@cPjWQ?~s5~uQ}rMb8--K4}L2elKKK8j%=408Dk$iVOA`9rB8P!$~O$g z7d0&(?`nM0dJO>YN5y|PI=?nbsA2+AvnwUR!`;tMIpEpn>!{%M!$Bjd5w z_)J$a4*K-QPa%+!o1#~5M<8DIPj_U%=**PGa&NYA&orO|wPY`Xo&=&e35_ggjEO_u z)TFWV0cri4pbMA&OhnMYGZz5xrG$p?5Q>v4j}!L8+XR zPoW?@kk1Bpgq}8M>Ox*W3;}!+qNA1b3aksBQlMs8H9C7~$SK~UWSkbUwk~1l#jf@y z%53n$yoWAPFHhiw2t&H{njhN|`V7GPl%R=1646s;5CeG{Suim!Uvh_tXYdB5snR1l z@p1*GNtg2Cn$qg^t1W3=F2qxk>Fez!?03f(Ds=QaF3$gZ)l;R=3t#p)(UDhYj9XbI zALG#`E2B|_gDtu6H7XNe6YK$cYKk;bQI%ASbXYBsX<|ASF$oD#A&@DNAVjvR=d0P97xJF+bH-5Z zHay%Il~rod9jYiTIl7V(d1Ec{?DC=qy+Psc;Zl@wUku|h5FeH3Khf3h$8v?~6#tnJ< zvGvqawlI;55;e_7KiLnr0!_l$MsOZ&+b zQOX%rZ~gl*?&OE1;-O2Jw-gmR`+vB}?kg*+J_6pIlZ`_GRt)j85?VMK?qqQM?%rgb zvs|paM@@eD59K&zvP9-Yd>?whj z9M>_epcv7&34prVP)%3NQ?9S7icR{ojK)MPzy~^Ne%D(;O|$Ckz?1-AimItoS`5oU zv}3;>vx0n7)YA~jAwG|DQ%AwFppdUEtGE`p*dWpGHh^&{NOH(Z#}I3Bv0|^Z;nZ|) z`-tbw0!z3$_PYy@rL|GhyLrOfu9%iuO}B?N$5}~`AypqC=^aK}b#k|kSJR;fCX5X^ zN0X5c8RZi-9lwgCWmnwq7Sb>&eQkEunrbKMQ1qKfVWg$d>;VA=RpN%T)wx0g4@(EH zH>x8DD*ef^r*Il!S|AJm+ux6TbjFGyUfX^;-ZZ}T+jQkJo2+s_ne5nRoS?Z80<6o~ zQn(r|1?6ue>}0VN&MgKn?;J12rc?$P>GR`N zt>Zd!7~^MepC-OvH4pzK9$3&_P@!Jn1!kooXB&R=H74z%*j9_*xj;Q*XB$WGR@Pv& zhaP*J3<^Kz$P6_dmMn$UU4BwYm%CxJK{Yx0PKEOBrlfmyRIl7EVNMkSmPQ{kiK_4o zcC)$+)^~3y^og@*lH?(oKI7s-F+;68-Lg{eqr|$iMH^+1njX@G-r81F0N$em7)ahC z`mR;bqq6J4!;Ep{1kL8#SsYlBkS={UHYcY~F6-1)E;gLUvr}Rvj$4*V^?0$-(EDpM z0qhwOeK(M0rj=`@P{T(Qrp-Jyqs?661WOymYivcG>qhf|VZmliRJBDEw943V!%m7M zAc%84)xPoVo$(C$1@rd6aBX7ed*9llBD83(U@BIsO%LihKMmH?U*x?tbp0{WzHz=i*!UlM$=76PJz$Zd1lx%1VgJ) zRed=3iZ-T?{Y}%srh)Gm+V^G-y|N7lh3X*Rz__5z3B10^_JuJ0pf4^#xsIfx+0;>e z_!BF#lu=MF=ZPktx$<2tOZp2Al12%%!dI`NVv`~4Q1>4-g`1(H4ZvtkW|&WkYfUwp z*!3x__r<|`Y~jNKw@MHnnvjngz0bD%_jZ$B+oAo0rn5t$LQDlE>g33eChN-)K8}w4kQ{*VzK0ddnpjyVlLA*p3&WI&X1giLZ z2IXp`_3?P%!B2e;0ZnO%n0D-;ctN@H)RXNOzw{XKBpsAPq55ueAMov&X=~yKjH)dx zO8X6Kpqt%zKh9AG0MH!b3iWDSZoS%aS5u*X`&6WU-prmbKQmh|Ef*c2*mQT8GV@Fx z8m4{qlOh?GS6O+sIph${eri3^EEr z%S1IU2~x}HcdES&kZ=cX4&K1$QzVq4y1io5!Nh$+qTk9Voo^%GigWpdFv=a)(rt}0 zcmip1tt$bHi=Mdae{{ZfV-G&_c2kdc9onuE#t-ZwZ--*Bd`_eLrI^YrK#vMh|yO1jk(pMQNKVEsq? z=8xpH=rv-nb28Q`S9Uo|=wlIis8ygH3N7d=Z2xbucD_(KIYqd)w7SVOjSz_FB8MgZ*% zr4Y0lkiQNibYW?nQebAkqiN?YLF;({8v%9 zucC5Fx)A_5%x;84aP9AoUJ$>At^UHH*kCnF4Eqia;zq7$qGK2to4iu43(F8t<+|5e zFp=LV(?^rPO1%=Rj2K;N3RRgA#OIt=BT;PB{xc>fLEuonuE-E(hiv)ZsvZHu5bBe%?c2!z-iGspY z_1=g4Rq)CSZRfBOq!?7?=-~{Z2w!HV%O+cy~d63g3RB z+DD1NWluPy1i81de{tDaZnQG@s~yWuIC-&syz@d6SUvT_c)!jk)z&tCV=DC?@)pkf zWY&Pvx1>1T$SN->LL)vw6%N?sY0DT&7n0u`?e!IM*H^4K7HjMt6x+EckLe>7>r$kz zAf}T(^6ya?5N70e#>WxUx&--pX$aGGudWmrR2$>ICHPob$(w#LA_X?^V!9}eXA=oW zO<8I69~=IZ=IwOXKW;0OpXFa_xNs)yn3H^Rddc!8{rJnx04tPZKtlLM&($^2!U}Zx zdw8yVAMjguDwAl(7TxMCQ5MuMM|BS5GU!xqf;)gQ=k_ad|~u99-3I zfyX3HKCgtU_w2r|_so3fM-$GHiX<##;2M-i2fqM%8R^2L2g|FRTkHybtHzRZW1J|# zQ70}pJTS5ZLMI-71-0p=1-}?If1iE;#5Zj@G+6kd#sL1U(?e+}Oj6MF;xA_~S4QDmC0j)+%J(pHBkDU%U z?2-&|P8cRaY??0t+$g4M)dl4SS)yIjuj}H(h#s;}eC`o4k$U-)N)R`l9u?3cdED+g zKS{EhG_K!3v|c^=5rn7$VznD&m*N}#VEW3ia7`P?Q_$M-IH&(rDMh!YrFcFa!YwV(|_f`gKijY57hKcE7c!rSjS?- z4R^na@ExgaLq&07PMPh#&`CS^Us|;3vWQ)rE!m$?#tqTXZ(r~42v;o@sSJo-y_Df^ zv_0NzJbg!Kwul7#7@Fecdb6k>`PRN_(*Me2IBkN!9-pHXDz-yXK)Ab-pPv$X=eBEa zvR+MlakSPlB5ue`#yiAd$$J|8?qUwnPspdvdo&I)NW!j)<+htUW?&OM))qwKe78zUV<~Ydkkhcndn)zk$!x$f|-wE+A zdwH-`LF&{&nS-t0T2n$;Cs^$sb?^YZc^u@Mm8&3_p=6$9`sk*wQ%avwZ9F8i6#O*X44V1pgy3cK z3fiC4;NdNBVNuBM7)BjhHvS+22SW}7s0b2~v)@32uRWMJ#Uab@cS(Y9=A;9@dFyZDdFLKy!Vk6j37%*`t>Zn(I_gElW4;#hxuQjDijxk_T#ghddx2!!}KzlHvf zvs$2$zM@M@WNH}bs50W&Hu3u(2NVIb20_CG2GFDhbSVM;dbKnQ7p1*Tn}89(B>^q5 zMrA!4+I4jPF?jK@;>Q;UNB-E7>gK$=h$5T&$67_%I}pk3L=H-q$|6SZoeMi9mmT2*% zN3*Fm#rS-+)6$2nMvi3w1GAy6-(Qv1CURGGo0CMXsLfz(4=j;QEPNOR1Vt)I%Gr zqW&d6N1pyeewJwZ%mD~cswyE;VC56D;Qj{(w1QByMo{F{h9^HzP;2(e^kFHj?%q!Q z$hP&VeG)ss`;n~|Z1b-v*r@Dbp?yVNN|MUq86}r!NF|!Yx7vs#QLOK!Db#@GfV79Q zijw7fSo-7>)V9(|7LgB6>gTVJyA-(kZst9d|Gi|ywvpGX&YJP(%UHBHmmmUJfVwpv z7Y68f`(?g(O|;ella`ckNy|IoLCxfzaMASHa}fwoql@S_&_pMaR3o8&{j2AZikMBTOhq9!ZS!fSE=)IJ~MdSBnDb~_dr z3duwOQqYi$(oTM0o!qlThz&k?;1y%6<6f{wwNPm1K?!RjpfX;KeR_Vm{HGDW{fLE+t!n z7AaSxP2mZO0=Z+2i$wOvJ7RvE?U~w;hI>}3QgKDCD%CjPCDFNA&w4nmxBn^Hzj5US zvG2N_Au>&;Ehpe?PJrLUjdB2%;WCu$7W3QRK_`Z0%v0ucyL(*F^dF>#moD39k%oOG zkIgdL(yl$NtqfLmxb-6nQ)IC_NB&uMF-extc*n&2K4TqJ6Y5DAu7~OyL$TmEEiGD_ zm*)AvX+a`V?*VWm05P9KRbbpeW4A(*&hoYVtzBZ;3=X247i%@^_Sc6t&V(qDSa}KzJwEy|O(ELcOfqKV8jM znCnUkiwR--`KAAu-@|7!XSvT{N;c_lm&Q|9!rlVwvf4P8otQmnKo=Y8S`D;T-MG8MamdRTO~c=G$XWX`_tP_NgDBlUI7UzmB`Juch9N!t1o} zphpa6j4+6TQTb zhZVpoy(q1*pzkb}xO|pc0|!wIL%fvKG;@BDtzT^3*N}d`INIQ_v}g2t zF>QsG9ed1YTUPXo-@#yn$(IX8K#_4fme1-%`i+-H7_!Kkjc0ZDr}M(M z)}$^2&F0J3z)#76WBx#NtMv{eWm0m;Tg|51ywKRY;4+W-dp171&9=wfF}duJzG~R* z$cgfMClnoK0@DPSeJ5fLw&`a}sbixM&8H^o?e0fw-~;WpNH_VD+mj5L(@VUUv^OFz z35xF%k!koSa3w##X98ZwL^r!94;nGMI$Ul4j&DFu#R;N-)c$v!@K>D!0%D&qX}A03 z$pz5?kaCeT&tVW*ncO!fl)xIJ+WpRSUWy$!F~EAkr;FK}qdn|3Ncv}2&+U0Ph||l8 z-+ixM2y{ThFkbk&e$U0N1_FH`J4;FhUGB;8 zu~Dk5X&TmH>&JKEYb}Y5XN6AkNQ}cvF%RR4k|U}kMN;o= zXC~d$qdO=~L-)93gKVd}cwc%4I;JE_O+Rb%J_cW~O)AyH-#en6HJyVKn_5&Y>7@x> zSi=W47tnvv(r@SITaznL19C7ZV%$L*81E;QYDFjv!4{#`d=21zQN#nN)t&xkmbR3> ze8^DP)MzmxojLmMmr{32M^ge(^)fuh0dy)r-8gpj8=fAcGJJb=8`HXaLcC?EY6UgT z>5Q_%&{(c2a$Z_SGH$Oq$bC%Ggh>nxC0O)>-PlG_Gb+rV9EV(_)* zyw8*?DfnG+61kkt*{A*ALW*S!$Un@~g(q*MV9gV&9gwgwXbrTJglTljY`QmlkLkNebMyHJ z+rD7k$=;lE)gvX(tiocZG>z4jhNr5sk5*%|F@$HZfG5!e5e-;ScO?bNn^r;|ccXzD zlj~RLNz@Tv7?<3O(sL3aN|6yU`$q;SfHo=mNQNGC+3U!}+~#r^n=(q*N>6P<+mjg; zLHd2vxt|`IGW&GyKQTQ0nYHyD0zm2eWalVP9r5Ev!PH5yVat_LW{(RH!0Hr`%$1y@ zR#ufP`p^`W3IoSO-w(cPFTS=euvv+c+kQ`7)X@_j0!GSsH9DKh3IOZ?gZ7%_SQ08S zZFPkh`IqZaEV9~-`+qDJs+BWke1>>5E%G-*tG6^6%#X_kC=7AH&MYlE>7DU)-}Tj0 zV?+=X`?^`{!E}S0lM+`F2l+!OCU^wd&5&;4#40^b&b5_8X1qOmN>0LK~M~^)wyoP2y4qt*LSvmD3A_-Y3&=%5YeBB96u|d ztu$Lpfyk9#w$7Pmy3T1Nq3sj7ueB$G^Hoe($7g!z^FlDRVP8j*r~7+SxN;?$~6i%_#~ z;`BgyyKsJ4ze9nQbG2by{ecW!1Tx%vGzT1Kr;?D2NLvRs24C&lNxV~L-F=@5bG*>? z-(Qj8iTONuX((;F7Ulb;o!#Gsh|(B~`^e%G36Wz-f-U_0T2G0ueg((@G97~0%aOes zFCs3?kNr9_SWGV8tp8J;`#^b*gN48uMA_q&i&*L6{klxQib4=y1Y!NlxoCc@jAx80 z_j`}@|G0b0s5-i?Td)WO2n0w7lHgA8;O_1o9D=*ML$Kf$Jh;2N2ZFo1ySqzQo+o+V zuY2_Eaqr(AQvR)wPmfj=bAG>l$m}aYkZeT)Z_j=%&mD!=fMO6#EQO3I$Y=| zk0d-`v8{g~9$5c9nh&8tJ2&TcHXRKdM!&;<*smj_a!NuV(SkR(Uysft0#{P$j#?2XMVV)^V~8Ou_#6NCT>r#6n(7q zOWB?B6@hfn*ITvl$e|UsuL_;7Tw5qxTewEfU(Pi7Vz`u1J|E=vhuuJJ6JnN9YrJ?Xv-PBm3!qQ z^pu1{8r2WVA&j)SMY;3ez{!Vhp`sP$TU9eomQi|GcFHBlJSZAC>C+oa+)bM>o~PQ$ zI?E^ZfJN8}aLe1ppif; zziE}0U_E@VDoBvd&)WRO{YNAP?y)jAT9f9W1ou{*u?`4*|Nt9*eXr-);Pw?q90Z z+Kxxx=;Lb4CKfLBwH4Kul-t0{`Fg-UufE5U(JvtgdO+Aj=J>1doOeuyoiB>?v5)xq z)O+B9+oS#dH1WxK^~y}*dwYEL+w&UESe)T#v93865YqT1nq}jy zd`C>yvk?U69p8~fztbuskElO!M&U>E=c%@`tVsq#t+|>co+!S+Qu!K`n1Ly2A95!6 z)i)?=P96kF{uGUFZp9IUMWb41i!#XHvf|(Z9_9!3{=~oRy;~ zI&Bh^2@2nQvw`ntn4AU8b0nZ2UB6ko#Q@#wj)dqYc3pVlq+jtgVQvq;DE~Yr{2PCSlYDea zXatW6KzOgwHitoGI*^_s$%*NJ%zsnX<2Z={^7-fu`!$Aq4|3ObZK) zv*m70&(V$n#k=i?wx=Cu2@`{((EC+zyW14&A#$8~NW)dxzBgTd8l>kIrss?m>Y9?W z2MZ5t6))Kc;GyUm``^8?>M^|o%NNzjV-OB8>8zcG13O$DjHi)-C^>qXMJE)j5wj^@ z?}mm%VQH=Vknf&5yv$_-f8er{SDR{3EHexkaYE90AM2x{O$I>wz9l9VV@spi_8wKA zb}$vgl>JfLx2W{tIIl5aSd;0}24s8&G#qtC+C+)rK-P}2X2ypJKYK0bl&-4~_JK49jLg^`T+B|fH7nOZ5Go_bqB zs!XSCZ3FJs3?mfKIovm-SWqnrc1;p1!HZ+58Ca~U?z8g!MEl5AstJyrPohUXqNj(;-)NPncCvK$-PRdh?N$QKk78Y&?~ ze@t{8!kX?Ln~))ilg6Bkmdado#N^cw0V$OALL3z10u#xBE)ACd%U!>E*3iaYwH?6L0 zGj2OX8t6?POhz(_^>USgR~@bow3cR-LKYyadKKPxLYOaInLN(>MIX6SYUCLb#!AGu zY}6MAn13edJL>P}g2;gvttOqP_K;XmJeIaF@50D|_&?-o>)nvYURq*g*_^aBD-*M_ za(h?)LTL;?6d+4(cDzTqVA4Mz8X;QL6YDAH?js|ol1AwM{#pgu|C)$mAakw<9tGnxGov=tDG}D$NjvzVr;Y5wfa9A;B!(6kJM1L;@ z#t0RUmhgCcS5a}Pqmy0JnF{t~R&wfaMgk$_V2DVR(cU3JOrOnpa9+4ulFPvR=~lsa z;nCX`Adr8}AGUMG(lSf8ixURDX$=p;0IVd@(fdTYn|3(O_t9 zVF#w7nDDwJ(fDx`W0hy)m1kO=BxLXMozA}*ndON$gVfvf7AX~HMg)i*yTtrRP=_98 z;uF4=%V$k_8pBOw`gf0{tL1&QOqPirS%#YsZGE8uAOqgCU>iL~HNNcBCGRk#o9M*p z!60#p(1vdeF2B?yOonvtMDgxa*p8%vhEPve$M16iFJ;Q! zAqpsf3SshV#ux|z(d)XSQmc`~X*FIC@F?|<4dj{1zyqKWg^X5Xxv)=|_h251fKDLY z5Z@Gw_eWXA6HvA1jFOz1C@nu$NZ;rC+Sr->d>G7)%k5p=hdtx%4OB9vpspy-icPGy)^NK1}f^qyKPId4LAz;XmMs7W8=L2 zedEn7)Rb^Zm-kmcr^XJR);}U9WfvC9%J*@rz#~Qq_`m!+jXb^y)SnpdtHt$S--l)? z*~)UDEw>+?nAENyTn;H66hmq5=XR1k$-WbY4zs-=gFxJv+4-b>XnaDI3 z$7OaJ_tNRA7)1K1d3BW4dVcZ}*g@MUEX=krDa!5Jl-Xx6-m$x#lBcjGG_}pljVwia zaJBE6;kug2sXh?VQaZQSQ8nXBjBE+>ZxD;Sq5{E^>0=h0jp>=bg^!%{$9u`2@+GDw z`d79!${YK6N`W9V`R0?Pu$nD(T=n(L<`K4=AK&Q^A-b|em!+=D z`Y!-rz`!roZipt)q*kf-Gb~+*6UheE_8?tqGRKXMsIQDw>T_w9Vnnh*bkfHaX4(#a z)TmQ>>MMVkZ70FMJ*A~^8|7x$An0-LF9f1@(tnJq$C__iJIc(Rnruf%=mlNSi)4i!T5K zv%!FCgf5EJL1!Xfl0tkw-m8P1>0*8gF0H(rKE;&lp+k56xtcd8egy>!;aMSnCWoEY zc*ZqT!WJRD?Da)?#bu^3CMYjEkA&Qur(Zu%OjcRct|ebZIusN6AgKOw)e=i`StLGtl#2~X(wu3Hy(#85y(aI9HVN)+a5GYOo0IuTvluUnNJau(3 z#D7gzLM)#l&za{^tAm8XB0OnH1(Vy&(sGK`akOORW) z^ecz>cVEFhmx-1p{)n2Kxd2c?3J*3<97Hk{>dZiR0z?vtZc*7xBcV<~d4hkhi0|71 zqm>;T^iqj4=9$Utt=i`qzG){R$YVQ?`p|-|u+AMek~8A&5yGs=Fn)BB!R5Bi3MUS2 z9&s8{S9p$PZaC^BP5g)n*TnepKPLpY#q-#4u{#PN!ff*OG!|^(OI);U0|H*o9)?g# zvJ^0%k8vgT#9{d)$Lt2x6T%1g-@J&7^k!n@fxeTCfND1w^IdaEBJdr|iiGn15d7!y zc|n9Vz|+qC<0GJTBkE>SLn0PG8enb(SlK41>CH`VWp=fz9NDgn9+ zgM`X2-G49n0)$U)ccV5&4Y2=57LA)q{_8(k^gnssSI2-2yj>`!&c8lZP|GZBytH2m z?dYrb{Re6Pv;kOu$Nk$V?mz$jCPnP1MTuq4vev`-ttB1O(zN0osC3pYtk=H1qFftY zH&o8}=jawDzZW*PC|W5ZyxvV&3bGxNbQ>EVfwVG__VwxW(0#+)grv+j!Rc3!(EpGO zz>+Z3%x)=1JM*LQqUK7qU}yNJ?;=FYUs^kaB@d@;cRGZ%C)99Kwc6J`O$b0|NXFW$ zfxe+zk2Bl8s%7D@l%P$x-_4iT@`H_-)l*81`0E?&8-CfK>e=B@yZbZv1d1~@j%j4R^3&BH}*Z(jlz8Vaw*qok) zUL8I>E3-}a&DlJAk0=&0yZJmK9xP|_2k?-R!t9xcr*t&f;eN~gH*ajt)#g{#%PQK7 z`X-{nPa~%k{;)316nrTd*xej^z1MMKCUVcTyx9g}Y~YVIO!n~2CxpOv#no~;x9<5Q zFt%oEc|Z0Y)avo^{&>-2aU;@JdsS)kz9uKz_1>t;EmLcnjJ!DZFzi3sluLL$D@b$v z04Fd10%SOd7>xB*5kVetFcN#--XQ#GtKXULH+v zNOX6%;o~~?lRyyDvwFMt-F za`QqWDoL=K@#?4pPc));W#EITp0BzF_S_9U2M0OQUwxD;1AD2*Z8B zFf1x+Y$bwgopktf$vc+^yZenlP2Fs|6@ubHB&1hBgM;qQE;2UXjt?|_zJP^#+%3!qiNqHJy}neA zNLdX7ICvEK9J)q3{U03oqT(@-JPO|*wj@=STS7*4KhS9P!Na3~Wp*7y*vN#0HbZ7P zjqLTVxypD>u1l!OhBVzyMy$aP6d5Ng4QVKR(1rP>Tf?Ny4mR7j;r&D6?ZA%>g#(}w%)(Py*uR|A zMMcR0BI5l{CnviRtM6zu>U-b80(gXk6eLVil(8Ti6!bj@qgy#i4Mjna=Vxbd1e_k($}Lk%fQa~bI?zCt z-4VC?)Rb3ugxP$F(Y%Y#B)Y09L^!;||8-K29&JeIYw*OFOm4{G!!TZTby@BFr0NYe z<5P1{zYL^*aFCKRqxYl!Gk3UEYm&cxTj76v^|5zIwya(tnuGyWF+&oQO$&JW(#DmY zj#yOlbIzBFZ_r_SCIuW6;udBCbP1NAX*$6L0xTz_oV?FXNT$h{uYsNf3(LsBpeQNn z*uoF6XPFlThDbP92V`aPk9_crMN7}ss%NL6Neo3WHWF}h8Ka{|0ZtesmI|5q<)h1L zNZi#%e-i2eZ>|(DkojuM@a*k-m)ze^z-HF7!bK{Na(yew5MwYG8y_c)j#_f?2y`a1 zwN9_Ek2En6s6D#4ajNG5W@l~GFy)rLJ~84SU>j|s+MvNNEE*4|^g`fKOXZYG@9pXQ z=HqoFGU~3S_HT)9j$L|MUS95V7%W&4|H_^a?tfA?HPNxVnrM&lq^@&cuL5V{xl1*O zH1W7Epgs34G_bL?$&CPiZ9Xd?taLw6-@p2n25sQp{Jd+j(eZ)PaO(TbP1ZSj$7q!M_-2Y1tg~wzm)p!9u-=7NE@2^JDc;I^i?j`w$QJ zhRIX$NxKa&BJC=6#b&Qkt8_Wt^8D=VQm3jMe|fO<3SjzQ+p!aW{6Di}r&RcNp6GA$ z`cjEU$R8P9j3@fZrItp>qJ{%sv&G8WX!XTth95yXEF3(lgM*%26al`bg`x1=Y~<n6mj;2CrFZ-VSFX*X-bE|D;^L@K5PN$u@S!0+MU*cAy=|{@ z>&?i*!gmEGP~dp&4}HD70s008~80ISQp;yiR3 zh_t4r7eI=?;KlKDCS5$8ZAQAchelZ6WIgY?P|7t9M_9OYlt?!C4GlJ!{oUOu{dv`} zg@u9dg+B*-2c!EpLAep`Rvuxc098_svzLI`a!aa<+W(>LIu#oEKfzYsvnKh)H`ouM z&8^Ei4yq z=UT&pNUOUfA-9J}br#PX0Q5BXRnB@7>}_Hor&=&FMg;K4LyGlp_=B3R5n|qKQuYWL zRTt)R*_&UKiH|bVZ-;XAv*8e^_!Rvhc)go-X>R6mz8g$wK zWW(Q+YMz*wSSkmCw5aI1)eJtqxirqQsk!;-nxKS>&}U;&*6OeZe~e4?HzOuJD_jg1 z8uI*$%cYyqxvRIgFVU$rlvZsZAwgLIW0eoU&hD<$+8}IKyZISUuh%s`cSD}QN?*ul7my- z|MihBXwtsfs-QoN&B&+-M2LcWi0kLdSZKFfTJJ)IbjwwgOa6^j`Mi8Wf}#Y4`Z&1a zPdhum5A?}xY<&dqxV6f)eUwQc85#LXyk?Z^V^H(cd13v6z~1jC7#iMocPH?sepl`25)t5{rpRPr&y_w-V46jBW!RJu*cgl^T_ph`ioSn=7I3 z?A$sil-hN{4?`T^5~(!OG@D1hYM44@ zY|}T7mw+b1Vn`?gaqZ{CP-+lf@TC46fKbl*iKzVz?##^-+z zgCxdc_LWA)?znwqlGxT3)zTucHFG~tlajitJ(v<=Q50~v4yBpY?O8Qp-7`z@Y z$2siw0bUa*e#KO$eze%Xlh7wum@A7EM#tX4q-$z0g43aOS7W+29hBS4WUb5vwfJ>O zhc%kqe17R5V$8TM9pq04gG!M6GArqsq!)JfNzCW6{^E#7^BlHUQJbD6;F|FH^H$Q6 zim{%NOk9U@lhxEk0z8dY%k7>b7U~M%)eh-uzSt6n_bm*2ZnEOA@A)ycxe+mZ%?J{B zN)bP@v37LKcms=H*Vu>}RF%!AW<+N0Etl>#68pk$?dYf-nZp;>8e+{N?#KRh_fP8u z4ZabA*z&_~)M=TfPan^eMKu)=ITLo;_+6PL)0y();lx zu7YD@bS@L8@@lWQ__`GQNwXq066G8+}L~KHS(nujIPh%bbJYw&FAkpGd^H# z9>~p)PR2S+3cQcP!ahhLW7MUFsr!LGJn0|G4qp037)jgt^Bt>F&n6Jzc$bCPs0SDPsl)$0<(gc*j;j# zf=w^zMv!LB?~_{D5s@!~j@ ziz|hOR+3#UNxu7Pp~?Qf-G_iMOg61GwYHWWjq%Sn!19wfE`kdSKNc5$tZq6EWZDNE zjgU1!#(w(ufMaB=j6dv1@QwfP%9ww@@xOc2#g9Dj(JTMgCEKM?w&U?f8Oj@%x9^Ds z{%siiHhi$=?=K4F_4{uBT;+dy`1<~)ZT!C;^?$qL|GlF|Y}0h!;$77AQ{}bs{Q=1! zuE0{czZZCM&<>hCBRSX4e8K;-b-eO;q!Gpms&f4~2#Q7EZ(#%Y-v82+_;;1ie}2&a z<0vP5x_Z9i&${-1Q1v%_$E17xVtE-kt1Ag=ou(ykDSEoeW~Pas9HxBM3SRlJNA?nV zi&Q*Xxy6Zi;yStxe(t6w!mw3Np1;MEfB_DQBmyqX#3>I@Rxx)Dp@2#I(0i%Hc$Tbp z)88gXK5}5k$#tX4kZpY7j&m^QD3|*~vH1NoyMy1emk~xwi4Rk>IFNQP_OcBuQxTT3 z)TS+T4^lH0M)Yet*UwhdVKYS|0(xibTqMjWeDOmE3zwlY1vQT z{;8r5Yuh$#)cXDD{hHJ@_#P!3#kGI$86RrKXPuR0F20dXc}_WAZy9t+K>c0%_|S}1 zxQ{{jVo|hszXbw7%jx>O#X(_<6D&GS$)H2a=If#%+5?&!B>Ke~bm_u4guq==7ZxnL z?zwPkeT(^Tn?SQ@`oq#WQpLZe24^Rf zU)gv{3#ZWD3)z$yh#GjjYL(qN-esw?|xz%EuRv}$x+_p3`s zafwD4q;+fv!_pj!1;$eRy0owY1L7PJSdmk66;2;G68d7*ra+f4}wHPPkOe=jn@3%|?qiNo@ zE;v3J5}{aznfZ38(&X}e2_oBT|Je-rW#d%PMFPP@1a;hj1-dt1w6#a<_HC=Qr9}Ha%w5U?zrG$+r<*XbZ$xZ1biY6aWq-K&UBPr_*p%iq z+&+iy)WTf@G;m`(=|T!pzm;3H8?Q*fueCm08Cr`bBq?=#=8~n7%SExG?+Fv4QH-PPc-H*tDA# zswBXIn8;WQ^wkdi59NCAWtRQS(m7xISFgi9uzPIH&h#hR;c$G!VAuZ4V@3MRG}<8~ z)g1l3AouT#ytDXIdIok3I=70gMStiPtuNmzU5#v)!@l`FLWjtb$8@r3 zdPEA`CF;Hk-Qlvo%PmJ=`-b`&C(Iz-l4l~XeEeCZwYZ*O?>#*aSa}Y=xq|*a`&>hu zAkw5I@a>akC2a!;NHC2?%DSUb-D=pP3}U13{bM(eiF2HKeYm!Q_k3=M=pO(*c<)e7 z^1y9za1!0^_|CJ7!=jao^CL=M?|6AmA7l=1(Kil{N|i0rH1XH_o^V zwZ^NpTI!7{Wmcz_bNAS6b;rHyjnAs}C_wB3%kjqPqC82swOtt|tJ_FQv+&+N2Kc%< zVyAN$_@stuT10Ze^(II_t>zG4lXO8!swq0-v7}vIf;=Xf)z!N_4VTqHh_w3H^Co6_ zX5tJ7q2zpe`T42FO>sLOG3n{i_FzYw-4XkD=P1JV9oe_DTFwDIEy`h z(2%FwstY|}0B}dP{bIOeS?s~!DR+O08pdn5Rar(}9v(oAQPk}k&dbkNx$3|6e7>ac z<4a-KTrWD{kd&LRJs!VMQNABWOKx5k6>E0hM?7_z4|9L9`ficHt_Axo{5W03wB>^K ziL%47^7W&m)`)QxlHm}iCo_XU|&iua0VL=jQ_730W+*SS~S(GaT1g z$-uU&vGsoB+i{1r0#(*>${fp7Doqk(KI+loa5eYL^%0CL3s>eO)EnpS^vE0Pa6j8Y z13x%WO$RpZ_K_u<`ZwPjmr8uv`XKBZAmAH-#bv{$wVw+Ol$Ct~Gbhp<1RHDX3A6iC zVcY|5C$s*mW+LP~g@Rf7+%MSa*S>F)nvM65cE?HHm(Q9$&34l2n0gj6IR$Cd*=3iD ze)3$(ZGHM@SZ4YpPjw85v_715m$p)xX@^5k&z3oFf76EaRKH;a?2f0%2nc+aXTDYY zym3h;_{k68(Ht*TYi4N5^4U?1vjhxY&zNGpChWp10Qhn=9M< zF9CIGVUpb_`otVANHPWXBlDsX|c?GU?-hv z>a()&4kxXhk!QI`lk4#6K+!^QTuB%^u}QGO7VC5sdRpBKu`@jH}_(&p=OUH`6MTH^gZOO@AUGI&^YS*=%%cgtbGm(COK z6da3lbV~Cpl28dmcm#?5o-xW%RxE67?RL3*O6KE0+<@<5n}P4jAMfmrr)ynhtwn9b zRQoqaD!zWrxNGq5aac_xjy(JctXP=1P$0qK|Bgdl-bp6Yk>tqVQ_Wu=Ejn%-%!(UI zA2QOeLU<)7+Z&0z0a)0$+=?W^agtRixAN(?*@dbpC`#WmlrbAUHc1pcbQ&6JpLW}B zi4%>5$wr>Hq>T4HxN*4dJwXch>LEKU^Bkj!!&k0$KtDBV-zT$^rKDIaHaMuZYP-Vc zD(gnCOeDakda^}BW!1dZ22r{ZE`68lgRxwtY3F5X9J)L$TUUm%u&K(KP6F$- zG)aSOZWjt7R$t&ZN9f>U-~hO6zDj{~8I#!Bv$Qw=g#Ip>6H^oB^DS`#1XQ=yOV6=X z)TMb%k477w0atIeJZSIxX$-*_IP_^VSGt%H2mDebg$-UX8tFR{gkzX!`f+x<&qc_fR3J9 zob+^cdHK_Y7q;0zi5eS|)8PqF<&EB1wsN=X7`)4>vG!!CP2Ta(j8L*y+jt z6*5S??`V+%Z>gZLSX#XQ^(#a-tgN!?4;*E~TU4%C*w}X$yE)7AI$almhC>?U6s13C z-MoErOn&xCDH4PTIJ}xgMH|GHiAtS`ynSfsqNKk)nfx z1Ca{|{1#$~B)X$UT#x3Mh=~$&BMMtVl4$#*qc<+NEbQzEm}A_GRPNvz9HWj*TC+Wa zuvuN80V%A-SHKHztBX3Ma4c@d;rn-kB;f3H-kMUma<8R2lljE9-i@HuY!IDLuM*Hx z793ZK!|jZ?{}TV=&i#}ALyEg_jm7f)E-5au_|c+kn+_d_|LEO;8=9{5!uCduMyJPL zNxVag2V;vH!5zpPDI7?^-NpXi@Uez$eA|uV9um!`-eVk*E{4tK=H2PH1YD_>_l}pD zD)LpW14geuOgKLJo450N4@rfwS$=qM5V(1$RLLDuA4zDsUCS=qL`BV&(rR*Sm7#z2 z?P;|wlU0C%oZOOx=y=Y3C3x7tWLuITvP<)uDei}sm84;amA%QN)~A-eyGvh0>^UYS zL}|wL4pDJW6>SrpF=7&OR$}wPxxsf`;S&jwoh!WfzP}YLFoS;SlxSYg*TTnM9We*> z)875=7-QJv5p0_** zxE7wS3t_R@h@HC$_}ER|x*T=eBs{cv>zYnkRD5DirFCChHf7Rj#`D#rx3s*L8pZy- z*gg6L#I;zqs1-OO~eN*bGaTWJA2^(eOda+i^jm7-yP|=u4wW{sx_4(zU zVMh&N_mF^atz`*T3eHMA7jJ&V@tmvPehnws>u@DL+=E}*DbhVjd*fm*Vp2R>2?`=a z#H*m}7$cQF%Ko+}tj&W4n$*pnq9IF5O;-}$gDd110*G0GL8PgHLC`c5_`sy{6@ogE zsk=pE~j=6$F-2qOYVuOwzY9 zh`@IV4h1f|zR`s(StxhB3@Zf=q%c`U$^Iw*#&?2rwaP27_;^-RaN|q_7ri#)GjNV~ z&fy)%y^>b@@|B1Jo-B~ZW1#a_tl~|RBLrf$K+1&=hb~o~V%3PH(Gz{y$5AyA1QXW0 zO@Soninp=<5?}aW+wb44$V_I7&`8QLFF^tZ%es2!c$C5yQ}Thl#E=EFz)SeQ$jXX) zybr&#CDPl)w3nWKqX-v>vR}o%W_$g~!p|dzIZ_mj>VeDcOR>cbay!n#ko|h}sVO6|lr>@_SAG7X>=O zfnvcp!?iG83;gGkm$49k;Gy*l{{u>WedcIOmn*y`S>}vNnY@#P+q-#b zPsViAB(lt9$+j;Fz93OgQKO-NT7#;@c=Iz+Eb%Pm?;lrIh>A2Yw?2DlyDVpc?(R)04aU=ZMsMq`=b?6N}`T9}j0;Btv@UN4=p(9EV~``V|7v=~yTSr4Jdj!~3ouDBfE$ zs#ijfM)yBXm|ypFN-w`aN!fBR7wkm!U5sW!KefNF2#o>43pHTAW4bgcH~g*7+tm%^ z)eXAinf9-9s*eIoALa62gDweo?BlQ)NxtfcNf%nfdj+2h^`^OCvg=UyqrAExoTHEU z8fbeGjhV#C59ZKAH19=;+!+4H#Z#6`I@N^7t{f%Y{-C08Ps zO-~#3oN182+Hq`AXrqHLc}#6E?9J_ccv10y*5WF|Nm3J^|3EyQUGLA?XKSxare7;f zn0iS@s%=<7x|XBV=n+$6e4c5y!_WnhiK&G3EK-XR2tXCnxe;$FWK1R+iYSfrXGKyk z?^~9mJX3iQwDjX8Y!j`Dq zcL-XKSY*eXcGSdF*UN(e0tBapJ+}|IPpVhlQ{AXc_A>{@gehb%BSo6D`_sQyEw~5h zq<)OPXxf`&OO7#gyF1UfRcgJrnUh`~6qD!!J*0;yiqYTUI3AI%!(1QhoP5zDRkW{Y z-(*NNCSpVKf&x(PajMdWv#sTS!T3y$K?_Zg19)nVX@1n-iJ$PePzo#t4DHmrmyK?a4v>+h$_9*+6TxpT2nc22Lfw@CG2bd196Zi)syXmpxZH_19Y((8|k+UvFy?2!cS!vO^icBkGv zf>Uga+)7lYzFXaM47Koo=V~v0g%rNxK#d5XZFEB6UXqmloQ~`HRw(BU@=?~Zr%Z$X zVa8m8|02wgNdS(+G57iPojY-M%!3d_jF`P`b*qa5VY1YG&HitjIMBR@?`sqHy^-1W zjujA3ci(;W*4s}I6((Hc%cq^_?yKjA^;0m}X}GTXnQ=C70Hb7?6M`{k3qF8tk4CxT z&!sn;@IYR%xpLh_YF(k@jF~~|5jIx>YabZTb4NEK{Wu)WUJN1Qzs6!ovLbCZSLOk+ z3zF!;0jCeF*OMlUfdUv4rMBj)f^dF(O{Sl=fwE(ngDq^~N*g$~DpPs`fl>%}Hi))s z?&9Kt{O9d(%RqaN2WJfx!OOeWmPU{LqwVDf%kjPA*4tA{@)#GR?c?No4;J&amACv2 z`&eeVc@g1TPglczmV7?A{@g7$27=K%7smz1D~wkwPCCg2Y6S&qNd0{!!389*0G_41 zSY|oSZh3dZh)~WfYx(6`94ySK59`&h|KgY817=>1bueIgF{x(!hYt`uD(mlTdC;aN zUwDxvJzDAKAE=BkH$NAJ*NV${ZRg>0u9qy4mFD5clI9u=-#x_bMhE<0yHOIs#059_ zoj|}kxki8c^p?9Mk)dXJbdlo0eNkBQiG++89)JrbkA0}|=EJvCYprvmvuNi;xkp9tA%S`LxD)HaoQsRH9pYRG&yc zV#O*=sJBG1*ce?$Fmd4=g*9H+P6YZ05V)WJ`aZs0QhP{eeXBJe97Mq|8oFiE;`*GB zkove#X}a-r*m~>ID3Nlj>tetKd{>-6iBm9=qb|&&CNBYibeZqbYM(sre&Tr!_paYT z@;o(XH24cW`XC^I^0bQk*CtzRvlZt~!zG8BiXSDE=k8+iHKThBc+VJ$U*vv>?yAob{N1YN-Pnq-~MK24GFlWyegOS5r7)L;fe0(rU}Iu zg9Pp_4nQ3L3YYcyQ=2t&ci))VSslbv%hB>s@(Un`L>-u^JM4*HZFX@yUfKEb_^W&U zz>EqBtDeVf?P#y;rcuSb<3+5;bL6XVSHe~51c{@`X3n^NhpO7$$>!$L@WQL5QcdZ> zo`zcU#Wm_=g1d`vbIsPqwNi(jI*YqF*Vtj3HZ#qQj)0dezbg)xwF*get(A zL#0;f4z{Z_jBx0!%W5ilOo88z(s?(dgC5OPPYy1E3D4E0UCd|Ak7mEriO#uGAI7gM zVXi_)k2o@H%ZQMTheAe$r90n7Mpk29&(A5p{xGuHYFUkze&NuMqOuRhKn(Dx38tOG zbG`IaBlD$D1#eU4|3*M80-MCh{hKfCtEmmP-VRZpUfTpf`2lVIm`c4wW4W}8{!o7E zJ-tD8_K;ppd*lgxw-SM=te(x@%L<=m@3-d`0X$Ha#hjhZaLWkT8L5%fa9@}1XYviW zDORn`HCG0b2Ia_Oj6d9hukttx6XbmN3l3GV$S}ZZ ziRYT$C<(U&PDC<_(te9U!q|})+=Oa^Vl*MpfZ{JjqjSbU^Gr~TA(#12TmYJ~=r^3M zqy#6_hgVCYOQ-7Y=F|DDZTZ{-UyM7mWyv&}-4+I@AXerc9}Fd(hrMk9yx4E&N2o8n zl8g0uWoH*Jn$iGidHE8)^c%x<2uJ3C2)yOvZAnM~WZiG>a@g@q-)c#a$bne2LSF}8 znvBTcYfOlkzP5FZCeCC`j6@6!3`vO)h_sv>E-HF%Is(vl&16bcvcIq--`2W<&?c|f z!4@K{b7Mf1-eacvbeqXL1?(MtH{S4QrM-RbpT3Vxei;Hq+j0ZeeZJC3!qrC8h0IWL z<1%Nw3o>widenhV&bg%t6*3)cAKR@`85eqZ>i$d;EJe_sRsN`@&9ANcHLGD$5ge5R zn%xs)Y|ee9dh*S?t*IteP@nIN9Z1miO}n$#g~6t?)O&j@Ft%{jY2x$ zHI$-BI)02JE>0YaD=E&JoG|rk924-BGgkK)q9<09m&bM8ol5O*xpTdBTcbJL(xect z*}kcc8hC_W$lV9DVgjz8a< zd-ZGJI)7iLIrqi**UodDtHw4gyJXfKw%Hl}+m$o|UB>1`%OY(uF!Sm4D-YkUalg{| zvmO2BClH`5iQJo$G!3+c8J_9aYE}tX8qnoUSh`%4({4eu&6&mtQVmI@AFq@L>(Lp@ zw03LYgIg#kyo-of&1nkchSIpNfc~e2r~V*G-b3L_j0bCeenP;F)$r$rHDr!^#RTz} zws7v!`}JCyOoI8Urc4?x9O-O1=-o2bn(?+_CQY z&0qP_XFM-{ersP8RYju49&3dMus9srS6X)LR1YFs!J^LGrSZkD&`-@4#|6vVZ&}T# zw^N5O=nc1ahPR%F!K>0xFh5sWIRrTHf(VlGu(nSlm2%Y_jn2)WZ{s*Af`w%M9&Qos z^v?Q+Oz;;CAo;h>)fmkkPktR4RBJ*mWxrE zn3+`t1F96vR#~20S^GPSCcJXxpOz?d%1Qf_mekuO)eQv=Lvvz|k0jnA`3i|Abu>{4 zSBs?gPW5J*=j#;a!F@2@SxVbYV;Y~>o&>G2Z!RwLz^$p zM&QlSw(m6EpLp-#Iy{i-#eerqvEzL@M!zemm$F0YK2|#svT=_68U*{yew+4yu&rX3 zfgwhS1xw%_bxjwY2^lNZrxTtjBlS5mSDNFdgjoz}6 zB8a@m1O;n0%d|d`qOT)YRNxkAavdwy3RdVkMg`V3;BTX5ORqUcVY{xN!u$#Tfq=X! zxjLU!tx6?LHcvKsYyb=%9?2Y;7V7RK0;|T>jtv$Edu-44w^8Y`?%Pxgoi^ch(ZTllu@-#1#NGZZ z`s_pi4x3hN-9~n<1X8jz)9KIui?O$k%5vTIh95ytLO{Avq*GctL}`%j?(R-Sq)WQH zTe?BIySqE3^SxMWuk)V0-*d+Ijp1Jkaz8g$%=xQ1`+u8ep}n|YN*|%_;{&ZTqoT5- zqN);q$A-O;oeX@KmL!W%PuwpJ(G1&s#$1y3>Ba*hmrY|$Ng+s2{;7_E`|d^l?fXK} zf7)mK^wYv0)o@xPDNHUpzjcrhTe_T^nsbxaVxb4ai{5Dp+*XC?A^CM||0`PIr8aWN zmPCyBBBP5_6rWQ;>D8|H3mE&m9E(+*&b{s3*}<8S0Nw8xf0EzX;>U7d=HeYuQ=>)7 z!{zs?nrItSSCit*gcr?8)6B^f&i!;cREquQt$}boeg*uDXAeBkckZRBBerjF>ZOAh za+5R4C>D+2eN@Pxvrc*Y0B@N-_Eoea|6k3Jl^;9+YW{p;YhQh21ZSvdmI@8550vS@ zfEgewVbW4Tea!EeP;%Q=7yM0Z#9b-=gZ*EzF0FIe%c-%~uj%E^uR7Iu>sv ze@{-2)htbcF0z=8STONLL;f~E2IXak{VR#bg|xhCq9FNvxnn~69+_zQ$tG##pS|lW zMX{ZG%^dE#*Afy?uOV`iLfw) zLA}OoOv=-2sqWG2lRQD$-Ev+H2x#MS{3RMC`Ubsu5IV2eT(#C_TTJqz5(J(D(eEtf9?)cMSr6D3dZRRt&zzAA=}6~A2cf($_Aa(~Da_Ma zQu2tIU)XHRxw%|;KbGE={|USxXg(8n)~NMp=6mB2frsIu$Sc1^tNwUUg4c9!-?pe5 zqoHo5LK9A>TE3O1n6q`uXSM>>ZHaCYy_cx}d_X=I#+pqQJgD03k)%p-D+_3AfAUr( z1=a^kAhdGw_E1c?25{LDilXPxoQKh`JFrAh5mOnMLAbb1Q5yrK1t&u`^w=>G|_Cod4ANk&dcT~iwA8S0R z6+yD{)~CChgR|(NZ-)7PkH>t;b91qVXCc>aH&%GmAiCt2N0e|rq7ghp`otClp-@8HwojMN<8QLCe-(Vfb|i^Cxz?Zc9E~u?J@)ZoErwg|poAnd z4%?Ot=_oEv)oFjea(DKJmS-r#$2w_BbckPboXd&{@Le9F94>*+f0p=S4mlCck7Vhw z2^gbFB@ezayRv(3494}rb>cfL6^E~wH-PFdqBpkE zYOTSmwX!LC4GFSv5w=4;NusI8?wJB;mkLMg(r1u7xu(^ndt1Yx%rQcbZ6l(E?q^B< z=;)#wA>L&@JJ)m}lWn*54i)9&>%2$&Jtxz6<>aq)7`Ko2-%0!&wc$->v>TXw*LKrs z)b#M_`E6pIl`Puw2j>-odXy!yq6hjNc9;xUJ6NwiHkm;+(Jy)9NyOeaj+V#}(4a4! zh&di^swl_Wg(4xq9h+ICd9d#h86do{D3$T^;Y3auYSi4{*Wyn1G<>1j2ex^c?bLjt znUrQ-hXDgQ;@-}oPL3=khJ0mwz^(P+`ur`a(4ZP^N&c&22LiSVS6hA89hK9Wnz_pJ zV2GBf{zFI5Yy5YUiy1MfvbIj0pS@ij5ic%ti#LeaZ9B#WRs{E7kwq+KeH5+^NrQYD z!ZMq-Pp?QP8}2gS53>N1BkgXFjzbe0O|(tiu0Q8T)%FCzLDQ*=H6_Pto9lDv-a%vu z**KdiC}|z{!wzpmcIZdg-RU&M=;#XI5zcUV3t#vPuCl?g9q`D1k$H5@LyzduZ)u!_d@Pg6DY4`Gy^iXhTwgwt}cJEHT+oryplH1Db1hNl+~bT{LTuRC+7Y5v)e3h+ztp zq9yCQzPJp?^7f4B`CWF;J6GtI&V`)1PrjlgzkmYyYh${HYNIMmxclR+0kYyP$PCX;fyQ_>|FU( z73mz)OVET;+;8&o^BnDexqp%K03Svw8!74WBzDgqC$829Vs)&iCPDBx#}44%kVP;T zW5ia;Gp*HTlDB^osi9UBNFzNhdCV+zPsXN*zQZ_|fS@UwaDd822HltC7ab|CnZ4<>=L|XDMz7lLqqO5NUpthA6)UMo-#p9u4sNr@hd=(1TDh- z!{#VvUcC3Y*MbmT4adv_m#2#$o+Z|c1dj#cO50!dOUkZzeVWZlBb`gSW684Z!M+}A zC3$NlOV$lyzRN_-u^@K2c&TSNsN!c|6bDSPNP|zn7m6q_>~MFg=$?K_T$WP4J(gzR zs}We-oE1`M)wZ2k2Af!sa@#R_^TCmIKe9h*O5pHTyhxHvV7Cs#9p8vziO1N*#U(|J zYkfB{7%Gzm7L{LR*3K$@j$P18F1y`;2X@or%;BN($>IbHfOKAKO@r6c*|{VlK5$}J zDb>?WE{R{M;(lTx<5f-VflBPej@Bi7I6q+TSjFT7gXy2uHKcBdwOS7@uG9QFqG(Gb zxMQ{VhHm;2_ZxeZz)l+<5%%+brecLC1kdWg!A0~l4`iRyBd@MX`$0&z>(xOTJ0-Is z`Mp^BAf@GdiEj+P>Z(h^;`ZT@(FxJ^nrU)W^7-}3m-~gZe(I%h{m5OfQonSUlOy8} zXEbg)1}dYykiePQ0&6ykJ8VR$T8;eP(z=Fpn9+x_^#&Z{X~e;*ZREQk8lIB%NtEj1#lP@Y?0p9j@%7 zo?baU(WKr^yrOH9u4*dA6 z1&%Qe#ATUvRcVF4J`;z(+8+6;+rB$am#cXxT$VXA^NP0L>D^6N4Lk3HdUtFes}57` zXBs>)CfummxAVLw7Dx;$Gg03w23?v5OhOK=c{bqv<+8s}WX!=zU{9hE-dmkrZnnLH zwR5np_)7knzmHB$V)PDVPY9I%vDWj2ael_<6m|(V*g>^R=l7I4D>Mj@O-wZEVk?{0 z1%nY%n#km+{y<3R$>Uy=R0-4NM}WHQTvCb-DJIR9!e8u*>;g+Ogwd<#{Jr%1f#T^&B8R{xQV@ka|+l_!;f+N!;%Z4|LT9114xCBdKflm`jKj4b4x#YK@7>Nx!+)IZ81=3>9HPuq zpuF0f>uHZ2E7CR67RkCWxe=*MbP_BrNr))QNYZ!0JNmW?Bv^C>0Rb^qlYQ5;YA|jb@x09ZEnj`)ADoTytIH>}COLXM3fv7zW=3O2(JtCb*R| zi+-@7auF%N0&w%>cnU2Mho&irr^$(@g&q@GoMbBaiob~Cp46DDNr{7~))oH6>Yq$c zrOt3?Z~thbqJnaPyNsy;nLut7>pn-V(?*q4^W$9SXoaj^SS$5=NDcd(PxVPvB_lHO z=_(GMy&0a7zV;|xdrZwHXqs>r={tW1ZS89w#+7(V6nTv2g9y8@GC~H|UB5?%IvQ8_yuAFn?$WiIHCZ427;PDs>(ht};8r~Y~ z-b&z1Y_$QV;?1Rpe|=z5QPg#CyIrM9QrJ(R*-0mc+QWkZ{zqeuT*t1gKiRb(lynmW zj};K5o&A1ie!3I2Cd}-f%cg0}&99NP-sj(R4wGp3`qk0@#|!Xd({lnk}7LA70(LbjAJY_jgm#* zL{N)T=fB|HeKa<<5U@jI=^jmFt8wfC{hVGow&2$EXh3|TYlkgXiSrpXK(a!XNKj_x zRE(-d524egBC0oIPiyFqSdEo0%?tb2ZF~|U4rFDGuyzwPztk;P2ZO|IXxC41ryn3; z@%B=06@S3G>`LV1k0+}p_i3}S?U~FEj3alR4fNCMF>YfOlLg~We_|44XKwkk+*7lD z))18V?c}4Y-UgPjRLjcI0WeM=?H%u2f%={qSDqx=;pL^J5qg*~i7uV$7}|3PB3(mV zWS-{Wjj!=>3yXY-CZ+KV^1eAuMct!PbfluHYHWNQHX7TI9qvSbDNp5}wbtFtjRJ(^VO=lfJm+9U$sBFtbC{V?M z*v;Ot%0}1<&znLVSWX&fit6ZTIs8*c$r5oNyhD?@^ zNnIszzmWOSepoCgiW#F-@BJZ0q{WQu4{e%uu2=+XHamCt0wY**^#|qV7?-&?_3TX&E)Ii6k z5|?12VYtrq=36W!&NVXqrb%geS?(5_bT>MhZpdcl@Jz`AsWk8V{D|y}`ljSTXP7Li z%GoFXP%jsCiQj>7SmA{G6KSo~=^Y+|2HT zpsep*IB8C9g4S-v{R-+N17<{#x=wu=l(b{E@D@3GFgJBzsi`4RHw0h$6o>$Eqjw1$$4 zgvFr!pD#8;gcLl&2R|sSR>`8#U{6*@47wR-a}{qI;#8^>$>sUg3wqbtBOc&lxHRXQ zEnMghBC%$3S$I|N<&6C>E{Sk$R=Ra01mfzq5j)KJ*>ld^%_6*(AlioR*hS|@l#lV& zh56aigw$8jG;!P!Q_x#d?p&Kz6W;5dbU}vcrWI+T4mcf*`4Ln@A#axqW=jDS5V!&!00^!PehR`DRtfnoVW`(oCNyLL82i7$i$2 zkN+-OEe&+tdW`-x>dztG2(O}@H2H#-0Gwt+{xyW23YS@le#QW65z}M$gYOCKvc)01)PM#wA@V!0%SD$p-Jo zG9VtbHHb}#;xDBsKJBo)KacZH)dEgWw47;uhkU|j75$fmjD|%>eW+TE&0eu@;C-ZY zqy6DE+X4Ie`91?EJ7nVS)?hqQFJW(jmm<5&jZjSn!cG&1zKrABYm0OQbK(RxCHCtu zj{YJ7x$qs!H#~%rVomWX>T{*{T4rW$#0&>8T-SJ~#cf+yCG#fQ1_F1zqGaJcdcTBe zNOe975;=Jb<=a*o8=)FWJda0*K$bW4 z3W(r7<(|_FNSGD&gI_nN>-EJ8-5cBnsICcSF6V)_d+HSUKQ05UCrkq1v%oAH(@O2M zK{8l+f7+ZpTZfd|NHA@F*5_(gDNemM%A}uRH=9LDsBa2oI6>(wF9il%dispDgIDN~ z_iNUHz4?)%7(N2U9_Z$B1rtwgi-if7>1ZkdlW1=TQTo8`OT=NX|9H|jQF#Ye1S(OU ztk5OS2rn5s_hXBHO`Bn{5gGHRmy2glj>~bA-zlD$bm~-Ub#fIZQG=@au9vwM7J_yk zlf&L{J4z~R6w|m*&nZ`UaF?YWZ>21)oQ8{T0B8sdHM-o#ADQRSut2K*S?>2DkBr3d zfXgoVO4RQ9bAZY#U>fhAn643oEaR4$;NklF;P&h|_f76A6igfrI$W?uL#1{1EaulV zeWUP+YW~4xr}EclOdymxNu7Y%0ho^mYAa(Ls}y zMxDK?<)xsL674g`TAhkdpLX3JT^Um}k~1+%#flT39Bo-sr5&{TJgdhUcpA@v}etba%83$3{ z>)Q`j1MF|%1E>+{n3cfAF*E-a+N)L6x}vreQSEVSY!d=+!UxmUH%U8^ zU}dNkGqY{Hj!%BLuu%fmwp9}q+V_Uicnu^bDW^BaCYBcc z+65E4L5WbvSgzoLP$KT5rWk>{7|E4`_vyDpZHgogs1G;M)z5xxU0GWpK?#^T_~3Ei zaI+~CngixN>i9>trdkIniKsMVT1^**@eP5pJh@CdH53mrUz@;ro4{+4v*}dN$%u27 z^MmL0H@4CjK;_AOPlbjp%*gc4VgrMHzym`;UM?3Ne%;@{!r>s-d=>(k=nKR}7Yx#q zUTl6mjOtIpLzbaL#|_@y*LrF%I|nY;&rYlY5dYlngdTulDp@i^*x+8daR{ETd+Y~* zIRg$eoiDe$nJ2`mw33;P;lbu4UfR2^%AMJXXLyR1lJ>}VBOy+lBZB|(kDc~=qp{92 z)$((SgpPGK_)et5&u=3r5pRSdUX(03|Mu&U%ad!n?I?{sd!t!RU41yHS~oZzi#OS+ zS`S^@6b2cRPe5|7Tu*T(3NCxUCQTW+UBwS@8gG76iLYltaGC(yG0;d8Bo4H|%f+E< zO&v3k!abYYU8tJe96Ez80RT=<4O^jQ&;?3pmgfOB)4H`G3Yh9P(4}k7Dn8_#8h2VM zTb~MQz<$p!RMEn7SKRx*INjAAD^)`mYrrbYyKhuqNIHmD&3&r1p0*5R>u{j?DOkQoec_yE-PjVEFr;Ap$eZk6AMAH(ytT5PV-acPxo>J5e>& zRej~pksz8|njNjMoazSWoKjo@gb$Awc|bV#31E4s29*`9L2XKZ=N=)DW@rD4 z;A;CVy7cR3^9bQq1kxeT{*YISj$EBOJdO*^*{nq1GQ4h+1q$mFj0)!1Z=RAh|hq~+UO}JB|)`2 zz`j{~tg1jbA>hv43yd7PPe1*6y8HV6l^T<)qp_-nydx(mCp$Mi*{@d&j+B8t+mj4u ztCi~jgs~vnEWz=IgK%^D07N$=;3bJpWZJW2@X)?e>g-m;gTI4vmPQbPdo^?NIt%&j zSr95yAQbn3<{wFUswg$OA=>j;$ zXO>eXGxc--KKE+Xc+o6Oe^L&#SKS!!m7+yp$TXsqOfHxdU^a;cZH)&*T>M%!$Fl&m z>^LRV=prCE*Y>XWW-MinJaoT^_a++#%v$-Ju`3R_j=#5DXnF$KeEI(1`G7KNkWI2o zuvc$bL<%#d)#qlT&@+~nsKz4;;>Ab7`k|nMiTk4>N%U?GqSOV#o5SGH|E!zG*0 zzd|^=^%$S>7#iuf!^1~E`U-m9wPLe~(xUbt5kUDs1!l49F^W9?XkTWdZOby>-ke!h zM7f_^z_jp6>)0xnp^P*Pu;99E(kKRCe*(|79b$4>_=5>Y8@`GXIF^P~x?z{xTeo2$ zVZxcwm!<|fiIK@$T83G2`G;6hJ};b2RWb~Exy=zjmaz`dd+4FoN=;SK|I|JpLQYWC z34;rjRb7fr($urm4Zlo{Y%|!I0$9mdCQt+Ix;ziPi0p!MUd4jg5U#6 z$C@3Ea^~%`Wc%}AKxD_mz3kD0mNz>VR<*Tu+7%grO1dS5_ytStk7W^P%#9RW;2RdS zq6w0d)qx((_m`7?&yt2TB&R)=@q<6VLO!*y zV15=Mf_!o5rGO}ZRf6=ri{-|sce!s$7BCH})aCSsz`(V*>P!Ucu05J-vzueU?T}`J z_Wnb}=d)jBjIM3S{3OvzskV5qA(=sXMcGdGs={dVE-jYXzBVVXBvFXe`IF-Bg6iV0`(N?v&e%E zzxn)cc?n1g1}kPl*p6fKd1GokN0Ts(bH)W7s#t;P^{m))0c-WPKfFx2$xGuTD2-)+ zUef@5TCzQLp16i=m+zLFV6FvRbK~N1?~^;>uON|eDmg0uj+;A9q5On?B=?xbLD5Z2t*niXHISoOnprCPdICbUgRE`!?FlM#N)x zV`8l=pIU0$BHHM$(?Bp0^=N*evW&63y0Q>(kqwt;gCDm*K|UZ}Gg0}< z+}oYGo`NQCoegg8susHCn%a@|fZHAL>?%bLwpGxO`*|on1C5nz?i}Rg0KkTL<9_%| zqoWT&@oN`*m|kqbBFWxFk5Q~XvE5>W2MuWBpX2MoI{_h1YTe@Si)Xm~*S}cm2PB+9 zALh2ZD!~!FxoV^fv{1!l7%>X3kD?XE_c`1ayT(KekG57VIN6mz`L=p>y@w9pG0=kv ziKLon(v7Lw=Zy$UG;cSUQBHtv0so;n&A{WLn;(elX#Y8V)ea%52A67+9k(7_~ocu zwKjIqn{dZDHq1(sye5q(4?eyL?|xLRX6qhG;?H?)C@WYxlqP!uJEZ1)Kn}QMP!}hI zh89)Kohwm}>O7RX%32}s$BZQo7Cq(Gm0iAsVN%EQ=IZTu-0SC zf6sr1U=G$|!Eti2^AsSq#U%4!$&TNJcI{ez67K2dwPn}7$ZTb%vIi6!tAYVI>;dQn zR6701%&|SG_w{=u2_4&n1Pba?ZzB3uMvP)Qv%7R(fOQaGBm}ll7xF>4YqQgBs}eC8 z)Q?VmFnZRL)x72l$qcAyeQ@Zfmp<}VgJ1tSXGkc){J`A8&hH6M@Jf((7NjFyCiL7{ z&3k2enx}9(qj*aKT{Bph_{(b?U_eghS;K^Ch}+|}Ah_X`m$U|{3-*RIn(lkX)3P=u z9?f_Uj}COSJI97ZGWY~Dc<=?uVyI0_t~p%E7dZguUg+&uAZv0y63W<8lacC)d>IwImyBtE_~cG{ubnHi9K9hdL>o< zi&>6AYK;&&Z?gGw2tIf7quZ*i*cHF@HBfB;WT;1HH0H5jnG)pGbe0`!PuqfnDGR5dkC0O8b{(`IwGeT5r2DFFG^S^8KmSj7OmEWQ7W z;IynLh&a&1L#{e;1S$fmlERVwvf?yp;&4iKDf~4c4H1R}Zc6shQ!M}N{}0&95{ z1`RA^)$h1Ki1~CDw@|!w!2=Y81>PzG0)*tJ|vTP32 z0qmA57f_p5R+&XvM#9)1y6rr|I-OIR`3pd`#nNvV2_^Ly^K=E5!y5J$|O_fy0nRb1Xb|) zEl56^MDjGMk4j_#4Hf8~eg{o)bLZ*2-2^7yQ8z+Djj$LSRbvkUXm% zo#9NAnsSKVO9L{QFhhNoHbOk!)*dqtuAgO?91md*e>goKwX~OT#|?@~yIUJ> zv<&ViF|xt6X0n8ao8P|@`)7(!{1n!McCmZY+v_)gE=B@GK{u{u5@Qn-CHWI2P@ta6 zle=h*^`IeBC(kx0wXuiSd}WekGg(3af4w5S@~ap3{^K?d+DY3ZYuAD}Emc80SH7dI zAziR2%e04{O)cmGHnH7VOzjYOQ;msqWmFC=mj*yURqF$xh_Q2AEetqfR{uH^=g^m1 zi1|QO7nYGUu{L#~0Gi0b3)V|`(dvC};D-WGU`!jVmqS|9HB1(Q$K1A-E<>qeBxPtu zb0!cZm#8hP*ED=|}m93~8AiEzAX)5^xHo zW2mm%kUo_Fkzn-S7MW~DMY_vz#^7tfi?t6ph&Z38CQG*qxZ(wl2H;kzEC|4gQk&qL z(Xw26g*Zgxu>XL@2j?C5)2YS^@xt9Vqe0vR8jVhog6{&d z3-J)&^9)WyJnBDWY28|qDl>!?`7IS96c&K9@yf($*S6HPe&{7wWnobGBm}th-#>fd z+FVh6;%rNt4p&)@b1enz37X49rfuMC*$dlp)@+YrhK=OHl>kxPoF>gj98QSI0(s33 z)~&wfZB5~Cs74T~G3kEKU6s94r3N#JnGLKy_dll8Hg>Uid`{cN4QVS(ynPIeEk;XJ zZwFkZh7vz~L4zORwFNHf)(a+mxs)W|A%L%v5>LA-HOFq|YuE;zyYXl6Fqpouoq9jp9xJOPW4$KXnNCk$9vf7#|H4;F^BIK7htXKDr0io| zR_0d8g3DQG2hkoq!-lo*`N4R-nCijV|AdowBl_HJcgCC@^Mq}$9BG+SM)mM&92+9c z#h=y)gbOmU1v(x0<&X~An_}SZAg3L<$0^YcX%rx!yJsV+PzGKEyBRXg+WreJcbOb4OSwj)g}%b%YFS)I8${^ zfTD4A8oEK9H;Gl;H3<-e zv@urm!E!7uM+k;Lg)^ba*TB;4@*`EGkfQ=a=!io?D5xc*AzlJ`nPEM!moFhw=5^yj zQeGy-@OGj~1(n+hhq8F)ebmg3FX4KW`8^J+Bg*~1gtRine9pk`ZwU1r`&p8$FvV)d zi;ahuGF_tT3bL9}#b#(=Uk?uFxzPCnb}gDd@%*Ms?5SS%k^-^DZ_nl}$n;S!8-Wm4 ztj|;p-yF0$#bD&O9*DEKO2}(B0o4oh>wJ0A+* zZbArvjN-#p!OYg*-VMxb)3|EyFd3rTL9S_KqyKix-ynJ7 zevw#j0cZyxsbD;m_O*e(oP||rk#XH|&Brm>{N)}p!&IABm`x7sY*YEF6cz2`_&ze% zC+n@C#;XuQW}4)+ePy8W2Ho?bZ3!xEdUPJhW0c>ZM+gJA-~6CSSA-41=613CvsaG?VU?riBTNnj6(Kk3?!vr@Oy9Sqv_ySxp|^*x7; z$pvSzsW@EQwpk}oUY%cBysrdW!KcG$_P{Pr920Y$0B6_Gilt1@<-nmXi~VSDK@Ci? z`b*MS!Eirm#@%bca2@=u%)1^uKu)w(jsw4^1y}52svJ#t)rsxcU>mr)O`>L(<|Y@yT65PVvwBf_#-1YoCnob2tqoinw3kOZ9NU+S zaXOFwHBvdRz>-_@J-;%%Ww5;L0d*SW{j>)V2RE;W9sufBLSO_Gs1Plslx z*2u0`jLfhB6vqgP5x{*9Zd8+@(I>c}5kr_3S?u#merhtDS5F2SPWe2!e`RS{Pz6eL7zwktfoH090fUy2h3nu#i{3?O}-?_8idNx4c)(QWF+5Gk2F1{F#iTd(MqOFyw+HXqjokCcsY-x$u z-9h1t4tX?KN8$((sBpd8l`FdN2cE-=_@WSXVdl+Jj_N<;tVjPtQfsBd6nm7Y1X%=) zc&&qiL3nF2Iy?^KBBg1?NcT0)DjY;7&ur{L?4xT{WhJAz5qffnSl${!F1k%=ida2s zGRwJytCYsnV3BXRM9DTQ2#CdunSz2Oh&cW#_cPuikD{s~@ZUpU**XFf60G6kIyNdn zN-0T%@U+4|Z|SYm7Bv3%GH6c5or<%DRZ~Zs`J}?Oy9LJ609%A!_xXL9a`;;O=$Hg` zgoGvGL3{g()zUbQKF&{995c$}<7^A!JwH;!Sw}xkn4+`YG)l@o)?>6>qZ~FfRiKDtDJwJt^7D1V%F#}2q=zPPl;Jvt?~A%>e45ht zOd<7AdCiGEsV6mNj^ulbBdwqGSB z3N=a;WYIEH`6$JG&cZIk4yoFl+-&$k_7?ITrUvfQ=v{j6_`X2M>#?~BOjWplysgiV zBPejEMj~?^{V|4qsTV~glh#-6JF&5{zPpKnwupXGL=p@HJjFvY5?h4rm`%WM z=mn8!_kY4~P`+K#w1A~?xT|HXtNqixM4U_!0!ipNzO*SUHVrcRRN4X@WGK7#q;JKD zqu9y=REiX;@ykn@nFu*cb>(s$mF4djWvBM81&pkB!4bq`=rDW)Ocn zc>jwh>7$@do=hI24nuNX7YgrG9~;wb)ybP56I}i8tB}s3UtZe&{wF88_4a;kPYlWG z-;!}>{*dZ)u6@6$C(T|Mqp6LLmEa`4pK1)q%6p`$P9V5(N_X#0V?+Q8+X|Y8#g&ub%#(@s-%4x zHLeTCjZ@>#`qHhp@B4L`Y^i&KHC zRRiELM0kNo4;Jgc@`7JJMUemVlm6`p{I^hT6s`XjV*TF_%K!bV{tdSOUn9l0vz~Ie zzpH$rg^qeTE($rH3sXl8qu?`u_79Qw{rd&{^@*S$U;6lFUYc~MqAoxnEV&q|X3r}T zO_Be8c90@O+t(+nQ42yQzKraU@bczIv2=9)Fw+zKt@Fte1{IEC-PaTGF0NUhYD6{B z7JicM?@bFL=MW?Mw1;?lem%mKXvW;$jPS&ES}c7%Jd_0VkV|0hMCzAsa!ACKepyO{ zv{=!owhyqZ%Rq1A(zJZOUjW40wQP!c@IVwFg$L!ifYM)H!UyDp zE>ndeEE=_{lm4vd5T%o&hnj>udN%h1hkBibhr1V9LotJ`vesKA^VcQu3V%BopThV{ z#x9_@nv^OGS}pN5Y1Nwn*!sDZdf%kZ;`XF>_a?f;o_<4Zc+p3WY|8CbjV;?HKz4^5 zqW~2OO7{D!IbPm}!y%wc7=A8FmA|X-Q13bTTRz3(@iGMuNnz?#Rd{`WV-CRgWZ}JK zD`}2QE!Kac3+qH-AdR>0@d+rE{I=C=%^^4%)gzt(rtK=H=i{WBQuj{1D0IG!ZU>8) zb+me$7(j4WU|u?8+8rC^)00nXi)}Z%M-vRHOA4yIc7?PIz`C{-M?7jbHoP5JgMlyo z-Lq&iJM95^Z@4=QWbP%!3lBF3cA%x$5;Fw4VsDpE_lgpG@|HfsVhp*4Mu46TeCN?=yvvXSlX&+E6Q5EFQc&;)+fCQO(@`%15 zmw+X=@3<)mUX%)adZ{=W11l1y;dsK$E4t*)lfcveEd5N_UyyeBQ& zwFJCf9{hRrVb3V8|DW6uQP( z>(e!;UQlfQ^5PPkDHAVBV8-+AS762fQ2GOfx}{?m!0VM_PZZ2KB3(W_df{DD;(u=I**+-5-qObK?E^%AJ1KkofG)fAhmF$5~LG?`73Rd+yJ(u#wM=#aR3` zS=*(qe)_d0sUrbIWhSuUTj3P z$y;jp0y1n_%yNFG?mHAnGJ52>Bu>KOAk0RDOzsh3HFhWqLyAFM7HMdPj`14%?`9GZ z?Pvw}XI&R1hM|%J4LNz0!1^?4smpQTa8RZD@y4#Al2I{V?lx3YvLQkD_r}@IEFDcZ z0wlU> zKzQp~AgMBvu5apq{Pat+GOG^JJ`iv}xBWIORv(up^9`D-nB0KbQJKf)BHt(PWCJfx zVUvuB46(+J_8N$DE2DM*J^-*aZz6Gs)r!d|up7Z={c_x@;vn)VV#hk;jbXvzaX74N z4F04Prl=cXbj|CU6SA|ms%6`p%XRp<7wjlMb^Opqj}sF{fAKnNa@(7l2S_UHwC&ky zQ6`P5=^q?4*yEbd@dfRF+lT4@%^-Sq_3oE@tfv#6GwSim4(ibuICnTv}Lv?9;MTgB;&ysM; zXd?Tgj{kmva)t;zXFiH4ra0nd;s}54gYnN2C3kG;XA%I;c>NB@13B3#Z3e zn3NDKu}pB~LGuCAvm9;0UijPw1Be!Bn{B*g-u@oFCUQfYz+{q z1DiTGgSx9G5KM#5f$7eoe>Y4BY=4{W{E*WBbkzxNhIVNfmSF?A@hmOX8E`TB5!P}d zbs`<0-5(@c=fz!vT~k!@=H3Ma=>wR2W5OPRCkbV-)3xm|LU8B4aii3`XaiuGKt*A> z=&Di#8?NMXBLf9y@_cB>$tiFL2DWDDmk^LxvO19ou>=t#af!((Ka-!hEux@9S30^A z;L`sOk7rh1%>Q6oglN5I8eoVO0FLk-F}M^7qKEq}v}en0C-=^3As)u2zqGAFVbMk` zwf<*st@G3$zTa`*1V8aIaz{heF7Kpw|yS7?X~A}^3-V)6g;oxKWb+=@^ zzT&7fC=K4JnA@F&tyP1AypU{vqIYANJjPRt>q8PfzsMm$q9)D_>6ae#c87r(WS`q1 zFZW6Ua@Id&qh20V{ov5_d&!G375m+&0T0GxCsn_e-;d2Dd$Ye z{*)Mt9MIc*ujeKw2sx>*5Xe)j-1!2IBhPDtc+or#=Z7B;3b^2By^!oY-&+K#O$lCd zCubr0aFDkc9=mdAHaD+-?I2nukauH!NFrvtNMGO}s&`7XDfz3CaS7bEwnXB9-~o@C z%vd+{^jZe`ONz~hA1K^*YqgGTmD@(=Nw~M3K>*!mVr16aO$qVZzawTs(;cAu4A&x2V~U0C3DkJnh?)YRPGZ)b%Tkjjcsm?Z!$kFAL+LKX`HA zE7i7g&)Ae-RXqiQBv+GqUK8!?A#wdVH^k4u#lNcF=m9d`ev^Jcw+d~ZWz8hFp-A*O zhE6V?#s@zQe~1(BhBU2q7Q#GU&kEx?Z_}oH5MU zI4fW+GNTy~cLooK%NqE4fzGeZ;QVk@k|Y{MvjccHfrAP(+UgksK*kLQI>jJ#pu+nw zS{PmC9z!5C|3zxfwAQ)WO#}4~Bn$*J0FlV1l%Wdayzuuju5by>&^Y>ho+5;QjBWVl+`r!wL1Yg4^T>QzO-|MYkMRYBRQ~Q z0&NO>3Vxl8ng#*px_-a5V*nylW&GzX2;Wq07=L5>ww+0rU(4@NQ5`}FG(tnAC2XK# z7A%zlmc7g~wREND0%Z(c+u*bYYLNXHD#G9JI z%2H64TsSyZls#FtPyg6#vcZXvv}F~gH4AzBdo4cqK+Q7)F$3v-U}XZf4&o(8b*m-L z%S&&Fdv5JJ1}ugk5(ALR;5u6O8U$86L07y{^4XEW(b0K5fM)~i0k&DO9j?5r7x0?K z7jFWuEyzarY-UisT}qY~D`{HgS&%)6SjBMfAXWoBeXD*Nz>xz^PGEwW%VTdp1;{`6 zT>uIRsBu4K$-`deF7c=umC;s9#fbxbJkZ2PG)_3CNDd#uW-V2$!*AsBtAhXrKs$dY z7Kz{^`G1^_rp5fI;LRc;oH1^ezDlN?vdA$Vq>*rcdnP{Exu8*HaM^!N4R%lv&U{gA zA7h*#?r2U1W$0Y(M=QV^7Fv>{=}LkeiFP6XR^)8J@BBF5Ti?_(HMU>`*YbhU8wl6A zn$e+c-16FrVEK{#U2ua8$2r}i#7I19)6Sw(r7pYc*>WY+;E zhDz@LDeSDnqH5cXLOAyaiZTmogeW6f z)|DxUCtp2?ct@G>k_H5pG$8%sl*2{3irP*sW%Se)a4=82KI<^xHMfI5HZ@6=1Hd8& zP?3PiBJdi?mKu3M;Vnv`E&UF|`)f2kXgTs~$O~~`h{`jG`2J=O4B>+&$`<8dp74TJ zMFkHOy&UC2VuGyb;6+oPx~%QS^`67z)9u>zh?e)sZh{xUh3uUcjZqlCnPPp#+4to^ ztluR`-5jJkHcY!Iz=TSZ?$EV4P4RhRt$p%pt<`o)2}A*^81+vcIB~9`VDk);R^I`1 zi01g;ApZwzr~V&lX$Uyk@D;Ph+C!3yZmBGm?PDqy4gQuu;T#jc7eH}sR^iJ2V*4QE zku#eM?|$*X079y=J`<*5>Jk#<6C!6i4owj3@zzkBAgKKURziVJcIX~6KqB{BCL~|^ zUc|N-UCpl*se8Uf3a<=VZbP`np=LWJq}#;+B!&F=PaY3EzUi+L3yDBazu5aKS)849 zh2ySR_G9*w8p1>zc0qgdW+wEvT{WM9YHITdfi1&}Vmsu##2i;bPM9kr*Q91lO5J_9 z;N6aa6TKHozYNT!hd_EBHz_;y397N5@V!k{HJ>v}b4Gz&i2~sxwaF=UVtUK%(yI$M zw)lXn+3L8dsej{-i8dNCGl9QB29FKLPbjw!s`o+aWqs@Sgm*dID!0Kk8&cILNZz z1Dbe&QsZ?oroe;nQ(CEhcP9w9QRN~3%8u6dT={bUgnh5WR z!9Cu@s44?hRD?QEjcimoQu_=X{2gOi5utTu*k2cc>@fnPQL7=AKB_xNiVn~U_7tz> zJ?|u%3iuu~5pjeuQ5)qaoE~wevO46cQ=raElX>xU)!CdXLb5?wtrBw+7EX3d??jpw z4#-c$o^5MUMcoXId4OgrDv41k0PTfQ8Xg^(alV z0AhVef4xUiRS`1j~C-aXNF2k^Z&o7l9G$n;;i}v}LrY{n`l4ere zYRvn?5@Tpf`O*!ZL`jRiPAy*~pAjCs^-kQ;p!bc6(q}#=tW0*aP{PxLP+)4oefkaS zWDD4{jnj7?_*TB7Z0lR#Sh4+gUS3a27Q?q_st@tI-FYWC0zKmFsN*X@JQ2yvga3#F z)Mzx5OM@fQJtw6_p?L2{c29*aUglTnwhFqc(hmN74q3NKd)ejiTnmW-25t>PdPfEGc?kznym`-wvVHg zWk{xUmA0UUCUxp;jVArHZGPgP6Yi=}E3F%^CcK|7(*T)eUA5iCPviQSPE;&ux|8y% z1R5>9KAsfvGmSpQzOBP#F}do6K0aU8;|BU)QBv50R;)x8mlvlR>m8T01SY2?(+!&o z9|aASttsASP6WN9ADMPA!M7+0*;pbj&tl<@ke8j{P}90Nn##Sx=LyL%)jz(ZzLzjP z?U1S2)nB5R4ipBXmV&EWAC@*Ix2TQ+nupF??yAuGIavJx zWdMeoIFL8i0Kc12t=R5IkyplfS6ESC0O>#4iv*PleB}|%=fifb^J@nLIEE7-84GWTdyU*#0pRxUsmrw59;_XP(vQnZDU&{DcASXwHECMutQk< zVV!G0kSt2(r8jTO{uvLF=Xvxc{=(k*n%J7NYes@;mWlpltdkj0bfU{HSl9rw68|?| zkT#pfdm-$n8<(W{{ocE9ilY}*8}6F z#v#<6o^jovqTJwgw8ZcJbdAcixo^JwV2K2=c6Z`;A_2!BBs1qLXTNdLUVC~*wH17>99*x$sxFpRuWf==lnd;9Y z_;&2*)Rdek%V$T!%^xP034nAFR{58!<_^ME+`h0bCf*56pdCB9nW5ZrJ(6xT#3aZs z${!=!T{1D&)=-kS2lZW6z_a06$L6-Qy}e`4`Z_9}_vOo4Z|6iHqF%aDgq4GS?^33Z zF+YE4SK!lv53>i6Cx`85yO3zAB?(<+vtxg($a-9Xr!+^NcMa;`DYvshGbKrx_^U* zBy_*5BJ$K@*Uevj18T) zpOZAF$U)|pHr)A68cJskKbyB(t@uCZqw<8qk|P}$cTV70zoUcQ7YS-YQX7H29B^6! zA?sa1&-33ax15N0b^E&J@}F(dPtdP|kASJcGoHs@r;4TFn9bgIynsIHUUlbB(02o8 zww^*W5p=%5i7r4{o^?BU-TnG;u|GO2B{k$hlPNz}N?@Ljc4GP~$*BF_)Y;usV`;}b zSyM=*i5$uz;#>099wZf&k2}PABJmAP^DFW<7L3EnnY$4wi}P=7?X%9#6uODq-Ly?S zhdLxaK5}u3_RWp=2>li5>G3Rno(GsdLA=|UAB8E4zU-SOZSfe^|BJ#~xX8%LYkRZl`P_OeY7@B~XD zV9T?B`UnAGmtV4t@(j>&m2~AvXab(+@XONv;;I z%9C5ufD_`ACGx8)^8cx)NnI}`n_)ERN*@Q|&GzVH1{0!1w}YQ>9#5s4=~3qK@PLPg zjCfpLIOzDF+KmIMP?Sgua_7KK(3w__HVTZs2vXsI+`Oaz;O6+-nE#AmGhYYbQu|yD zEVphtrM&sb42qQPc`{>Sv51P@`p)I0gv`$du1NoZ{fPxvF#i`+iRs*E#`FAt5{0dM zs|QU>3KjrKhuhrUX1ss#`s@D%7%I0^X);owM2qNUu1@=A#dPHc%-W77qA)GTJt8{{ z0@@>OMO@VrlZfeM7Ok?(mDj-{|5LEK0gKCY_zt8W$OajZa$eU+>U+KxR%S(}&|*Ek z&dSR2afh=nfSgs4#n?B&$4wf^HD7k>B_a?#AjL(^2DMRJYkN!+O$!=w_P~L z81CFZzUntky^w~aN!Xu#J4QBZ)P*F5gb}Sfw;b7hZ#${_y z4f#w(U=3z3E?cvzWpZveF*Q@J_?!YE1Wa*&+=Tq}KJZtn-so48zDhV9h$nje9mtbM zIM~Rzo|LKajv9{Q>ZoV=0e0B9^f3M*x}=PQ*xDnmLc zm3M&=`mg2-)9s4etU&xT@O2o%K$$nxnKG)Jbssb2V9VACbz)l9!Esmg z!VYa6EX#o{#j5}ecU<&{c=2==;wm+#oaaXcf{ZvRhLhwnP@16kYdnWCYr=Gbak?0Q zGE~lItNdohu)cx5+Fo6!5vGnn+FN47?bS^j zU_MvcSRqm#qu>g}?{NY3I|%T|qALRJs6Tvg8l!)sDwY6De%XhViKEvpQvR6^_*8oS zsg>smxtJcnfq-du-@_T_9M;?EYA9RNJ^CTRxD7TlyMYkZ6zt+lEl<+9{&hCgI%av( zN*FO}_detYE5~4(~}N=u)0w;6PoT5Ys{p%21NFJ;7d$UhaN zV42ywqPr5RVFal9qGN{_dSKBO#>G-Yjb)$H=qtDdf7~DA$)uQK zt1+sc&k}zJm>ctPFS_uwfY>$p` z5h%?T3N#q@s?{`=nvYq@B?ufsr(Jk?r)YLZg5s_!wydB$WARhfcE6|l)>o#V1CZu&Gx=DIesay`@*J4Mzu;>0d&xH$V2Dp*QeR zHKgl(6gk=b>6`#MVP)2gRGvU+v;Xo!>S7e`mt{DJ-Wf4o$(^{VA zrnZW<`-8f1`{yAo^x8*X5*GG@jr%U&Q1e`9TNa7I?dQrWD1tf^)N&7Oa$}=udwWzE zvLA#PqYhu7<;_igzY(y5dka`mra!Af%pn7lB=_r&5_Z!rQSQjo-Aq`PY|;-7OP!%d z&3(0{!NEm|lamhS*Y|MlVtOO-?#U$!Am1MxZqQWDEp$SaO}Nes4JC6FJ}jVz3ZvQc zJQJYccY$8WyiQXUz56OnwW*j};vabs3`^&{{ec5jL64i1xzoL|FIq10l9ve+O24;W zCtiPI_%*r{-Q(8NfIkwnyZX+aqXQ%xp>1fGPuCBYbvep46$LNKt1M7-p z?7QKXE5=I`xuxvhiYpYc#YtthH`F%&gFfP+s{mNAvYbynBnLqc;74Bc*QH<2JCjO? zpExBVj686WNaQrgg>U7n8YO=o*3$WV1frXt#O?DLDB=q7_Ve>|J0*vBOJ(=8ICVVO$n(jNq`B*|ta?6PZeW8YXtWR}-6oO(}Hv+OZf92!nhnbiE~gHV}J+BedPnp7Xyn@4;eq z_waDEn&NZ+H4kJWlI>hpG}NdQ!K}S2RJ!G?VB^Xo8;WDQ z&+-&!%VJ*w85bgo^^G|^&$=%F4?jHbEi)#*K=55u7l^s&XlP%n8n8378xN%nwVQ)E ztOBiWo7{Pbum$B!v;I>1F`%c=5w%);>2|s>0KwtaBuRekcmFAu>+&1O{HJ=*ir+~~ zhXn@i48S&jprN$1wa!99Ui#xD9d@YQzAZL7stPY|aX=y#M6lqA+@ug;pQ*Epvw)PX zG~ga8h+KXt&mS)4mng{mCX?WY2K zIy6cu8=~+YI$5IK4)W;%RD-p7IA8q~LPEOZmJA?ojl;prqc!De>8sAqt>|B84S{_J z=}%PP*!2z%bD0Ddr*WeiY{<98`qI4n8NK^Wr=;hNkt3J*#&ofcP<8L%;JJ>on+y6| z2TKMBsL;Wk>ZPKst#4#T5z`Iv?gOc2T+}hB17c)!Qr7CjW_q$YC2hX*Vq{5f%<;J_ehun@!B}A3&HSQ95oFCVcX7cbkD?lK+@axg(>0tFP1R^J+ zDbkq~{~3UklLUuY^-e-yKq=e1-x-SyE9U>^?e#V z*aB8)k7yzG!DcP?`*>4MJ39Mav_!_a@&YOB2L0Zg#U=I6-bej-yZpsihKw^-l0wKT z<>RmCMwZ15O~NBu_nZ+gzv}n^%z#l>9+(2acx$O*r|IY$KW*+TN5BHFul~`)mrIpH#UnlTn`5>UYYr|#*XPAw5=vuxjRaP!Y~47fVCAOKkhFDCb5JqB*k zF;X*tZ3BcPq|Ej-9~fXGa7Q6F>@Q?r#U6bNR0qi>z-;p3bvbSl8(EoskB;Sae0O>S z<ADBYckRkGT5sJ-$c;)CGh@8 z82~%VZorQA7Mg*OF)+(T81y@^SeyMkw>-8g7d-*GCE#igkmd4!8H9K5{FgyEuRl=J zfH+EgWQ4Jv5erZgc`*@LSp0qD#`r{61Vz({iHrAEnyk?;-J`5^8;RZiY}Th%Hwl0O zXLfe4X=z94C8Z?c-S8ou+^Q;f&>aa}Z$*72u_e-%KmIcS^QE_(Y=F6yUP)!+L*ivR zzuM|Uo?p-MK~DK?N8?~Npyy~5C^9XnNDgv<*?sdc-ggBs%1WZ z=#Tp(uM!&%?=)kv>q+x<+Vh1IQizR{Q;-FbP?p!qdyB0N0-7*VbnkCH1?!=Tx$@8C znmu6BYw=(Vs%dUskS&zbbZf(qUo7oeTr_;?$4unWSN?{kc*rtlrK6)` zolXw6UuPoS_ZI?&e_sM20|ZDJ!L&M!o!K9X12#5m$boOT`@$N*W2uqAaS}jo0js+C z`UR9ep*xQbeFPcblhS18Pf(p3ndbS8MK!sAU3UF3kiYb4$pJk5x=YC~%U~I}OQXGY z(DspG^p|+4@RY*4dq@c$T2LPX z4F1)l10d$WJTfW8bZ{{Yp`HNM+yX^&qS|0U9RVSPClBUIPl3eFgZjTkKV5avpJ7V2 zzyJL96`}MeyF<0&tF`=1JQ5b?(`J-0B6*E-Pd3Xez{rDKCJKw2G{^I$9BL(DW zcZz0T?!XVOd5&|r$!R6#xOK4G35VG1FRqYzT zk{lT(XnA?rn`7NfFx^t>KKcj%EmT0+rLW#12U6J}G#n*9V_w@2ZXz_|qmB7!Wd^KDrE-S=lW0w4d}DEu9ukv~%`H#k3o+*3dUDDz}y z&Glmg6bEFvzM%L)yaMOV%*&)UAY%(<`4QGah^hVH?etO?!c4lY=8+#%bsB9}`#Xc1IJ)wpLzWwv!y8Wll@ET$>n^m{EeunW>(nRX%g zA@ds>&302pFF8mcqeWMnhxNL6&sc=1qj-6_ErEzW%$S~#gm`;#Yin4bVml=1?%Z$W z`|Fv#vi_E9=zec$@Aa8^HE0s0Iy1&HsrMie+Z3wwNW+P5G16W-;+X^DVNV6jJMAIF z%s3L!slf)u>n0fn3 zS(0vL=K$iHGdyi*((eo(8^lxq<%y1$T9O?N(AdegzRmy5X6xIa2EYAj4LkT?YV{G2 z#=?HvMQ}}lj8IFAT2ihtR_aBlFm&yt^@7eM^k;k61S+7C`pjC-+?TSaBW(UIfPJ>U3T2>_`cp1^tkeYSmZS0n0H4P0*bMs=@RZ`nnn2|nR@hdNc@m)>L zDAc9t-_e&{iL5qV(!^L_=qt%r3T6mkl^1VA0@~kaX!-*dUgHi#^m$u!7wKrN(k`PV zj+cefE1(p9%A2Jr<$5()EOD)VS>Adq>!Ovuu4kiFtV*XsOY18PkZJ7AbJ=K#IM;jU zuUmCNGBgI7oUE&?@SfSy!t2cu8XzUIegg^?1xPz8A&Q0P7@EyaE@tn=1W0=8?a z3=$#!4YF+$Oad1w2{~$Bu5spszCC9seqa{qOn=vhep1qH9K?lQc;IV!-iGv60~SzB zi^xFF%IXbNPv0_|KfkMO7p`0YgKZ~00n`L0MrWv@(yKns$JjFQKXR5>-#!p7O#%3{ zFP+n{8N@qiEJ}rz9Rkw!z{8H<^pZ1*B@on~O9r4c5J^CO{bEqBT)6{r{+mMsMVBDq z|0L12+fRX|l&&FDJTrrX|mUFNM_oGcAL6Z z45x5ZC&&%4!Z#A4eplJLve3x!vdhZhlgbo*<9(&ldRxm@Oi@wm&Z~R0R?pKY_Dc4e z54+5XF_>;CD(@k=uUaFJe5V4ZvuiH(EvK_c%DfS?Lii3dDh-X<4L8{)POohggZG56 zu2;c+^-F+yQH>In;oQFBj$xD2PPZnBy|vHQC7ip?G6s2ax%Y#E z1Y8e-Cq6!o_?cnHBSx~mJ5{syO|@_!Z}Sg{m}qvSz>Cjf#!Lb4Iz~vw3eBc4oicuk z;1b2wy_E1mev&mjmc1Z>K-OoUJX`RoI_BKj@d>e7a?gUpqV~KCzrc9#@cc$S4c!1 zCZ!Rp;=U6(VwTEAJuzi)6z@41ZQILI<9Rgk$wy~@p96+kwSVa1IhZF;RFcf^R6dYK z&P>_5^2bDDE~{JwI98Q==(b|DB)z5}5XYNnV)YsvPbVWd4Z}swmj*p57FVolL3Q*} zL_Q$lH~bmEom$HFd%-{OW*mKb@O(1`DkN} z=k%U8mD@hQwGW=1!h+D%3*;(XHK|xB5Jx_b)rXeDR0+41$LO3#|&=RCorg5Gi7!~ zaV8dj%dnh?&x9R?=1|8CjhHp-c=*)&SPD(r6=Yrhh#1}^ZiB`|O>MWrwOtZlFfsy=>E9M7N%lgk}=P=g7X4^&dndO>lQx%FEH-$e)7 z42$&7`AjKiRo#ZZ(G^xofl``=&nLkorP9QCMcVp|bmlu;hFafOLpWtUJ&&j$VTp(# z;^ytiw+|KbvsCOwM2F2(+y-zSn(|(q#_J5Yo<;8pgLfUb=;AMY%1J5v^G1p@NOrQ5 zErTX)_ki83!}qtMlSa27kmobC-Ro)O>pfxPNkt`$&k9c!X=FZB-m<5Bqj1dBvR_c* zsPoF2k;$C4rQd!tb~7niR=FHiU0yzURi4`8B< zA|#C@A=ocL(6bpf*L>b%r~D8C3D>z!R9Et*^~}H*jM%4v-28--og}LN-GaD8VmuR= zbs7sB9&5}KI1->Ge1`@;@#edY7W(U52-3e$Eh!(o-{kn<=743>J2s+XbNtH}?C8(d zeXE}S`FonIQ!FlO`9V`Q3JU*&ZDn#-a(>N4^nagc@6E9^(}vjcsH~b?O~_MG>yLv$ ziBz;VM?RPD(p1ioACV9%5ToQAQ?(8Br484qMEdDSu-|;{&BuU-TMZRB^EtKa+fb%W z;4HQ6BO5J9>tbDR9}6=3yHASLRCU`UF`er`y=9w~A3_q6<(XUVO79~%s=}!GWGoLB z*^|Ok4#d?%E_MW0t^PT$FB)#`nX{}r-|qLDHz1I~!`Qrkw(g+e{-|`mM z-&gMk^M7B#McpHO43Yl=h#K0zmkWH*pBW?x-{(Bw*aYDRZoa`fPf#+;%`eWERlxOP z7~PxEjzbCa-AuB0vFef`3!jM+kM>xB8R({Y5@wB@hB@PXFi>P4d&m?+RM>03pu1N; zg)f=q)5yAQBNa+&^YhQex3>cXgtP@j;-(5|TniWpDtwY+RkL&P(!k}_u&`ZuFP@oLpAN2(oO2ziS8q+EH^@c&?@ zeeDN@khLq3QQ0f{S&?iubFTFYw4yQEawj7c+c04Vi=r`7Bi(Hza8;Pj#wfENe8;9< z3lkF!b8jzcKl3i0vs};!2PYLODD0}b(rK={(nTU@)@$u}mtL>yHTmwZChU>3 z4YeoMu#-hF7={&QH#8n1&s}Hc?9Nh7V6}%%=dMY~azP!d+lKad4DVx&5a*{Frw+>C zf6X4>SDDr*{;7>Ujt?mKwM1>B=)7 zITQ49Z#>Lgp-Io)>Gkq#IummJ2}^G29dp}|8p#;ZBpX#c9ns;}?(J|a#{G;yqNYl( z&ILW$kuwQkY>A8pcsQu_2=otKqouH2EIPd$kQuFpJO|%eJ_oL_U1? zC1QBx6S(t}Je2{WU-=Lkr=v9b*Vy`{Ni3$7+$XE4mjkB~K>-;i@`Q0>epnK|{%q`= zrITgm=Yln)f*y?hb2MzfbVVI^1Y;}s=&qg1oFPrAV<@{+l5&DY=l**|%Dii$_$TpusWcO=Z1BiNw59{jq0*SK#jIU*1vRsP_`qz}l19Coa21|aKC|2fa)b#N5_t=D_#FQwnrt!HxUV64NpV$NS zca3f3u5BgNNsek`vt)_HQ)Yt-rspvorW4oW6{mlW6SKZHLyL2K>y1@~5OX)L1#JGA6;9t-Jls#`ENxp>B;O>GQxTdaMuz3nr;ut9IApTC04# zBu+WgG!vc@qv@2Z*LqOYlqojwF#YqDfH6X?ZmL#gZLR?sfOO?|{8?!jC#c(GwYl@s zC}?}uR(N0nTY9jPuF#rPKqq6s4D^3t-?=h}USBt|*_7L&nFpO zdsgSZE&l1FMfbV%DcJ~Tfqd`XnQg;r9#!L=g1Yy|E8k?h32H7wH&eOSYuq-5@4Z!jYuBL#b(9-nCZY{iN%@Rg*{h)Js!!<-H7|lsa~tx z<0aqhnPFUsi$z2%;WGi}9~HsdiVt7Jl_<|>lH~S9>lPPnlasCr*nmDo2(9_bbN2Es znv3`PUc50rxGvu^U_&O&P>sXi;b*Gk&!{t7QC~Oan-9m&#SF$iFXeA=^PW6@1>NrG zjd>YKaKvM1C3R7$?_YyzH$CoOCmG4DI~rW9+5%0_dU*ON-`);J|MsESCiuF+n5g{4 zic(dp6fSCwV%3$^$2v{#ACo;@M`Vm-g6`-&xwX>hNmJGD=^m2mwn)r8W!h7pj;>xd zPAZ01Kde3f_-#$QCubZXSH+8U?bQa;G>+Gm(puQK9I3;mUnmUYpwBJOsug7Cy zVt}cIis#M{-u``Q0Wki4`=8GSz9|2`6~|<2`Sky>73%Xv(f{Xr{f}12 zPaOVhTwq`SdyoI;R!Hc4|2?k%cdfnvC}jUVuK&^F|9-Fk(MsGG3Fp5iMI7`0U90~w zl__cs0rgkE1z&g5Tata|^x6cxIRDqE!;H~8i{ZC|&I`f%@P`|C?eOjApWE9rQmfc6 zrH^<0WrrgIrv8pG=YA|GOnTYLG&01#yRP^YW||QbPjH&lJ0R22gy( zP@p?PmBtt84YOzh1P>RZ`sCAX$^;wsGj%!XrQMygqa!0ff7P7M<2K)422)b(lNy+t zx2+tZA~zL=JQIE`Ox@X$UmvXLo?Age`sUx>P#?5>{eJ#RuE$08t&KC8mEI^6@ zJT3htrN+1EI(K;#3!hSTayq%#6@(&S9(&M{GtzFL#AO`4aeWHkchi zDz%BA6JWhF(!1{HDoQ_%`uzJRZEl4$L&wCoe;1+^PO@0zvi5E%`6)~6O*cj{QcF5@ z&I|!JpEo$4r+f2}gBv@Lddt~`pUW!igOom6wq&{OiDKMC0Wa@={{A? zjYdAN-6U?(Do)i2yE%67y`^(X&cp3aYDin>z}0qrbcpW2mI8 z%)#BYDL(0Z)IPuYYFQU})1X>rdgD{a*_+Ghcu^W~cYRt>!B$+D4_{il2oCNwQ=qgr zv@cMGie=}jJvv^6mZ;Kt!;x% z40jVh;*IF(VT4@-8JWFdVrp_(s|(3KkoFN9&SIRT4+;uyhKlSz29yZZH8tT|J+8nH zo?c+_65WyZs z2BgJ}==^9IQ;82s%?rZ&_HrC+oTK72ifK!pW=qA?!C`~EqMmlzZofk zmMP`8IQx1xXB!7IGat=OH--t2UUCcX#1k)|`i5tQ38SOY}#*N=!)D7P`5g?WOxpIv{kvo5A}N_UK%{sWFAo%Z)#nysU5UylpwT=1txiAM2@F#@gF+iu-St(4&nC!i{w7)#wq5Cj> zWc;8U3M~1a(m@ZK0RnEyOAtdnxQ%P9BxvRI+zF5e>r4*Eh zz?R3*{Kc2Hmd*z$5$F5QDqW5Wh*Oer0rNq9m0UHz;da&2U;Gt*aFy+?@x+>1S&9zdSKcV0^-U;;vhG?R*Gfk01f1l9+nAndTTuL$~ zdEnaf9h_o(~`66jRuq0#$och$)(R_r*B52_qw_Bz9La z9;1I3=~o6)C~dCG#{OI2M_knQ_Wb;KJxufxFnG4k_NyuVXy%NDjbah-<>#c+`WVN{ zBRy$1hXf2lIKy{$prYejtTA61rkXka2sF|7j zO7W@x9V9un1DTLl&y?y>Y%%cyJ^STYEmo{L!?W1ly~&)M(vH_g!^rXvShBLg{N=Q6 zCJ@BEfq#~9Nh3_cx%_(yhs}HVwV0vuBfupD6W!Ox8>$y9`0J!tN(~i|c=rVmmH9}- z87I52_j#`##|Gh=mYt0Q*w_{zy}Z&8C?7uUBfAsE$J~#oZ(VYTb5xlcrT+c-CsiA; z*r|V?ZXLyv6nv-p@1af~z;v*g^#lN_-+sNv_G}Lvk%J?H`*YrSPc9T|0YEw2P+%o) z)5Gn^Mu4ouVxi)u7i#ci8$k-JI(2O5-xVmm0elrc1HPLSx=3lTY6qak;b=QOBL@(r zwT>4$nQjUEq-qY48k{JX(gbRf^)K57;gK|2h@s2f-~$%V`@%`Yy$%frny)WF2?RDr ziG~F^onB6_&|L-(kX4`%IbgBfJq2V;|K>z3A_~ID$zE1Q)Pe(T_LEf=%Pg2 z73bUYd7Zkbt7A7sZ#GG1^*hxfDXpTy=FhxzMkJ zZ>k&B2LhMJ!NF(5Lf-2?Tak>!ig`P?GG-GJGCv_T+4gCus&0@Ma1-_l7PDp;BYhWP zpQo<>s@EKTJDY0#pxZ3}hH%J|cvzUK-W40o*D)htf69BatCSN=Q=3csDtgM}b4=8j z%Nq~gGR1~{U9DiQn5(@R%3<`mU5ZujFC(hM=z-ZczHdHXdV75^=lx5Xfn3B5N0_EC zF+Z}DjL4!KBSeD9$|j=eVwm^9`?TMkalu@#_e*IT;^va{I`{yYi8bg$UcNQ_)>M7D zKT4Z^t1N~Hu75Bz)KXhcCnfn6@~-%2!_P9QgYf=-4vH}M^(h>E{o)6w9ePWW;)Zkl zJ3b+y%h_j?2KCVIT_(&oI25xDrtVNP9^K`c)&(9aA(QB@} zTf;z!>;Si7T{ic;!oo_m868zsb8Bm1>+3J`+M2^>B4B2iQHS&;a!-RDH>dro)mmTK zt98GDyfwPv5SF^XHSH*uHLI`V$-%!ztdzUe7xYb#t*PX2Ik0-`S%kKk8qX+gvDQNAa+>w8y9Gz z^VIUjPWuXHFBIa+eiTLD)PURg@%%TrT(uMd(oQ*hyO_e+67Tu1dpEcga0hKfmG?vc zs@gT;Pk%iFV}7ZnFk!Vl@sRz+_?LD!mWYIuY5T)=VlX!?XIb|FdZug9Qemm_-0v!Y6##U?1F#Q6(P!Dfe}&m@RK56Z*? z>gA7CV!w*9gc?NX4d;y*8S(+&!HtXE;b>slO8lqXg!o{Ib1%Xhdf~woYVy`tb@wp$ z>dIds^gQ6g-slfqPgmC#uLm;l1sx-auWV1u=3|zMqzk2r-Y}H(_NvpKdH4(KFnkM9 zslDLyAPan`^BBmXY;>HwDyF4Th(D6!WGu2Zw40!c<;(#9K7lFnh34+*?j?3%wEsjO zp-mQsi;c1PU|^`({`BoPJD^3knF9)~sTB4LsFx*uEgnzxB6)vkc+>?c)PD+sW;rJ( zlb%5el(@E0p7QmRknkJR4Hg#`qWHd*QWR!E!r}aOd3=R3J?*)$kg_X+mSwtz3mr8d z>?r^HN8Xc2PaK2@Utb)%P4aSyG~bd7)PWIF&)ahA$5fMHy4Yj?kF&3RBNO(^NS)eTcX!uiqXy+ ztbS%CuLSClfcyIeS)u_Uw`DRQDpqroHA{`bo;HVQp5E1=BIG;fTD7N0jHX(4mZ|#q zSPh@xwTEkIY3WG(r|yU9(yG;?kHriilFg>22QbmRWM#1crChaWb?#kyc@<0OyQ**B z*!YH0X}W`YtemkCsCR{KAzvlXTczI`7QLF#=@RBOi&vFVHMOS^(!Br7|+QxQB%{XtrI{) zzpPSb;-{vjV{P{BTszww9-os#{=+Em;#FVidgk)_qctOzNGfYA$pQ)~oVpE$M4HjI6TsC(`>!nf`gllvL5?r;B zUV@?G#-$}Znj{z&|osX-Jq1d~QH3!h1O)_<$i?t>)Je-rS${y@S zB?}n{?^4S-cr_}+PxgCY;@tzG1za#UFE72?2t?vWRGD-PghAU00@tOr@$F+{Up)EM z6PkqFg$4iFxzeeQH|l$z$VyxCtDa}Ust+#^-mitY-ajmyRq~36c&yTJTCm6VCi9r?CKfXrbEGFE znx^<{KM5z0s`5w2U<)q3T#u!MYoP%s*PS-=hZul~`NkOq9}e(a965|~p$^)=Ui?s9 zR#mm%VH&&uzsU;f$@@`+vSrGeGQF|4ch&!(aevSWX;I2kllC#XUHftrN$g7tGZlpw z)^!A@dWRHE50}GMn{=(y`hAen!%?=Fd{sNE;8$mZbP6dLzH6*ZJ_m(s*RQ_vBJR98 zi%|O5mySF}bH3l~uJCRlMO*m0%fyI0y!#zOV-^%0-60FM-;ehcU~CAFyZtkp`Z_0* zla-l^<}kjaoKErinQv9S%XA{_oE*tl-dfXaW8M2`T(Pf9P`F;I=+@Lf!*5=YvS6yg z6<2tjPz)~|KiyjMA(KGymGp7sV6%R;W4+o;L8!y@hqJx;ll(!1aVK?Lzb&FcCReH9 zdc9L_*4f!v@9HFoLRohU(y6G22j>@iz}}v%-w0*SKh04k9M2ehFVMnnJab9ed_(xe zRpf=B<9+20$b~k4-0x^Uh%2k96)(95$pDLInklfA@r^0QT_WLvUp0il-{~ceWwv^t zZ)@mt&4-^~oIy9*iWQQZK!s|0QqOxOgB+ydqH@K*=4Um^-R-B3-8Xa4aW)%G?+&hW zL~mxhKfh+B6mWVBEI_@d^I4hI53Z_&SsTw^-Cg=`5P2Q$GoG&8VT7^zoO1(*$H#$? zdP>%nzwjNIi6iJg7U%~z`L4KnLJwsX7 z2nkh6s(0|*?#rrH8FjV0G4J!SL$n(Ak#l?3*I4%MgW3h#ozcExYw~g`{O%?hS7YeT zVqdX1WuEHy+s)4A;*Xs^c|XgxL5`bn6m4GBnBo@@Iy#IE(LY!eeR#C;Ze-MbPvjRR zatfF2(Zn8Xx>F)o&2FmUq?Qk)V5hMVQFLew$*GX&9r|)%F=$uzm{r#g!{*71-f*6=dn%ND^9a zyePWx(OEU*&Ujqlyge^3LHH(AF0rzrsz?v+Ea*o5;joW!w@UNF2O;}mSx-;2i%FoY z{3Px)Wa^VQ_CVX3Q+(It7ALWE1P!K9ME3iWd%w;pPP)1GKQl;C#pFhGEN9_8Lq&-9 zDO}!<$mi4KlZ9e@@Zj{H<_Yq$Bz;aVN&1D1)B0ce?9V8CZ9mtv_kTts;LJi%(aD;j zTlX`?yerMe~8Ed+ODK_;@W$g4clDjruy6^K2jkhBvMSgVj{=d z#2-JaFNWN1-3(rzg=Dv3ur^+|YW2@sZrH_!M@L&58&}@?cN90?7BnW;rHYRfR)8rp zJ`QtZF!_85Rt)v@^riJP_#0x%^u5kTL3jm-zFcgsu^CQihC@M83VqERsk*_eWB0PA z%9}N;SGU4oosP1Jg6Jt`0)A*bO>%4Lomqd}W)Z#9>cNJ5^L(k_^>eS4AlaU{&g(0w zT@BQP`xh=7QS=03t-;^>lKT3{%m(f-Lam+NL5H46gFArD=hpODGR5!B*_@mVKk~aO z3IVT(XWlhaLsO`L+0&!I^mp2pg0s@QFI@xaUcLHecS|UlT<`F09vV-f7t5+|9?GvL z`Bw}?{osf4>NL>fqJOPPL{A@nBMWL~>%6Nwyb%!Xqm^n#5i*O@j$SuqM zoXwXKcfAk4Jx8fC0yH!y!7HWSA%4I^QGT$&OWhmmwD&^)J2@vIpyy%N3NHTbNiiIy zrCXI4d^`aTCbZaI@2ig21f3xcPHuRQQPDR@L|hgR(@`{wr{%()Z|`m%-tkhFn?DzJ zDoIRqHZ)`hZqEkMueE}HPS`I<4zk$~sJUt3dGEgY)9y$Oh*A+@hwL>UEV2VrO*=rn z#7=)=ZrZ-~5{HvVfoMw(mLdpjkbEU*%ov(SaO)($o*ztN0pflr&`uXk2K7_65f|m} zegR>l-`M8szS_>7(&z z8@2|@$k3zF2N6<;8y~s&3pSIdk6?*krtBQzgTk zNQ)!UJCYq)ECZne2bVK&pX{)Wa@lo}hh;&*3o=w+ZF&+p%Exu~_{p)u)ryMQ(J$1B zq^UuY;K-|YGmV(U`lt$HAm6q1_HG2j-&6YqWM6NLu*UrhvUwXEG8GKIYzrrr8F-I{ zznVBQ!tP6fB~C5ELjAh z7Kp`;3oDB7)4S=nTv`~*tT+E^uny;5w`0=A+oUhHs#U0nDsxmx{}CJw&@sd}A)Kbm zo4v$1g;zH@j>ccvpOJt}gP7Ud^<+Z0&qlNO^=I0H74V@?n-jZpy^Y2$4v&r|MQ<<` z4oeIK>cn6x(HjaB^KQqRRUnQC>i8MDdvYSX(Rej;A|j&OPNh7{9$1w@BNy>IR2Kuh zGt#2hT=ea&IDq#U&Dl)B4u&o0PM%3A@g=|mS~nWj8Ah5u3iE&0i7cusXR@24?*+e> z(|NDdvKj6t6-L%KXUth{yHIDoIyDWsFWY{%T==T=ZgV>B4a$j|hpS_Ad{R#XwQyao zwTe!I3&9HBoHFPTb;SN+iKybeY>DWIW#tJaIP~! zbuiMQn?rzFVMcmYnjz_jkzZ1{zz3h&7(9=W=jZi(f&rk5`d52Pv5CXK{Npm6V z!J&KgxNPpn^%oTAu8v=bh6t(nopw)Ai!lhg+9vl0n3_S`fM zaNp_aiK(lHgoLPr!5jbiV%t3@71QNuJRg90dNI7ejNkq}C&P{|K^Vi=F>;;MPWF*> z*pz`=`Lv%*TuEY34ffYB0AXH{vNOkG+<6nlNDc zPi^jR@r;5TBrc-LfPs;bxMpZc1smM-ij!wT!@l8!1W;2S&ono~xW4I$E`&sMo(7Fj z4iEr3No20s4uP<)6BULEp8)d>kxge;$Nebkm-xZ!11ZP7J>x)$+1&)m=%4BsVqK5e z>RGoWnrso6pHR8DsI2gIQdF(l3y8|@k%+=kbCXic{LOk zFl|0>U$dSJLE|gZsZYnrb-^}v^0%=m00sPXYp;DlkKOUu7>+yDxP-I|_nsOO%c)4Z zknH>~;J?@`B<0FIL`f68Bh}%|xZ9(l5^5iq$Oe%jsKU#u(9ieUC_OBoinZhHI`7|R z_4I6m>qiR-rl0*!X%wsx4z=;Rw>n+(nC)(+=leW_#w)}cq&*`d1m_(6`sU-uxY4Y~ z%@5bc*^HmW*oT#GaL7=6GgsBlU2-d~%4ln;xoCzaCT2idrnNWzB~h0f(!0Z&4?A0` zy10+2y`!cdS$u-EF?e}b>?)I0R#paWU5?#ag8YO@lyw$xcP$<)2@E7Pe$Z3y9$U<` zpGWwt_*Wx5(o3bG;CRCz5Bfen>Eh{Ar8}Y!d3zinFz88G&=U;bvf~~Q0mHA?aQpkq zz{di`2ZdCQ(1o`GL?=f9#e*sATSc%Dt=YYrO$%3ZB2e7c)qdETqm}nv-=jU?2&xrr zp@g`#H(OT&E%wdDTLhz#-eeZm6Sl%`w@h~)Gf}0xIoWbA-eT~bQ}T(V!Jo`SI=Y8b zwxqz=C1;%!XkKHeNCr6`W%U8I0OFP6XU}5Gu5;#04GPYy2|m9x!Z@2RvsDCPVS?-I zCf``gr$(fgZlbASB6m1ID21T2FgpqG`>o$8r~H3Nto7f65c8^Z8)2ZBQs)r)Oo=aJ z%V%)O0eZSAgSZ{S1r~2o?@iD}nVIwBsyDN?oKq4-Hu$s6Wn5f%uUkR=%Z+ex67i6= zkyP%$PvDOE_&9@-OxWiuMboE+Phf3HaE%)Z^Bln~bGGBuMW0GaCZn~mdPg%alR?Q; zH@jIPlNGTQ$pNO#x+=_*gQ?bjIWc*&s=?-K%b_89zpn~c>u^RS5QT)0iC8S`(x;I` zy!GxCI3a=ZT;GEtq1)0eiCi`crwxYc$?^f5hkYdv)HQe)uD*+OfwSt32d+dK0CDDg z1Vlx}*w2(D##0c(qZdx5vGi&VkbL7EwVxKzZQ+jQuhg2a%d}Hn*DyoZqgUt#x=ptC zC0(|AKpL9%aC+)u{w^R3n|uy2@|z48;V5f**iuy5Q2lOHX12c-Rm%uUkw|y2Vdm|^ z3z3|g98k4CJK7pK|GZ~Ux647M?|p-H_Z0m!1PRdBXXWKJzxE&cgi8iN`>O!@l8|Ah zOZAkzLJ@h`rUNV@Wat#Mz%=rbGL>bEWE$ki$^i_}cO&kO0Gs=IRAdgzFSR^d!3*N( zs6RNn+S;1U?uhW)&w{|>%IIqbj_)a)ErWD!N~vH&paqMy5q3D_2!R}|YH#Hz=mY(} z)N-D|LyIlJN0Y#!_*}Hza2stXrIwmb500A)USv$M8Ur=-3C^R(c;Doz?DaZQHm0+j zr$0R>HkUd-WJgaHAeRbbZ(TWB@VP^~d-@D(T|TEArRrd++2x1~*j!+~jYZt2+kbl| zv*zp5n8#o}QGm$nPWWcF|M2jk5(kKBzHSw?Z@|M_gzabuaB9dtG;OaYC{usEJ-1Ywtdh`-lNcIZx#nDl%#@ z-gMr+{N|jdyHkM;F09KoQR<-P8$uUCY7VNXtynG#(bUSFYW7YOwsS?X|K@;%;N+j> z!##bjX0b!$L*!MGMTiYweS#O>##}jfE&4FR^^WF(?IUSO+>aQXcd&qSw<^fpfoirm zk{I5@{n^T#Wbc;Tk2WbqPJiajVS%RWW#RR~wO(*~9M8}9kbyVM`5&$}J_2Alv^OPL z5jSL7EQV;EGekEesTl_Dv~XzyKtH zF22(h>FN6f>0H3l|B-P*+^6N12?CU?l?tCw6%x&%4sP3EnyKCut&X z<0w|DK>97R&jCZ1!l+k=dlBPP{A}JG>&}Res5rfPnx<<|d6y#xdqOENBuABPEb3xn zdpm_c6j~&`XF~@V(BfZglX&ibzQ%m=Vk*&-!Oeiu%t2pUdnfSFpuvagZ<(kh__6qA zIETyohqo}^cARZvYisNRp@(Ts+P#^knSqI~!Y7xdZJG~fZ+Fu~T!>MCAAyn?@7hy@ z>OxrNfC5DIQocLIfaF1F|LdmRBiEzji4R?Dn=9# zI|=i~Ka@>(t9R~t`_sZBa#TD#iWk3%`cej)z_93ghV25u0pbiyATSA6S64^m{^u2^ z6KeThB2B-N@6cREHlAis!YhIXv0vvvj ztbL!tXO~$XiQ+s;I?a9BvR~cjnRjDdgJ-*T3b5AO6SQ?MEo$11C4$>`2ukG16 zdDu$Oog14~*Nf!j<^O!A=-JoLRy`k&16k0E`UC0RmWki_V5z|%)O^=hL{5?H@3g1W zp*v1e3}B{L>B=%=p1FETxMkO57NnKDX+Z>R#TY%2j;L1QltV=ZqoFNgn~S&i_!!G7 zZ%0R$OjkF#_D`^%OjbWw$r91ieL^cCWI>S4)Znr80_cn5x$is>@g7RFwy=>I>?$iO z0hKh16(A;BbA5dcR#VSWo&9HZgIHs73?1!yXCp^wXwOZ@xqMf{s;)dTBe;B}&GvyI zI`3BvDEdjfT&(94Oo32ztLxJuvuEK7y)5KxmQzM8wlY z`@ItIud4vCc9_e*%X!L&%5G(_x^lKG9Td?UO)EZ6xETT)%zqzo|7l>fgC#o=l5^sN zlG(lb7%8lC32zD&f140q_)!tEIbKfsj`yF0jfY&&>Ik{mW)4cI%MMDoCaOI?f*w6n zKkH<9PVvV{&Sq@a(L3jRU{R5^oLuAlR-%Z{tK5b}w=UkOAJ&6MIu4CBiS)wE-AVKvYNkYh?AFBvv$a?rE}ltVnR2_>kJ>WOFIP4E)1U`X*>Q5D9IK~2 z`!_h~g?*epoJ=zWe&XY-er8G2aqf-8FUSiO%Is5*@wd~)t*eLLj?~rhftJA!e|I35 zgALFF#I&kqy@kjc=gGl)52Q8x)_nhvG?fb@t3dc6Kc6 zJvaNXfi8NceES~*6qA#)^G7O1F|G6r5q$%!%HgZ0!|dx%htJz$31!w!hZ_r-X*P

1@xdbf=_1%s1_l%~uOEc^aoeB6HS$G)T~H;HG5f}4hN`hwep8TF0( z**Tlemtx7Hu5MQ6l1i?cYG&r3eCcUq5%|QEh#?Y1C(B%cy$!l=@FeFpX(G7z`=rkt z_GPTJ)XB?HQdrz{{pwElC@d^#x1VkC7TBZmhTdvAka-hm^^?k}*d;kFs*4FBbF zV)JWzZs{y*`!+H%`L(oi=SoC^_G-5HClyH*(e96{=R8EJ@6MO;zT8J`*S$;krCeQk z49tISRN*)n<9;746D^*r5^hpboSzd+4s0qS0my-R_&#Jf_}d#P$@(+-`OQi#SSRif zk97gSWIejw<%E|YG2xp$HL_3{mP~!kG>UI=PNZKU8gS{s7o$0j=D{!9PAfz)Iih1z zg7rvJIhq?ANspzq$xgiz`x=G?7==sAWl{o{P(Gqq^$o%(SM1}yF8UPq?CLJHH~8^i zFra1#7S|GGd){_M;dbiSUT%WK4++5~kEq5R|DYrNqtuFH8v155mL1EY3F#S1KLZXu z=aO#A@F2X--z;5f4(?SSi6cSA5W+$&Z{aeow#Ld@XU&2Ne$Y$dyr$CW=3r-O&;GB% z8@2^B!foCiRO$DGU~Z7#JWe87ry_Wz|7H=%*T1$#ix$JTL2%8}y+@K38AtleN+NtS72K9I%M#9(CFul70;C4)Dr)Rw*?=H=~^> zIIX=Uhadc9f1t`3-E~xJDNXOy9Sn7Cfga*@{%1M2lnf`G6AhR$PS^~yU$(J-Hrk)6 zkYG@s^Gdd_UqWMjxdaF!&8^0`z~Qc`cEujaUMDhmT^=a!4{i`};q%^8#G(N5BShb( zzNCB#HqQQUhw90Wo`nemmIR8Fs&XKXa}BT79T)`kS8NfssEW z1+|hzkdA?whO+GR?4n126=`ODs2(l-_V3D5*>74pES z?;%YN%)-LeQ&UOV;y%Wa1tIGGSM}g-;Fd8(zaRp77BIn)SQ4BTA5qq|YPr zH!G-KDZYcQ&Sh&(d;+SMLi;}!3N+``ZvP#@P%BQdx?)AO zx}#`m7hc_{2_9>@<%nvshWB~z8L=D(G4+j|XFkMBx6|gkCxIt-ac3(N;@73NxwquN z$=vMD3%_eb0~9rHf_XWjWz@^%D7Ft2!hUj8C{8Vb`;%YtaaK>~{BUz{`F(<)*ZhE< zg0x(tu&D%BmH59;^UDu(G*b-aMKh>msXRiv<;ey_%jN8>s04 zuKc&D8uSZO=of|Zc;Nl7hI3NN|3K+~;?w`xgZ#f+p#Ohbvrm7Rt}R?`9qjGWL+%=d z87~xIF|VcbepUReYEm{AkQ9^F$|{gt7`Q@8D`==oSDqR0j^XL;>B+|yQP)O%&{ChR z71T$(Da^MwdWhudjWf@;+CI~yvJPjAk};kIzg7vSfdyx+sXvQ;=U!i$Tbot`dP}zC zit~yX>GOZS$?G>B|Gl6M{K~a%P*rJNKmrV!>;7b~pEo4h?z+ha|NK?)nI;!w#wF2| znQlP;1~z)%%)1AAWE1Wws>E{D#(CdU-i?+k&-67k?{@B@Po#9pWaVkmHaB+?q6x_V z#I~*IerL%!-vUaecjO^`Nxu{7&>JlNI@W%T;@iTr-eJygz>xU_r ztP(~LN^T0vDia2@9bGskvik&vMAx=*uM$TWeQZYj>G_#m)Y{+S(^?TOL_rKFBsIGU z?AOJA(9xb;+}~!i-^MKM$_%;UbbegDC&)~A$Y^clcURY!z!lZY{X)F3$o50^-g{5= zN(q{X%8Kvb_nyr&$33zwn1|LhDd$nC(;~MzpU{4Y3l1sVNO8L_#=fz#CVj@BZt0no z7>NR)Ue<+?PtXbH8{D*x(n#k;F@)!KfB)tutV5P>O^QR&9QPxN-F`c;D81=AalxHw ze=45wpoyzwJYu#lgL$378QoLHx!1v7JO0WIrxpVJ07QM;`KB2lbldY ztYdWFukW@ftuH2cc^;v9`HNru{`~FSO#{76n9)b?U}vq)WBs`RTZL8Ieb4qsEa&pF zpzW*Ccjz~;5&R_FCOuPQQ!&;x1M^Ck0lw?fQuom*yGWW!%ZsDFB;;@J)pWI+J^KhfE*tgDzHKeUy>IdI0e`iku{#`JgRS;H*@n)MMi0 z%o*Nl?tBuAn^Y4QuX;HS8;sGMU<+G&{Cc!SXpZdQnvbh%=dfGWQ8R+N?Upul8?G3Z z6H4x~1>HU>*W^b%TIhA2_2GB7jeNKUQmBO$1%grZSurwoBbflrKTP~!G&e1`0o}0UrJLgRe zCXZu#+4W{Q1g57)6c zx3~!jV+*ID7WWn5NKN~I!)x}vL06c*wg5TsvmT8&TI0o>ord00VTBGO7N=QHj4&O> z**CH&!Kc7EWpmBWAwSf)f|OpX8cVj>YlGyIFPxFt{Un9J#dl?>TUH^Ir&uvb46o#7 zsP--0%7!9kZmMCaPp7iGCWcwhk@KVkRpej{6O!-g?q_&4+3oRsmJUu%!Oxz-Ufb!< z-vq2JR_3{?W?^A^N(@nyjZHs#mrT~?r^{|u1zG#oodh6T#b8wWRbe!?sMm&Zj_OOD z!%8WHudkuJW??^Cbe*oMdUptC%T}p^z!%nZIVqy|k9^9h@S5oVwTTX#24c!d56a5*hwhE`|C#w*Tx)xCKUm1F{K_TaTScwu zN)bV@dFZwIiI|x%GE$fV1rop#fOmWalpK7}@qRnHEB&_K|JoJn3`PEH^N@rnB!$Ng zuSB2(Q~t{}%!7eN%*N{Ji&byV*RqYwB4OXS9csUT9y>fT;7$H7N9QWV-X7NcUv7?N zCwt2>gQI_t*lT79(Kc8Sx3`5IIyh2URG=55>7i#1W6alj=LOQsY}gy`PEvwr&_f9? zSKGHRWHL|x*EG`d&!^qn28?$BDHW@MT&zb~&&FGQbkQ$@ot#S21r_)Bp(4D^Q=|Q* z_Je^xd|6KWqy}|rq13t)BTrWmrpLeTk&&8f3YtPC6P}R+e^MYG<&X}l zm`U@Ep!LRVBPY7q{ycR-a6Q4D$4&}?H}p%Lz;wBJ90#-|%Q~0Tom{{E%)v}yX)_&^ z<+}#Utph1J2eZCJA@1j0Pj{oIBfpl#&cjZB^ETV%<>gY6kQP?Mo`E|hNkk+@xD;Mo zBonC@ib91NVm@Zc0|0s4W?uU%jq2!hmWu z$7~ILc$POQa&^|(T&1otE}TYWVa0&zdo1HhA9LLE0$>|Q^__8BgMJJP6t%}Cj>vSv z3L0N3pLOTi6A|%JIt?fuaCa)vs=mXNRK^Y&K}_r(U${M7p82CdCGDobl`X;tLX&GF z95{`S3Y6`IAmv$-P0*cJpuIkNH;4v1q#s+pA5cQPoOfRJDrug)VI4d>-dTxA7FBj&6jsclI!m?6kT0YDzQH;l6)3m2SFrse z;eMtBBEWGu%1e9}^!N(a_9-s`3Vf*C67?t<+^}aR8ELMsjo+-jT0u&ytJ0epK?bxu z!G{qLF;Y6Evu8RzcerxxFQUzT0x;xlyO9YAI+{FG$MmbciK@p*M)Qp%ep*8|05+s} zPEc!l@F;nk^Y1qLN2nJ@vYYFHF3nTUq~ur!9_UUw-_EHsI&;D)FKBb+a#f@yvUkm2 zQ>i9zr}y0gN?N*!F`lr#5|LoD?<~aySI%vEoTZj>7emKA3GGofX87Qz;$J`hWSbc? z78m68_tYEP(cZ6ybTC9)trQt2x|65!+J0$0b1~T<2?^TtgP+#fxh=r z8tHAQ3RFQ)+2n(@s6@J2(Y%|<`sFJsRf2P9rizxjYomnG43#EV??;*5{M&~4&6<|Q zCS@0Rs)|`OAdN=EVRYNcg6iB~CT&`AM z^T@7VyEvvJ(!c?xhSo0(z2S}w?4zOjyG|9NZ%$-!7%*9cdEF_-dFN7DMr`{b$dp z2#+yNx1rnOpA{5idM8zHIwerAp+oi>P9N={3P{O2V>wd463d0bAHd=J97+fQ;3Hq7 z=c>(+5v}g6ZOH*{PX87KpvxY00yx{Fg&`ygy6Res`fs(XlPnESy zvAzAo81oCZh$svkd;m6X{JMI9A!UFLBQgE1jxO7z(*-x{y-cf2YZ|5CjCPLMf|-3| zLD`?-g#^7YnXCk^JjlGE;d0=;{#})rWCZ%8GeU51-NIg1LyP>0?g!4v7dw>7>bmZS z9=Bk$HTC(Kv%>|#QoEaQv{9*%YAZ0P*v+`!wrOtcFi~u7;BRiQ|5B`W*SsCiu=Wkk zAQw)?nLxeqyf423Zp@r6(w)V8Qd|x{-!~>#?Ho=o`mz`YoM*dljUG&XL4|5-CzSRU ze2Dv2@4>f*pby?Rv)=W6K5MH=AQq{{W2pwO>*@*=8wP%160rA;MYM}wCRj^mQk$m%ePhmM`Hw4}!mTuyBeuK(_pz5iJ4|khgV=*C0wyy zH%lkkUj@>iTSrzHf~v?RbYH|p1N?OdM#-;=BakJXoJkm%8muZ{20RujFv$WsZT|`|_ zC*J()5QHLYX(enSKKW_{Nzu;P22P&|hBCzq$B+d5?il8wuJ^5dT~uh#L|^RWR>3XO ztSf1XT`tZNCKW*g@J(s&sG+Bui+F8E6iC`psa;6C9~{Wh++Vin+&GD=f5{Ri8&0V7 zb74?gG0>)vX?r^{Y1bBh59|C*lCg=zr<1gs+0Rj{ z^9t_}NmMdogJmAoH*%wxJrM?mNuOIAPiaqeM9NYc{hEQLrG}QewXLPwkyV*JF|VNZ z*(Nhbyv`fE3P({;yL_@=m0bBOwUglRvVb@0W)VI3?8xQnI63R0PVM%Lux^b_)h=sI z^2_DaM{Q7V7PF2JkDMB7pXd>)PDA~$LO_7pIVSNEKVD;etX5!pxHK|XP$)#guW3xy#wvK2U#TN>Z!2-&cyB;%rFH7QetZ=!a2F_ri8fr z^%G8@WwKZPc)c($mgC-DJKph?wZyxCyU0#wXuF zrn6pRR?gX=`iP{M&H9hrQhIz$9Q6#8(JfPEUIO?SDE?!b@`vT z1WZsTknPF$YSf(-d5P|x*t;eniApBoYIz=IsDra{9HN$`(oOLPO&}L&Khuui(z=Qs zuWZ3d!85S7C0X4d!QZtmh?6u{b$+MO8hgOPJxQZ9HTzLdS}p|h=n?j@h|ju}L`m@n z6Q`U^ukk-92P~-siz|+c61T|_k2UE8Ez5V|aGPX^?U%%I@Aqkw;iIuc3Y7gzcpw_C zEG;XkEPW{*MAMxamDI)798s3{J?ZnN-7DJ$Jm+sU1r6_tlpbFSS(Y;ur$vRD2#0>J zl=kBkoYKa?aN&15-#&FLMOxSgK{*S3zKc^yVXpP9<9OA^Mo3QZ@4ghSvFYK7)`5?| zs#AW57K41wJq$A{P`=#hV3jyVo|4qs25~>_HB=qEbNERZjF9a{qh?xIdX4{7azHzc zQa(s-xwUbzP;ViV`)IBcb<>HgeWwnNNg{@ap?Bsl5)-6@o}6DK@RjM4p3HvGW{Tr+ zI$M7$>Z?-}82ZFc@RJvqR1@7(FL!U?k3N@_ap|*pXM&1|?!&SF6@jKbzsu^WX>`!3 zgR>5st%>9g_Y=g5k*_fAo-&m~it%Ei*NQcWi>H}CV za;C+7aPMseQ%?7aQ(ybCB&Sqq>`2cBo$pKE6b?(Z2W-Kx#_DC(bl<_1lay45*qc?9 zmd#g#_{d# zqf`0&(<49LU7@;*DKuG5X%Gumm1}}9tG}NBaesTUYy8uWP$ZAGg7oam!Q;>;+6=%=05P2}mx|Nhym2uHw^0^#G_%*8g7{)6S$ASV> z*$pKK64i87o0m7vkYA<#G&t%TmZOMi>drtfSa90x3E={NT{hb>-rI)8y7(92j);N( zd4d#DdT33|N4)Kup(d+`@+|;hO5m^aJ9$3(#+E2C0dKEKH{U)=Mk0H!;9V|NcMMUj z0-F5Ca=C#eJaK9WIV3RI-clKl?DvN=jG&)0_v4>ir zSza8570VMZD{+b+SRWCU5Z!Dt@%-Au=YC~In)-S)qivh46b!;{6x$#M7fGFLWkmU_ zGy?(OBr%2kX{bhFb=sV7`=kovnVwTPW!+pyQe{mnuO6J*Gitt<|I=L3T zAH8dT?G!B%Z-#0kZ3fppgo;{W;w-VoY<0tbkcJVqXS6kQ7=-hH@Ak~~uR!2#6a7vP zjBjHTJaZR4kNz*l{yHkkuX`WIhY&Cj5D;)E5drCR=#)+gX%LZ;&LJcO0qGV&>F&;< z6;Qf+=#Bv-CBFxs*YkV7oSB7g3C)D4=uQvN#OP`#kO{uo5gB<<_Uxa{VSROc zcTVju@-`%&Id2iP4wxs7R^jT;B<*RXNe8RuaS}osi{fNnIP8=;3>edM|18L@Ts&{C zW*}xP`{^|EscE~+>Tlg0P@AYRCnWu!mZYA>k0O>GB%ud5m=`M{bV8pvg#Xz){wq52 z+9!jHK_h?K|0$8hGVPjA&R4Y@%}+1>W=lXKg_RK}txqtlPLE1iQ}F(Oe@m0`&rdfg z)xXq2(gOYAELD&Q^uMM4zoQTmN`tBOmgpw=y7>+uSN-!7_~*Z?{QuS|`Ja3K&sF%Z z|0UD%?Mz1=3|Tk4;hQxpXO+!o&)fl9HL zv8s}wDh}hWs$__}fjXZi>`#F0GRpWT^ZPwN=pH^GWQ~`=f3fCeIuQ1vSY>QPUYCf` zUpx=c&?aO`{pU?Ep|_tuu%exi8StJK-;859XBrCEFjekEHQKXF!56u`xCufXiE&@C3pJCn0a>PNq-0s}_wd87q9}@Bge)XkSD76Gq z&ZlO~JBRhQ6FVRFKlyB$O+)x$LYC z-H%K^d;9t*^>JBw#;x^d4tT-e`^IZUaJ%!t!w%igtA|Aj_9HYV_+ zjYH-Q)td!#HvC~OG{`Mcd`!tG%+@r9Xlk5eA*Ne^EJq|uK#tA;fv8rX`AVqJO5$V6 zzQhz8uvDGfQ|;mB>EA4gNyqV}{xxQT#^9cVb6+fqmJ2V-D|$%#^DKXRp~kSEAFZtK zeC~L*TR8Q|*2s3znTF`rD~6+Ta;2@PLEX>8^^!;SHu|4w_%H+c&=0-IeW^DxOQ4HI7`qCfjPD+y ziT+%3tD6c|yme|If_n5-*I`$^i~yPoA*ouX~uTeokrP8=XlR zUg5)0{3a$qiH6yDul?iQbqC5slgWkK=8YnnbJrC%ryF)?DnybHF$-JS3eT~tO4fpe z81t}ax!0y8A7`m{oK+9`M-iRd5&Wqw{OI-YtysD@=|S4;(h+XSuRD21&cz1>Zev<{ zPjsqyYxjzcSrOo@PN1h9>DY_`s;+%yWflQM_=v1wBJ2Enn7y6I)#=jx;`D~>wEW^< z!|h}04ETF)ni>>yswbu`8Jy4cn9Vtk}@oXZ??Edp&NoeR9U~)qPkp zDx)Q#7q7MjL&ogT1faeW>m58e_uISRsiL;ejw=#BV$;F>hPsij*$U!hTLrscu0;>j zJy0NTd5sF7YZ**r63cUhi88_cG8#pS(6HJju2d3_@*QEkI^E^bB0BLaq+VHxI}Q^G zbeNK8odf)00&t0~33P~0Owb>#z!n`1d3WRXjZHmewF1$yONm0ksX>UehP9f8bxegH zaq{(gnKA40XC?V-_#Z7g-;m?MS{_^503^>Xh=(N?9{rYd{wEIK`{UWw++0~)lF%%c z2T_szOS7GtcU+#>S68%PoWHHYCqRln;?Dy(Fc;a>!(qq4K zCfo8FEj}ksR?K{b4j+@^EA=5fAkI*fO}t-PB{c?NG=HVHhSHBgh_Tl}b^3?)u_WvX z>7I!*^^2P!AZJ@|UE;l*`K4P#Gdl*Rjm*8*Cj$B^iaKR1wIw{V9IYk=UMT0xJ&^FY zOLR+|wWK7@tV;azn3h*9r(>ahB+uNTkv=9bMIpi-k@+YCy1u_+WgDldE-9Q$T)M8s z8-ug?&Nj$)o$%Lat7^*{x~PfblgsQm_!E1_7OCHu4vwX54{uzgbWYSf$%BjMZ%X~& z$9q#kW)xZG4tJ#2NX*;W7#c6ok=*Eaa9*3pnxkf(neXVQCm~ul6T}}V^b;XHyk7sN z5G|n({a`ZLsP-lKS!R7n;0F`!Npc01k0XaJ7EiiFqiIQdR3FQt-(!}y$XCW!NWPUt zs4?iyvi&`k!rJI;b|COu5N=eDd?xn>v`0YFERp#n)c!#tTFdpFzB$V$ZtCddPvee~ zRNEkFfj`H(3M-!Qx3eRYQJKFx))sQCeTIwDkalYX16r&`0F8M z8jx1|C)}>$od@6lwlr{B26zN7s0G45_Sd8Pnx^;=5&zKVE5EC_Zt3h^@JwRULeeTe zjGf-P6`8JejxX}=iyT{j8x&T1pZP#=jtWt``hKQPg-E4<>H4yb%9Mtr zSV7k_#1DUiIYPw*RTqPR)i_mmf;)|uMpW24JdiAn3ct6VJ`9Z}zs4F!R~0!v|7i=y z&C6gERe{j3?y6lshLn~F7UgGcl-;wF`MQFRMy2eE8R0f3e)i;#y~13sr4<$=NamAd zL$XzmuHHDUrT2?($raVINSV@nhH8AP$6%?AO2rw~3(zlVTg&5nd>%ty4PwI%v<8&#Yyd)0Ph@ z>Z?RFCM0iK4U4;7>KR7HcNK*=wTwFGSsm?W26mA%%!j8X~I(Tk*%rj4|Jr5?Ti*M$jP-)E+lQC|}jwQF{#G=Kh5`f)Rqa zK)lqS+KLtgAMUj*%c2@skQZ9K77?W48>2`SO@x&u3JdgcY2=hMN2@CeOLl{(e4r0W zUF8Tn?0^kY5j+fCw!v?i(naEg+aPg+(RWm-bSBBB(r}XMp_?<)N@97wVy@UlD_Y_0ThEJRBPJMF`}XqDh3w4gGJSgLnOR?qMLVdwGzg zcy`FDC-(!cvfGprU`WMFqkzxBtGt<=R*$8yCtp5;qy|<^`{g0fC~^^E&V?wf(N{>^ z{3_5z;9gBKuLt>h7%1K;a7FUFsW$H}c=Q+YSq z58uBb*tZn?&H6x=Aw-cz;Bw)ck=K-_0hjR9?0-B#!RmwVi*bk)7Dxniu_@#1NG#N* zb{&+qf;mkUzA4(q_b|HNV2H0~Y@k@{e&ODijU zM;e|a|!@UIE7D)v=|4G5tH*jobbiokw=%uQ`{oa`&agWM%oMBpISU)^L zS5$A>tangrIm6cHac+U0N`uMW-QrybBRA3-^&Gs~_IvzZ@e>u$&U?6{NcKpJ-?5my z&#h+qUI13W`oISY?ddW?vvq7x+UT0%=N*WcMm^Tg99q3g!iGm7*fL*1E1S&g+&A(g z(>BHY`0&6!{xBddj>cB zN`^+t0mjfcgZqkA))JV{ARvKMiDqwMi~|0X$|Gj^5)WNW^ zM1oXJ_;)Q77AZLZQ#x(hL~c)|)B}6T()}q8Vj4_jJ@jLg!kta8O&feT7?$|ybR?HQ zI(6s>5(4HK=Xt`IaCU!U(rcN6!dteQrLmmGX0 zrlOpvSojf@Bn#`izfN_qePFAuIqEca-^0D0LioM!pM#dxC8hBDu15b&s%zJVG8Oc1 zClxal8ONGS5-|7~XPb8%4N!623XMn*Cxvp|V!$xY7KIvTSF&2V_7KV0hCYyMMg z`=_(H@htS4kS!TvYt)0P*!AcL52&y8@dJ{v`}~0YYJcN7UIZD>$3I+rPcMt$!eQ&e z=6idx0DPZGZ&3e@-D0z?)CObra$Y`5TvEBPC{OpQ%VXgshQ|@vpRF!$ndlz{{~=k6 z<0RML3rBz%q3wnZtO;cRm$2<2dWH7@$)Pr-4dxV>u%kL~3^0lVlMF=< zU9*Wuv|lwta@}2M)XjTJ*4Fx3=Iod1l9DSueEs~q6DfiX#`|r2-G*LkQg0mGBv*z^ zN+L)pJr;l7_ocpbXLo?B`EbgkS9Rlq5VZLkH4Jn@t!B&bme~BK4wIH6w{^)bz?mBK zV%>y$ea*()X6Kp2ACe9SSm=u3dU%ca#&R_HwMvoOLo7#_4Env5H1lyJdm5h zB=*b%N=hLGdWt=YAee`;#DFzub-k+NjaD5r)&><|U~o^8tQ$Gtm8C52BQeE1oKS8y zx6p_D7?a`YtcVL?{svph*%hg%skjB9vh89xf= z@0OvBzVh^-;CFfexxX#)+~v@2H4iW_f4k0T8tA+;wiNQ*Jf(aYrCYNb5`v(a-zQ=F zW@2l0-cis$T$GksxqX;WYZl)JBMiZ~^vqG9tT8z^XsG{Z;?6&lUl=Gtv_6VgXM#&G zLD56Uk+r}hc?=LG&EQ6Z|FVzgP(u}=ux7GQ0jMv}_%k9^hZ39LyPQsa*do);yuqJN-@Z9-I7E;`JMnP@i-~Y z%F3#9`$Mp>NrVTKp@3u)1W13<;k=m)vBjej@;qJN*c!9eD8Cc+UktXOvqXogDCE4@ zpaz9iS%T`&cYx(yr=qYdz-LActRmlm8x8z$|G=pfg=Jsj469`PDNKQOUm9CC=^3YX zceI&7)Gr-=lS|3=r{lJ?N5Lp8hf)yB1t?+DpD2;Sd^2Sf^X?aoBRr=!wYlgT zkH@3|9dn)^yZu;Eu^Z^AaY6>r?j|M`DZbNrc(7KaYoRZQM9zF09;*0qpBH{d9?~+_ zk(i!a^!2))2!5(Mvyc&3Q)GA!H5mL)1yEeM$OS}C{3>t^{#S5}seA+)2sUq`xx*{a zsDN1pmL#wgZi<4XkYglY(BY&Wx;_3I%td#n-E0vc{At{=odw8iCpCSWiS^~bgD-sB zD%KWnq>Hr72YjwPA*pFidAcuZi;5H_jE8}y4YB*J7Zwl7)~hsAN{aKZwo-7h%mC94 z1N+eJ9Ld%ZPF75ON;;5Jn;FY0mKYoBz;X3XK_Oy2`6Y3jMyJv@G#?7YeQwz-$o$5} z>hA94dCFGikg31;{!BSc^J<^%|JSm;kyQ|ZYZ$%lAu6hezCeIL{LIrRw=W+dMpgno zMIeYF~J*BgkQeS0Xlr)|R8jSxlhCU#-sE5AwxLFxVKZ3;R zZ`cmvR#P7-`GP5M391#r6KM_d^{rcWL`!|nefWl8uVYuQh`F3F;bI+7>nJPmGy_u9W zmNQD;V+Ja#?-^5<@a0cOrfQU8FQ;P=P@l9se{0*Xk(i#^P>u!Jwl1Q4;c%$tY~-dD z_VJ3jlzse?a){aTv8){PyWK#gH*(eSffWf_BO7KZg^~t3FL%t%tbaqA`bB)>L;9>A zQ<5}e_=HYqj+SACpY?qkY4GyR2p20&znuuxP%Qpfsok-3fcd`3h38JN##*}bu!|x-3VtDziKT{jAc7)SGEj;N z3#&`;|2UxgIb)PdlBr8nl{RpmUE1d=A|tO;j7s9z6G+XFhmR4Y`q1cbDRP%Rer3>u z?1+6l()l?P=e{R7j>{Uk99vGn?WMy|-P@2q93?dsQBK9zheT(l?SX`J{cH@(oDTYG z2J$j*ubkkHJM-+_c--}3wr#DmO5W*SP8g8FLKcp2A4)}-n&X(Y$mX`Wu7UQ};#-8% zF=?95+=eb6oG-6F`)abz7%f$namfxxjnGISo~0mHyJpE87*tW1iH2fQbNqDAZNGM! zn3;=3uKgg2dv@Erb}q-6k0T^~mW;HUm$VeE{lv2v!5%W)1>!?35)t&|ob1Bul?G7K zv>xo3S}dOBgb`Nka&bA_^*)D3RQTa?nSk$C9ffVdDbG=UYg5`G0w}rixU7VN7z#vI z+O<~S&LY4?SH7P5^d)z`dhM+t=A*>SYa4-!u>&sTw;lc_ypBHe%K)<;wgNbe`+1PU z2wcsE_4pwB-n7@eLJBGk!vk*JFU$?A0sD#!{G7RthEv9hd8&<9le;3GXXu1b76!(1 zv3%A^SP5hZ|C5h?l zdI&2l1pP#&>U_TiA{M7D8!Ii3Oy%ZJsq?Hw`ugi8RUmZ)Q7kox_m-B+3Sh-%6I0rs zKdT?DlL^|{!HzwXfLFRjl*ZL|7px|!7>sAmFeUOja)J#iVu}~4Dw@;g7EjSYl5%W0 z2z*v9#&hd2B=tlcG|?ZG2GVPORa;B!l;?jy-PbXr)FPrAqsP6sd^0(zVUo!wqUb}Itr~QW!Mm_v2AUm9_ThEUFkSKlV!O?C${25d4!ANVAyloe6=__3dhz-;Ty>t7*8K zMCttt;kE&x1qZ(K@OFRfKkU7auXN;qt%6beE_D7oq^r+R>1=VQolaa#BI9tFYRvzZ zyR$uf^T&AK?85mKyXPTT;nKc>pjsle^x*DD%?>Cz zL$CSs)gqIcqQb|puptqz>7A|J)lJiqzBqF@3XAZ;>v81k{9smh8^NT!$JWu8jSeT! z-Tue2jT~wWMUQC6eMfu63qV}}g_X31PJTZ!z!-lARH7Z;F&wiqD=6VwymcaNZ1^Jm z+^-sH7wP55!2ae2S59OkU>oEt+U&W`4ElL+ z!1~X_^&6tUj18r)Px3^Lyw^)Wyk=GOr(auJbYzB533yaxHt=(| zSe~{}_T7KZPx1lyPUR-U^Ua~W)dw%-L*8^Zsr}lhd!rU(fb)zC#tO=RYDfBs#QX2Q4PeGv+RfQuD;qE}FrI8Imb-Q^ zMCIW_?u0P8Q1PWWB7XjwHC4CbuAsgg;w4|K@jeNCMBaEXUsoTHove?M6HX@M-8<>Q zjasbI<#7%plH{Axji8tkVC=D7YjxZoSEGIN@_KzwY)2mI_MU?tQ8r8ndA9}i)~XUJ zNv#Y)EJbT)0L=06qf+WD$!!E+VZ+5+ZIx8g3Sg<*DY6{l; z$%Zv`In(5c5vR9S%1IUddNiEJEKm7Z;;BEKepGi1GDpQ4jaD6Obe*nn0Kg!c3i-L2(`C86HNXHCId+(Mhzk#tv6>=x?DU^YNh1b&(Ys9 z)T2L$QA$W1sxzt=Tu+IZwcEZ*Roxoag zk59JLbgGMk6pDt?oE9bWKar;D+kwpT`fXr=Zoqti$uh`QsE2@Yj_gjKq)-T#1_I_nR(lKtGItm*ukg#ox!k$5V)N0W|-s}C?O=mV?ExMZDW+>^u+l*SdMA(++y!6HKU>Yvqj`#IFO*0H(@zc(>+c~<~NBrr&n*6=%l7v};X9^So}Y?m zduo%v{poNVZg#Z<#9lH!hI-vx!*{Q|#2r=x+4?=aW@{zr*#_y`Vje$Zf$<4N{K=uw z*p5L?Y}|%`s3DAMY%N1`%^s(3tTD&=l|ZGT`pl@V$W`OgX79Z$IZ(*6G(WTMO`b(c zGqf;~y}w{O;JYPQ|P4!%CincMkY z^+Sttke@varPa@KAYVAtwzruveCsc+y8B`}OI~S=ams z1X%MJh-7|byF7mgq#d$#?ZjScTS)Ri^b}i2oSxJQr@I7&!uoc(lbAAhxSW?m5c#GK=#?>>tIUt@I7 zOdBpDyt&f+!6l+mE-$|@Pctfi|NFTTQ~*c!Q^ypubtkL5Fuh(m zLM1Iyq*l4+Oe)W(|2wQv?FW4(xDlFY|Ibv{UZJ;O0{Wf1-2HuopOAPDI^cOYZvcYb zq!36&z~)o{STPQ=?^m!B3J6T~k&3KetYkjFiJ8VqG+p230-W^_!b9f7?z$T`Br2dO ze|?s^1R&hmVqH4R{Qbuf_u=renu;=V&}vvSCM0^;kz%J%`u^rKg0E*Dh_VT)nH9_&CmgGcl7~hzyCDk+Iib5ujy{M2_dka=B!o!B!<}Wa1?3Q%vXPX(J9h4 z(0FHmmj-{Ygf^Qgw#$!xsqW_&+C#Br{)Et<d~~o55ID?89=xC|ns)XFdC6{9Lts)1a_R##9Ot@?JejiXH1mi9oFXcVd0O z?)6Nc!rFmbFQ=Q4Js+YeHNtGG1xDXT&&xN#E0Ev)fbAQH!}%4L?fa`7KqmRP;EDcz zrp$kRfbR>dk_))b=felvSSGJY8MLQFIPW$eSuyv9)rfX$epcX^irm)ynvl`xERj*E zJ*KKZEqcu?<=p~hrra>M{eEcu5RjQ3Wtl#RLR5Sow}zwiv*X19x?R$T|HN#7t}oC zL!IR#EJ!VacSfN%U~GZ(o*|WjVr9n*QZCx;Fntpn$uB~6YN`tzQw-;2N@qgDoPfTu zad+^uXAUCpyg-JNPsn!RkN|@Ja9OC*qfzV*n-JG&ppXIQF8< zOT^r4jZ9Do&8JQnklA3|vPa`qG(@4~BaX|d$(?=r=V0BZ647?a$z1#$R=GW0_LU~+{RSB6bZJjEuNYCdvXZ-Y43|P z6@JjpClP=_RO$VRa8)4GKS7IOSzt<=Yj{IVSHv95MjhR`QzVtHawl>fDKzqWDG2A- z02JP=J&iRK8-s#cdMAZBo+7e~_Zv&D#+o1T3QSb51?HYKogva*CMN5@HnZMHOBy@V zx~b{nS`{gQfFfOqn3HaOakr|7~6%9Z~qDXISDq=j(x`XxQ&=h!D7{yT#_ zjPoZ{aPH?a2M2P@EWO|Kw*fpvf?~C9ydL^Pf78YX08$deSwP*3;WC#{OocY+Mzd8S zCQ8kfABCk)mfX2?|5MN@e9H)8XJ1J{3{||YZ)adF0x{Z~h-tcY z(I9a=M=kje$C5osClFhj%{F%q?E&;o$<__B=j2%L!sU7DgX(dvu1t3yPdfl){B-Z} z(S$j`<$9RVP-RtLb-YuVR3+)+#c_~RsV#+1epYOHHL@Upmn7iHVgFhIQ&#o!>SFvu zWmSeal9KF;CYw1tDmG)RY{{Nhh2Ac+tHQ$K;Sz}S%To95H2+~~AkBf^k^()RJ6XNg z*ewneO7gSAgDeMrt-uRd^9*pEXtD+MEY1*KWzJ4T|qw*n}J2j^uBdO}? zdHT!o0ovz0Mjd|Rwwizrw(VkKVk9+Jv)&wM&0Q*YEcb5HN;_DO0scYnvfo|0_+ ztvi*h?%->ju7S79BmH|%tKrMx7&pQ)J66nKjwgsX*Y;fuMzv}Z4*wA>jz_q!Ya1)3 ztASFSC(hl&DLA*y_=2OYAS_7;IS-2g1trEY5s6Vf@g&Bv@bB>%$^@etB)*D2L9X@Rvn|cG1t$Sk{jaz7C?1Z3> zXxQ*M`b+fXsb=4Gs{{p$Q*w5)lY*Ha1+ z8EQ_GlFk5G+xp^S4wj?pni8fM6VZs=2k^&1GtKD-n7ApZYlgbD@q_rOw67N{J_aY za(;$*N^feGy#n7Q9sx-*do1E+TQm0@0F_{-ci79Qc6O>!EP~bg>aKeChsOyXyIS2{ z+OPeVbG!ni{%EsSvfs{P^+uKfk{j@0>z<46(JxsZKRq~>zShl9jZ(V*TpaCsJL~JA z&_eTcxSpZ{Hbj#i!4zacD+}=Oi^a4xYZ*ZB;MRfcyt&!V!s6cU*b^*~>ht4!PoKT( zo>d!KeRwA9^1W}#rq4xTvpj8AY8G2b?~Pnj(WDC|#P>qbHfxReq2_?0&#Q~_ymUF_ zmhRhk8U(7thFO=KcJHpAxf1n3%~~Pxk(3i;llUca5e+ zFZ>4$AwN_miw5u8rwE*Vj_UU3k0$c&j$3X%TCZ;-VWr<1dBN`Lxt80s*lhuzCPb;KOcF3fZ1??X%)bMzy(^}YCZY;n49^3yhCp9$WYQs&F zP8<#5yuGb)rd%&x6c*;Eap#e@n8o*!~(+;TQJ8%HedxBp5w9(}hwnr@7kW@-upXgOHMbt%1HS$nX6* zSp-u4l)o+AKiquy{*RQ7xT%zkRtenQyPht5|FFUvy*hE!?uz-_>JiZCV$Vf9N zrPNm2o@l#!x6xcg+pcD2E&B&}VE8op@komO?zM`h)c_hpy-^@^ zKXu+&K3Z47m3)cJ@MBAE*47+frdpl^vtytbA?8$z!n*kg>}EKR=myhLo*2CWUW$c9 zF8Nak$(zH|=wHM%gsp1lzk8pi13FOgw0$f!PF!$hRds5h;SN$Lv%DVVXZz}||NAV} zD%VwpGwA?O<~!>=^Q7-Lq{rF&ZAVEuObp2mrQ9195dfL9BBt+za1=@L?8>x63T2vi z;q*zHhe+e^9-_0YZoqWB(rS)CwUqevFEy6FZd*mti(I(y#CH?#xfy*h_>OgGZhTom zkE>m^-=b@HA^S46sA`3)LV6e@iZy{}vmf{TRFG0k^x9wn#ad*sd|drm-Yi19&ZXZ{ zK8NMY^Ti0~b5NB8McA9nJgDT;g1K3vdB;zUulF7J$P@I0E4|_Mi;X`=-o92Ck7zbr z+FdzbYzvB!Iy&D-(I5M4iiy_f@zDh(+>^-bI@;k^;(dnj>31xxKn*t?VgGS^fVnN; zGWe^Nza({}zuWm&;UKy&9w_TDFcyIY$rw+5d0~^9;459u8rYE47$5Pz8g?g46J?n1 z2h)wUKFymTwb^4(^9$h`A)v{nmULEfV6>jvMRz>XvP$_$+-$YHUkmmYK-sC)D;eG> z>~s;T#q0T_Sr?BG^Kr~C`q1?X5b_=~^QLP4I7{m6*Hd6FD9p1oPZV)>)k+;toz*|M zBR6}s$VN!`L8T>yJAY1XC^9rD8Lq$Qe~a*Xs`fgp|0?yIuA$bPMhrjvc&vi{{-2dO zc+}|<3MUWYP-+24$ukH}~>pHLN zUw6mj7&V;UMg|u6UA6R|9J1WH=RX2A6`C*HGPJCwW|;5d9#Y~H4oWTUA2<})nmbh1 zWHYG}VD5KCKLhni_`K`;j7mPvk%;^6Niz#(B>uDCAL&wlE}O1&xHFVF&c7l@ipCh1cQf2L{7ZCT826U5yYn? z#bfbE!O##^kHT`Cro>;@)<^E0P@OBhpkpb2Xy|>Cn=A%le`mFuG_7=bxMLce&Ro<( zuS6lb8xfdetY%yhR^*>h_hoi^@<7^V&SCK)4?1M3Evgb9X=iJiNsxU9i!hm;gIMb5 z-r3f;K4o&ani<|xoVIr4>{#DWXMdQy-Ivf$fAN?zxVQEh z*i*=hTh8K*J^%>d(@BVPI;EQi_H-Yb*00r8)=4tVZ!K$#@o;bSPbz^On&ksGCt`bc zeiwf3=d!(_B;>b{==gWCf-_@2i+Ny19v5a-Hw`M#xMw!W>dCV}AR=&G;go)GfRVHN zlR?cnY9O~UB_j#wo%I29Om{1=V~ZIy8CD$pf2jDs^y|~FcVk+5?rEGs^9!$8U&y*g zG`p?)$!WF-isd7p+ttuW z9F%ZSI)}wi6w`&Mj9i~?H0+85G$(M&ng~*AGO+VE$VfM3mG;|n1!vAAi&&-NNf4?Nvzjud{!@?&Wc4v7?A*8m_XnOD|0H=BuL`jxA*$#1-W;FF6_ z(GuhM119`qoct=|pt178dT3D{9w0`^mY0dqeg0y{yLs;Dp5&k%5{#L4J0;FSTyy2^ z4xS_d=40!3t9M-mDI?5_-ikdS7tfIjaK|k)$-?bzzHYeuqnSN)6vW_?bQfTPHWO3H z0iy`(jf4(BSZe_kW^g75&@0O&0TjA4ya=GZedpOdtxHVEmE!xX76m>COli)|y(MZtcr z0$oitXD5t;@>JQyPT8Nx3yg#xBY^9w6gg`w zlOP=On~><{ zF&k^7+ya;x4mUeP-$hXYeP5m>n%o}9b4-gd97y~M0q1Cx#y^#frsmy-ddYDm8NdFh ze81f?}^yLSyW z@1F}kyX{#hBaQ&Q%K2!*{sAPt%GUoCV3rRBy&&yDLUxil1K!{(JjZPOJ!X#11ocJt zJGrPIWzZ_|KN5+bXV&BYoCle50q8~mtmYQ7th6+%M4+(n-FXB;8&nmY{9LyKgQ_Z` z?f71d?WjVTf+G7#?zrvrFiYZ4c6@opStnksqA|wpWM5WQhQGk^j}qxshTwf?f_sYL z5NZ9(1r&g}8lbSGV@z85knCCj5sj5>%np}GdMfr{YVe_R6DDA%vHcgn-sxx3ewRCe zXlnl<@FgQ2?F$eKUMwRJbr}K1MixcLUU;20=yOVM)xe_69( zhaK+}BGQr&H%*k>Scx_VNMi6_I&spd3{-%ZK~Lit(g%P#2gs)b4JYxt+y8rn_8Fcp z`3bkFoF$R3kZD&Vn1ulDDOS}%4KhruTd~Kv#nv}~c@4>D7zq?aT*X`ZTQ=q^HY)rX z_0@pm(r9W92b759a3!i3!!O z$Z^ek;i*1x6$AWjA+Kb>gu=KdET3<9*L-ez*a&|ok>Yjk4b(Ymi~);jEL9ht!Shgp zlPxOUXDI&xy8BYQYOH(6rrrZ~?goAj?IaF0pCm*YS1@kY1`{T~vmVEPP9OrLi1pjf zYyb%$#!sgUNgS+SK14fj=#35-uvdR_!bo%kt_yd=# zTNb4$pIQN9ie4b&XyRSiep}Zdb?BIeiM0HUT);mZ4_|s=e*o%+r5b||Sh4D>M6`j; zTv`}{MCct+5{S?Kf#&8V4WjCyqU)pEwV>j(S&|(4V7qp6bV5ZJhxu4Ajd{P@<;)@EHo@(=oh#Ha4ESSz$9J3h3l&}PT)HrdkSc6hycG$BerdWVE@yiv>fUm zMgUelT2>EL2Vq_A*k7!;pHhW6=ov6^);=8`ALKIC9$B8_xfh) zS?t`LCNM%N zO9y#?+V$B7&i{6VXg|@7z|nt3%{MR}A$Exkq9f2N^U0tSDT)!T!5+Ea1px*1Z)Q1~ z2O2I-4afLD1HJmX9-xH8T?es@Ip7ae0#|jzw5X%qDL|wdhNY|B+$R^2CLF+D#We-S z9j7soB1sFrL?E;Lf1Q$sEf3n8WeAK5#9guA?QR-v2jKd-_W=#+hW-Vdny78V#B&GO zy^(G6UeH6p47d&87?i+DN#}30ZExCfI5+r~OcZp}JS(7+0V>%INqOKAm%lF6 zer{Bt9e%Eu`C)JVWnt@gG7_hkL4``JN&~o3F#UkrUgr)u2DW}V6V?Y-1Q+n=MpNVz z*$(L7F0wRAJtS`1&w|s4{XGSVzwL(Pnf;{Q_;>C&`BT92k0ko_7)R0KzFZB-ZBM)s3if#*7!ZxwY6KrMFY0U!x5+IC zLx*I-G`u2RVksLAnud4#;%+bn^bMP3VYaO0Bq6fQ7Q6s^=jWtpanf#UqjV@g z+0*R?(tCC@05i0BP?uEoJUWvhc+r8w-(py3?gn1baWs-a|oCeEOG%NJ$pZY z^&!M(Ab|a#0|Pz6Jntn00Q|7hbm4yH9zC%h1qd-zn~ zE3Qf)LJu`A#6B`d0YoIXYAAwJ1kzH#(HO}K+i@eh3I2ou$9B~<`IeD36CPexRWz|un>EzNxh-7#KgP}+Zl`N6ouT`vX7M}nRi)OJYtz+KJjeTOkGt<^T+Lu@^9R00 zMuNSyFHw&H$l2e={75Dd%S#Kqg|?@=U&C?3Zyy~wq5Di>ZA^COWfAkx0@Rq!F>2M; z78KlXKdXx;tjG!9HnB7T>V;0T#{d#?st_F_ZL?95zF z&R91$Jr9rKW|9866ey zR@~ixUtGGOp*5h8(>S^eG12Ql)^`s9hp~STgR%tT#lTUKRaJsiR5mL3Y`kAc9tC%v zmt{sjJ8;Q!sENUKOEsrfpuj13oqWPw+&%xiL|E}{!kK~37AFqQ&K#$1ejGeJnt1$Y zu%)^@PiHlByh)%l4X=}KX5#E;G*^Dt*4q`_a>l6nul80nyw&=3;hs3%qVGde9UWj! zzwa_26BFG*VBAExoR!!HJ!*f3yON+7rzC#xn(G|@ZfDagN>jnd7PTeVVlPM96W^aH z3#3gLzUl5mek!T=tZ3rSDq}9l8-8=L|ZKM#-KG zo#5;KCIxUg*86`Z_Pwir4mZr$2-0>n690~}aS@zwp37t&Rj>?y!R3CvaQoZYKajR$ zxw|%d9mZGFE^ZD1s_G3~VFTFy&g9JU#6~dQJHl{L&6$EIjV#`7o zQG|=^f9W-PiFtl{?YM1UUug~WKJbb$09^2?yyf&MJ<_t!c7#cH!Mb3@aG&$dp6Wvd zn(rBNaR-K_2nDZs&w1#kJjmOdoiNPb#(vCwVUS)C)vTSH-TI2FKNU22N z{ypanPr{V%vo(BFFq9Y@O)wbOzM#Og5$OS3U zd9&vJLlG#MN9CO>BR6A3t5FH^|NaMm!nz7+&c45LW3geDtx8Er`@qJ==I%meD+*k} zsiDfSv56$Y?pUz4nA6l_gMHQ{d~0 z4vz_Rc-%<30Qwt0p!Wd}Q2(u}9kXGSF;drgYu&7`f$ByrVsx#u%gg^OwFRq4b0P>m zNuZ=MQJ=PdGXF9Q?S|=mx^cr~78_hOM~vd%(R0ta$Y`4;jSj*8W2NCfGlS|r&Q`Rqz{XOk%Jf%1&iC`} zZ(3<2|C|&jh$yK~D)u*~E$pP2qIX_#>8<_U@ulmJZv}J@Sw$b{hUufiV!wA zOFp_!-Ic_E1pL)ly-TEkfB*JvjPfG{qU69xc{LEDyl`*(q%eo%RJbJ~Bsit%pinpmT%w4wy3$RSC?%m0$huW-=q8#+nz}HBd%lkPQSVsKwmjj5c1sPX1sKv>WI;r$ zooSNG)$F#e+^Zbw&WX|5^4jR9gt4uwJxcd~hd69*7;P81MT+v3e4Xo?M+<#Za(*F| z>okYLV6qI@!xhi=ST-Cwn#$K$SP0q4?g2W6fkfV0-vZq~QSKx+YkZdB%^nBceP#XG zI49@XLZ;<$VEvhBIL6+Fe$1f6$~y(OGhAys5$HU9*K)yJikQc4VN$0`QgG~xOnFS z+gc_pZP9&96t~k)3G3uhA*NJ^uT;RcX}x>#G*P{sEjzB1)Ona`m0 zo5Qbz$&Ox;7Q_$_+YD_(6(E3_UaxRUII;Nv25V4PD_Fw{ky$yYW`Kh!@26AM)wlvk zLMbK=X6#uN`->+P1T1D!Zel|K5@p!cGJeq1VmjF*N z*G)4g&QLLqWgg5nM74s)w^JDb2tgDMnDgQQ*7EC!4A9Qr06CFxCpZpvb~z|?UiA&p zp4*emVyuv1g@LDP>GF@Wu6FTT?@DNdt(ksUQAAcrSm(^d`vcdoh(H&Jp+^U$t&3R# zcay5>oQCQQvsx+0js)~)kh!KYRx>REXaq(C*_xgG_F)9!7)Hap=)nb|m3H8*unP&T zvnA2EpGr{{&}9d|7Hmg~<}vVr0KKN&vYsy%B8Fpb$5_)IXUq}fF*#ml5Ru-_#YH|4 zFO{1Fs|F^jw?Lc1e;o`<_qDTVqvr#BfM&ZNd7qElrBXoy@xh#X7}h+8--T4>%I|zn za$y%a#!@&G>^3srBFI6b;FzLZspO5btywk{M8_Bc4hDT6rv@kqhpnyif+H7&oE!sV zBEybM7f(%#QP@M-$NZx+1Jn`2(~%4-$L?uN*g1vnDOYrvRWDtm!iX%)*FO+096Yw4 zBbJ=fM9!NFE0|wQuhPYOO8`1)btQgDq1|CYP^=1~7Iwo$A&)_;-AC8*l&1)*4r3>6 zBnjdMbzWwR2D7A4kjl-Ng8VtG19O+8WCg^gu;@~({>&8E)hF*$Ggm5eG48wYU40~N zq~i4kt=$gWd~VWA0R9O>dqPNgQV68%p64jVYK=8?az41+bI22y}d^QseUMp zuhVTJxT)-FcTuwR157C3*zq%+)SA-5R?%Z38_s`ybxaiRwD;=Jnwt^M>7DsEg@jwN z2xJ9%SMYTb7#&-5@%(ZkWvy1fksJRR(6|C(?_Tk14t%y5!QQmS-fnfZ1#H{C@R#=5 z1BNYQ0P>O~gJ=O*-Y}4JN;D&Z2KwOxXBn0_<>5$U^a$PpD)9el=}iL1Y!N4$!&#LW z)Ie)tsX=`lQit#rL~1X9WC8M^nsw-Kmwqb91wP?0TF0CQWOA< zx2qnX%`DI6wUtJ%e4>B@k@ODL4d2J6ioCu{xagVbW9j>ktNfN`0=n)h8eDL7)HfYX zr$rzm8BnhQsgOB(0vTx#qqpS3o(zwgOt!2*KQ#0hK|8jXDj~0($pxQ1p0RmNokqW| z)hFF=!uAfX_d$78}EAd&C>cnNgQoQw^>YOrD+j9n3)k9;S$ojXpt zdbjPKAE#QLp2$f^E^Wm{yY%MXEkQ{>rB!y<7@u|uedggNCjOVj@BEJ7C0Xw)6C{u* zOBs)-p`i{M?~S*<<{KymwuM+_9*IFgK3JAJbgw%Y(Az!WP!tK$gWDgJjHMe>6>;U2 zh^YyjOL*cRY5XTX6B*HgiNnp$#b3MJwH` zcgI7))Gm03KU7WeJ$RL)Ip^trSVIj|pWV1nx0DedUl*zC@>2tu#X-g1foO0#zh`P` zN8Uf_vV}C-p>+qt0DCrr%nRS@QP&| z?0JGr*BN;3+)KdD7FF`}pwgB?!1f^)Kut~niuw;^C>+EV@aXBqjl?y>vxraA*s!qv zTyOUV^k-}E0|wg)Oy&3h$nV;=-*%MI6_X^<@XGQe1%0=radoH`a(&wN&+aOG|6}@) zKZy%xn@|M=#IIube++EZ()x)+{UoU_sqb)I4UI(G+S-n_XGQ>I2dL?~xN))Z^wvtK z?k&|j1ZkK?Zyyy5WIhsQtZ`v>si^wri=5BIAr6ihQ0`<1+X9d`;**egf*d1X3CWTy_n*k_r)Y$N1l@n2m7qG5!-S=p^gjs%^-)Ky|IC6 ze0Z&wTZCa6yR5`7&F$Yn?=A~{CZ8Iw3lrt-03-ISdr<@3 z{6Tb5PYvR)fciGo8rla=UH?G(?fE9x7`oodw%nbIIS{Cmcz1dF<0*klTcB#J%L4h* zSM_LVLhDAun`C&|>_<@`^@kzrREu#OoF7Ds^+SBDqiKMAc9*u|7WYFzsrG~{8!>f_ z^$45d0CjQm{;ZKxd$|BZJS{H}KL&-4&5nLlx^9V8F-a1WQMll#n*%T?PBUx@Mi8!4 zQ∋mAN%MYE~CZrim3xS{XI;d!H*q_)Jx3dwEUz`&ZVvS^%Pm>tw?p4@I(#PRomq z6!1X8wSFOOQa#u3j~o>Hml&-tN&G&fY#@SIoP_6oxQ)<2fnF#FsK6`4-!c9D`PC0< zN!(q}4WqMwDJ-C^TfZ_P=`tOEM`CoUrjE>V)(nO8+d!y|pnFYT>k7~zFRC2~8;=B& zyKFlS0$l?cbIEO3`uim(2#6Y~spcY=H$n={+R$m-@9v6jJiRLK+|G9l9$At~6_9X4 zr+5kn26H;>9bjGxH<81cBTLs=d_+>upCQAFZE`+V6%W=FM2)HZ)`U)m=AN8;#btKQ z?ua`Bzz+ zrvtX{l_V3bNg1kpd#c9y0m$Uf=7_eQ<;Kc-KT!4DUi-Das${#4UgNS3A-%&LWZ$eV z!{mDCJ=78^&HcBKcf{3ZKv2nMA>Kx-{hA{m7!Q=rxV}fB#f)FGFr(E=fBNwhC(!lV~zy?85~a@afx_aZi#m0g?JeDN?bK*!9& z>K~rzen(({d~dLI5Mlo&*Ci4^W3VmQydqb*g`m#L5_t14gqa7ir22UoH~d5kHf$ZHr_mK=3e*AeJk}KDP7fhVc%(zKf2244F%Jj zuV5zx9hRm`WCqw%+iJfvG;Y;$^fgm!s@Z#-GE|rvD;RgM99lG^w6Q=#gHE9Decj8% zYbp~`!QkJaPt*Aazj1umrB^3LB;li8ubl)GFqOXU$4cX2gYaxhJFzfZ$}B8TW$%Ct z#nq=#KaA-%UeAr;K^#2T*^U95POXURHFFY|!R?(JdZ;97!qDnD{c)W&iBJ{IV-L37wub2Sq#DisPKOZ)Vx}bTCKLrEf@zMI_D<^#V zRSWhMt2l2Dpfsl?C#Vwc*+q=|BiW@qUZt(%L`D`UAWC@#7!S9?1sp#Q?3&%qd+flg zPnKMcpU?DE)L7PZ2MmS`+!XNCBZ2Vxh~eN2`UB`X32AQM&%Z1_JQjY4NUa-4?9u^L zbRydrew--Mm-Q@>%P8{`vdr?PZH(rp@Q5gv(TlTM#_-ZgTl^uI@2T~(@AmGJ%7@uI}PDb zA55nuM*CFjc#|ULq&qv`^VTz*t8TOv>&ag*gph9H=(*_ROkYF&*IGQIm#fc0S=qS1 zUi2zYOgLMWR-yfxjvf&CHFh_vgI^HgdbFyLDgW36LwgzMcljs~}O9P6ixivPSbC-3Qc zCr+)^h=uL5ZZPa#&uIPCBAd3(&aeOI-fm|5iEPmg#l(l_q30cJIYBg~VU~jdR+g7W zwQaZZCW%f--2JMZeRgX@Four#tqRIA!D*< zpz9M_vP*97n$5yH%uLi_V8SEGY6LphZ$yYjSkHaVm;eW<1ir~}VKJz)m21eFm5R^h zUqwRbv%b&XcQeV-8`7GmK9}1WyPW6c6d2b>%Pv^^i<*T)Ki@sM^~-LwzAaOUIjz~+ zLwe!+%clUEkJRz;nf`FzDtl3${Dug{Oo>@ZE}6S|<4^){@Uf@#A&J0A=<&0^C5)t*U^t zFZnmw;-l|!syiB{Jq|g=oC7Dnp$f?e-n`@$z|Bu&OyDRqxaQTpM!Mdj`k75JcqY zWS6vrETViod(9o%Ke0&EvJr^0ez7uGw>=RC<2_bBmTUMS#%z64p)CDE^ zXWDVKVfX$+a_ikT+)K#9#%hZfGN*HY$UVT!_JD26d(5rxvw2kGFxI_Ur(j?JJFP%G zT>qWQCd7I%81Z~$&=KjwJEv4(FlJ(&5Jyni4sY-iuF>qYa(UQdOO&Ti3`^2lZEUJr zks&R;JYdWxfI9f*``lUj+C(A_Hq+B}F>paN-Ud0Bp~9b@4$Wmn1MEI{oaWtRei#9| zBg^dUOp6!&CiQzTW|~xS>+yML1_r)5GswKZvJ`%D7(b|4LU^ZMgwE72di-NtgCp57 z4t0#+>93XRfk2VyZ(?F7Ypzf8=YG8C4be4>;o*%D`cT<5UFNG``56AWR*tQXtK;-# z-HDjm>0I#%^7kX%XKA;su}&`BW2~LiF{^h&48~;owOap*gT_f>_wFH>W64WKXJ=6# zd*rR_Z2uj>7NuuD|84c1^Hm>U5YBEBSuEaVPyZeBbL!3G(q#!@WADFzr1_y)jjxyf z96terEe-Yjc6p1;RTb!xyxtQ0vM!XJatj<@bQ70{ivEiRPr3zS140cl?e^{~Ngxs~ zswjl&`I2fC^HN>g%F$C>###ph1i;WkzV8K=+f1jl*Drw@ivL&@v*XR5c1u=Bh>1@-eRK*ha{qN)MIqWxYNbdM@u}_ybNqf!6xV=v_?(UM zG|AK-$HkNVZb@KJFzC?lF2QpEcihSl`xf2*?&-b;Z|9k>F;_&EOv!e^=yuKzEg3Dj zLGV2CRHNg^8gk923I?|8s*?4Tce&5oJbi!zf3gN``)(8JJHrs=@p4_(^ynZ zoM)BUJyN3!$*NZnRVAtmDp7-o)|DKeS=i%<*qD`EJWaO?Ri>{mwy<|!&9kq4^v^zv zw0eK6(B@H}p)!oWlgGTM*zKA@!C^Xk^GO$nicp66W8x|)##m5+9uMEwiUCI2h0z+Ci5TOiLFS|Vx7Q%sP|5BR|a3jXR&9bn95b67E zG7x=l-Sv2}^Q;vK>Ftwze!LX!?~^p98kHu;43 z+5s}hNKNB2aK^wrLAB%&i4Q<6UK7Fp$IW3`^R(BZ5j5xFp{2u9@#04GDSS?(o|;W3 z()nMChft%-RI7%;LxVF3&5}fJT^WYgP2~np$Mp>h`^)o-0jd|5HK$>J6}-1|aH$08 z9?Z36CUyLLxIfTg@!Lml2zkxkJtAIIHRL?E-TewJKyc`DVSr8^AG@IZt3D*UltZ34 z>Y-Uh^ErMim!tgM)|;GT>{?n#rBuz%SRjAX+X*GntgeRo*f;_$6kHG}DO~>B=F%d_ zU$f$SQ=s1@Hlm{V?H7>~!eOM$ce>Avb_|9DzoSt4i}p6}eeWA}{V{mQ6W7Bv zOpg*jCbqkw<4E9+agAL6sK0}8$Ye12oajS*ZG%}_h^iq>5pzAD+aSVFl0#u3oiUq? zZf*)fPGxy78CBGb;Nj5l`&2Sq#70dkLGqq^elt}QGprkyhZGv3o|r-Odxdl$MCZBT zO3-jUd;CFJmyS}&@i{30@-nBn7f5RMYH`WL5FAEOtQ z@1!15>N4+ll~yNIl!3DeR?2gvybU^E+Z+vyfy(>L_~li%$Ui4s8(Y2ih|rL9kbb2r zYuLFCyIUOlFiqzmIA0B1r z^$lofNXAdq36Q;E`8V$-78cR@QKZj2`yRD=uaXN2NxODb+vZ~*h(P~y3;9|P?t+0$WL9xv zui+;lyqJob5@@2aOQV6;cBg~GSyay#b1Tc2$GrunlSYqAtJl8kL#tPX!c#Fq&Em^j zFbc|%+unk$Cn;eyAgvP90SX5Si9YP}z?gk)MoNFrx4YqWoVVJ6I?c0vm9IFZ6f(6s zE>HUl)z^i2%5`p+5q^?N?CiX>kD+w#+w-Ng?*gM^u35xOOKpT78A;!OK-EiGP}i`I zrKyh}oyER~kSw8{mC6KQ(|+12q^Sk!=StdN1P$SF}i z%%o+!LzWl+iBfB%uO=HY?K8epewT>7pzO&SQ9S;QssmETcUeeRHPYBueX*_E+m*eEgyA8*iS1 zMeGd&&ft_GowPi&@B$_o`;k{2p3GuCq?iEryuv9@d+U*cIwKpmEA%rmCY&~#kURl9 zGWGj^GOH<=o~r$MVaEWRlZxs;Xzh}78|tT4k|>~{nM^Ev4j}YaqAhGWw`B$o)7jU! zSR2v680J|)d^7IPnew4MjJ{?=g$*T)VE_?e_4MRdJ&)8ye;6Lqs*&B^nGKU33XJhd z-sE){>gu7Fc|GLbEqECh`h+ll4r}K#&$T?7Qqb|c5nreId)b9ii6@lX-ShXRS#^Zw zfO7v~X|*ke7W?w*Xg=lKHL|y_q{+_BGhgq@JiF%k*iF^FIW=gb1i#HTW2XT=s;=P` z(w`?`WZ#PyC3(N6u;hFD4Ft+=5{MO;)H27=X#3b;idl$CVy1v3rdg^v#KO5``q5^4rNd){osx9*1Z~E93W%R zLmroz*+B5e_$vQ&tDfmFvi23P;g6GVJyOLfGYyoYo8WEcx{fT*4L_Q+D*zYs)>-@Cbs{)iltWFL{ znT3;8Suby1MvD56x%CvmsVCDJDId{pb}C{S8^9cwT0V<78%6Ng3!1NO0+{QMoO;Mk zhSXo7G?(z$G4>5{YaZ_p=Rk-X{=ch)j0BJGh%zdVhk(O!=e^~uxa_kX;Ri&-*ppb< z4C-NgT=v_;_~djJI3)$~?PZns)xzrIml9Q@ffc%D__46ybLq*V4Tnr!S}YW!FP^T@ z;7M6YNi;b4R?w=TU>9~-0oqZ*EX9qu%5y_WkMaKUO!eILia0>>osX4zVltWEok~qI zHmI7!n~o{*1&RDbp(C8HC&q916){?Icp|g<8^0^g6493&^xxx~EV$c8Xzeb8-+=rl z7{XzBaF2A3J72AJPuxH^Mi)484QEuHg2jyvmks>x6nwU>6ff1eWUoI3a$*Zc|c(LuNZrQ2@}R0k+<80A~*>8hiz(=9zFqDS(0Fo3Vl! znJ|AW6MT`9c-kge#qgJoxU@2j66<>P`d_$NUTvzJq+tr6!wr^dC!20=7&+E)z6t4i z%1oKo6MWmzsmLVWPDjTwEHJAP1?P?VH8uHC_y!3S+a+4rK>Ue}k59XP2UGGn3-P@O zZp)xisamOvB{1gZ;sA%&FUZoQ5ge zd4jxO=Ay3R7?_3oMG*qRqK^cAGADBql=oIF86G6hnx(K001#Nul*Nh_gq01iRsu1IOrt<1lI|Ivvf+=+f z;TIm2Tuho%GUK-XUHa}=3m&s|C`~>2Zq`TJ)hOzbKSw9P`XK&*PUL5h3-NQ_ltdwC z!C>XF7qAyt#`1glW7ysmEd)ITJ&EwujYtqR(Cx_${rG_RrvyHSy10#?=D5kIY0)_6 z1mq_TQVvXn5Pss7vcssIE`h9!CRM_?Qmp8eNYT5xqdF~f@+D6Q|1H}8D8ygl<7jRm zH_=}o4!SYp2-43;zq=1syKj(9`k+`3er*7&G900QNDgl&I6{~G4L>ekDi;p5+Pj2il)qv(%rwh2}>c{MpNJXa~;wOS}JKTJoATNHe1ZY5g57tvFu5+V{YQ3|AFST z^8ma607bcV!LcxKq7*X$V7H+jAC#qu6fLNBvPZ5chm=Eey>5 z8zCuD-{<~jvXui_Z4iX4Uf(<3YZWafvs79pg{GSL!#LMr@JvFne( z;siohn)7(KsfUTgeOU(vMm*(&lfNMRWd-DV(qqK7Z$`8#%WbD#5 zbiE1=DnX!QISSAOz`))NNrPEbYt%sXl5MXe&HtqmQHZFS4CX2h<{p$lmFUZc)A}<= z*l87qgMSrAOl(>+>3sBL3gX`ekibY{i8s$zi&dQcet>Z5!8D`v^@xxHyT8k2dH*}N z|7OS@$i!543dbx>AS>5R4FDco89emn`92F=lYX}zdPrI{0zK#ozGjyP>~aZ0a?Pa+ z1n6S_yFLzs^{v@?&ND!y9YSfsyxg(#Rsi6{r3bLh1Ry9`0JYpgL=@ZS0knl9n?k4yr3F|472q#` z47&y5RlxoC0L>H0huNm1y+_s|V)5u`%gYPpMWx9O11Ps90B4?(YOHs_xcL9l4L<62 z*^i#G!RBa0Ncml-!5jhLq7&oQ3aU)o;HL>gpnvt@>3vSQhUW&w1YH0Z25=C$E&s=e zG7;z!9(j}ikphqsktsRx8y)ogigQZ8fqjd{cPBr)%iL4FWO4zRdC3W)ZqwQF3{lzmz^ zoqn6A{)7IN+-aMg!O5qi6fChYE_Krfm0J<6pm|}{;&hIc;aAUpejLK$?Oz;yPOdt} zqVp5_L`;i)T2ESCh0mFX!eP3t;xE3or?B@$bO6?l>u^77OZGAEbh)mP|MuRzDNqu{ zE#w``|DEq2-4UhJKS+f;P^7L!oUsgGv56WPfWH-;ZU*A+mL7lz8L#a)HfCCl0v(~d zsCe_B9!UZeYz0{EASMwg4U>@x;5^k@jao|%`!x15y$U;8hZs`bmBu+*Xja)2`c2-9 zqmFnexioQ5$G!RaVJwW8S(X2IW-ao6MBINH=O{ji_AWBP0YP22P`vyQ2x`@IHY0)g&g|gZTLLy{c-uV45wj-7R zo`7_!F5;}hIAFBC6F5R5mdGLu;oE3(7*xgZlPi(j6pY-zyVLgMZ6|q`y;vGHEbWi_ zQJ*7)P69SB=Z>1>(eh`y?k@M^3F$_q{@=m!yx#op*4A(1RlXtYb_@K^k}{2p1vm=k z37lGa702&LG8PdMIZ*VxFbK$7)mKxea1a0rN{=Ld2W~h(L4WQc?oc~!7+B~CeVKF- z=LY{3d3!r$$84OE@aAkBf$!^zqm`rG{eQ3uSm0^5t52#gMf?q!I`SQnIq>vp;c^=TJwK|7RMq^6{4S_3Vy?m zOb$$w(R{4=`!=ag3LA8`LgU2*PC(>Kv%ktSzrP({9?T3xx0aSJKcB>Su3OE{)_SeD zc&}4kkl{4g<>WUeH|R)vzOOTeatr)G_V0M;%T6BT&HOh^Iwy{|cXiZIrB|k3J^pU? zW{S$T#B#VlYTw{#vel-g)To9Kw5Z(@h>>+fVWUc0XaCEwPbLYD-tiQ*^>p8`u<(-R zr0luQs$tq(s0_uwOamT@_qpT36s2cPHDp*JWPoMeOwecOM??OmdcJ7c_v2T;(uPKu zh+hUL3)q7>T;VKb$}5@RV>RN;?}AhVqc?o2Iy@G%z7$VrFl8b z!d~*MV9mkzjIvmp{`wm$JVlhKvj1XzJCNY-)%7Z;Lr>ENH{@4?6|w$EhS0jg4r`}_ zfP~6LmUB$@lg7%HSrT@z`!UarHy!kzf&KzR@2!W z9W`5AY8jQs1)+!D>@u{rrgOcqh=fqPJ)LciL8C)}c5KNQ+-ernQ!+!I_no%`O>A?P zMP-f~KpexoB{wbzLD5m`AR(>VeA;+DSuj(B*fr%D`kZzA4Mw3;=21&3lAO} z>tB{3g?siGuaeeF8MzF}d{pG6SyoKWJ%GOyUcp+okAcsu%{{+AJ6jrPs?ebxr6nm% z*NQgKPWIV%43w^_U>Lz(G3_>5b^CWFvwG`3zjvYMclXRf2B7|fr-Nv-79QwcLA4cLKC-@C+qzslr^@4ci5FF2pziGT z-1%*$!Yse?6B{voPzL|HK`EpHa;RFC2%N86ixNUhYP#u4w-gc;gR28AsIGv`A=oGpP7siPXc7S3mZ2}w-B-Bxbfrteh~O-43ut@vWh-TvIX zyaITSE%K2@Ln5IVDtAU*Nnuf$u|?0Ua+2hpYn>X&QomHiD+x=N(jSwm`C81ojQf=? zmo8C?pV(g}q=Bh&UeRoOHp6XZem90GF-s_sWtHaA&U~NcBOe_yPfub(10{a=Yhm=qF1jtH2c%DeIi&^vhaRGSICABS%k9OdDI!?)Sy|*)vX7b~N`zp&zGEg@W zVFrF&GKtjG+$H=Zvv{eGl$gb9XmyzN*@R^e^VyPD*%saa9`s^ z3AXyQD0f9h>bO$1<<1mu=Jy1-T~oG@lTb8Tnqo;PMIHGdC}B5$W=*-F37gGF2d}3a zE~dHNJ}}63sKU?I3hCy1*so20brC&{@0u9vAQG-CP2SvD+1|I5$$^u--fC$#Fn##A zxaWu>qULiC{I`BS6GL9T@cox8*m89NOGNgI@S%Kj>*S=J0y;^k)^SvOkqS}1@w*Xr z#JLJBpmoYGtXCbJ*w70|e~mf>3e(qvNffw(rN{=EIT+KAkI7;7rG~ey$Vu7@ns7mG zBdwZWiobH{=?`}lrpu-We=@AkaX9Wdt7sO$%HIYS?jDb>M-+jRD?jWaC?gcYzm7y! zv`+JJ3zR5wa7VnO`P{Q(vQ8ub;sSW^9}AwJIj)a1S|qAN558u}~_h5Wp1s;@Bt(h)GHlUvyqF@H}%090`neBx%1Q zqt)Wr_2b~7I3sgd@s+cSQ%#L8SzjeYz9>I0&jJYkRD|7EZU$g9Xs|+OtV*lDF070q zb%LvwE?541)#T+8>W{Du$BxL<4PKDdYx}3&q3^R*>ov02IsZigZ*FPm`7GtN!wYd0 zkfLI-_p{H=4R1+_LzPy3Hn zEwkeuC9O&L%CTAX&AciP_N!}}aw;h|Qwv}(1>xovu`c%ZK;wbY8Ch)##?!ci6q4(U z7;+(%Bl}hZkDV`;`r3xB%I1iZmchbPX&p(&;r%`|v9=a~=aj+%H*e5__qyoK8h~heD}(?F5g&fNv(DC302;l%myc$O&bh4~fphR^RmTva~B(Yuxdl2>YM z=HenoQYu}YWjNv`C#Z8~@#-5_1z(hvp^~J!Rp#OAxDRDRy*gM!j>CG4BUUyCda9Wo zcaD!ieXN)eEE;;&S)Qirw5Zm}2i0}AIlcR_4{T$fJu3@8v2n3+*0k2t)mHY5IBwvn zsAo7mhn2lEPEPDC<|0O8`u)~D!hQS?dyfiUIa18*97QfgR`vXtuBEK>Pd=~Tr%zE4 zQJzON=Uf$8DDML+^FA?u7E*pgIWRUSuT3GJ!oOT#pq`zt%B0PAr=juh#kVd0DI)Z- z-R6eh`NAB_&89ACk`F+esa6u&xC-!M#tzj@KS-SGN5C6 zw#rOt4aC7%HS4ue1@wKo71lb+={O+rF^yRllfoO=FO7r6DlTVyhnrWx*RrY_{!P5kukYB+__Rsx&Vztsi3)Q*Q?Y|nNFztbdHWM1}d01b& zj>$(^TOAzjgXJS5-egp_XhGbaIfe_M%2U}{WL0x$LXBLF*K*p2M6Y#>bqv0w{>tm+ zq(@zqa?d6g(t$62#wW7WhEek{Ex&0)1DPPSvf6ugm@_2l%aPo0OkV$yzp+X(daQkG zSpOx6R2z!kJ61&dB}#5F2o(Cmu%G@YpXhbFI-H-~%B|I;0|LFu(b3KH*bvKt?+wa^ z=`}DIG)H$S@WLP8NsY}mYq1J*Dvjr&*{ypJdQYY8X=E2NCU1d6O1=v@uF5!gJ)hhF zJdZon+R)HbTECP!P|)L7Wl6q4l^Pq%;2+sAx}dhJW5!dS(s$<8j*}a|iS{UXg^I5J z1MyJrAQqQQ?V|5kvTeCjMm98S`4mpzUuC0r56Hg~pHdBzhGq^ut<;qZ4j!Id@u$Hq*vIJ24@9mFl3HF3oJH($XS3qO zmzeE(?_4vc3|+2Vqu$6aMz-A)YjT2k$&b?`Y>nT&4%E`9rWIY}QHdHu7-?k%8s#yBe-9h*5kpsq*%+S|V zxR5A`@>hB|ZHl#t*2btV?iC!593R_6)$c<17wNmm}gN@ZCR(*9x|dEYPf+j;lg zH286VM8uFOUdv|*9+2(soSze;p@q+?AMX=4Ra4k${K>)_O9)uUT3?+Hl5_uKalA{i zVry{}7WN5?XOZIIwLr6nw9hvMa|HX>e;Y)v`EMdQS%N@g34)<)tW2X1^N(fjVyvoM z15%-EOrw#}><}H5>@+fdAfwi}Pn5=kHkQdtFa& z#Iq<-d0lrp>bgCDwGvY`lhHNSsj5Dm{vCo9aTHfEl$>lzC8%Lt$B*>grrUF0`7v)} zc)E9Yb~FIcP{A6>hi&FcQrF`%t*#(mgBfzL>C^6G*_-rA$YDI3kX&cM=R{0uY5B%?G|_dXu41b1iE2{cHpu@vT3<^$`SD*n^GiNCC3#0H zqxzu{`NcyJwU?)S(Y=_Oldki;F@JKIT6jXrevwlMCerRc#qs|61Ncqa$@{Jrz^JSC zO|9q4Zgbm84@XAp!4wsb7?}|MboFQU_ib9(y@Ec@j63jVTc@U_5hM{kCpRPApcUqJ zh!w)x=BVASCvT(-2vKX*;l}{2_4c)%N-qUwq?DI1@cOhMwf)8Ic4_*o>ss`Ue7^g_ zwC3}uzU^Xjp2^UD?RnA&f&yCWD&3VlW13Rg@G?doJ!dj$v2nuTfQVncTtCzA#5rkb z1UvBAQSKnx<;5H;qkuyVq}yl*Yr*ZpF;)5*SoT?6d~ZSkRJF^H-@dlg?R$MGY!h)m zb}HadmpQVYNR}Uzfdg2!>z9A#3u0plPb$?bmgy zr^-f|F^Q_h&Qw}||A|N=*qXwd%JTRyC$-+k`G3fRQ-jR3>CZ|XARHbCs$TCD3e*?} z%ajybA7k-`!n!^tZ`%8&TC(f$t%ENYcQF%A)BysKEs%Dtnu$2SrfB!BDK%aAk*Sgb z22>0j0@FH5euFxQ*1C8`imc`#Aeh5`1^Lrw0z5G}c}Jkl#nO7Nv-2eAFnKLw)TQIh zn239Qg;qH^$MwQyWWtH7$N2T$RawK4&Rn9Mrn>XC%;tOn4oF_FG^cu=YN6G6Ca=wS z$LcP00ITy)vmIN+469m`o||{Kt+M@}JBWW|8AF_stNV2pdDEVpb_pV+tDsJvS2Nj( z53ZdhqZTZ;PHF>G`Ey+B(a=_kEDcE0>Kx>yM}FxKObFm;Th?CO*bG2UB#zZ|CrO<%9^4C&FThWKzz2Ppm5Ry6PiVXaX>XynZJGsH1TCKnQ z4R>MD1OO6D!_N1K(TbiB^*<|B)0Po<||?B&855Tv5Ly`KPP+!7c#bLz5zvaa2i8 zG-D=~^;O?kJ3&?WYCR|7sVwWM94TL>U&GGEI{5DJ6KOs3>woi+1Ud)zYZ+a1Ti&XdyNy&0^d#+({+)o&NPpf^7Q#^vGGy zC#(SUlQGUQnW!l%)!>D{pf5Lq$(y%H5oa#iE|&V~Q+uyBagmB=1|$E?mxkbq{rSB= z>nI(sDsGK93vTHqEM{SAD9KkymF8w)1NOH@$*g4A#tOSG{%!Zmzo&6PtY>}iZt7Pj zZ)Z(0o10u7&3AMkSvRtY`?RB&xS57+rtv%iskhK9CEF$Eee6w)OolgH>xM}FKfc~N zEXua)8yygkmXuDVrDG^*5RmQ$DJh3;5Jb8J>6C6nO1eQBq;p7-?k?G<_x(KI_a5)D z_ddjb44Ap*y4JbYuhy@vnw`DL`n{U^CeOg+s76-XfoXOYFBA13`Fty@T~~fXn*=pM zxXq+|TGy$Ag?l~EpWx87CeRZrzx?KPS~C86iZ$P}7?!w8LcDR^zKnS;7&UvXTkO~w zMSmsIS(To)!Jo-Kq@-7uhXV=tTlw^a9&@RgR!^+C>YZ1ekV~rUc`uI*8u~ut7aa;! z!Ec>9D1+_2Kzl=jONIZZyM={vsnNy3T%uG1?VH}YL) z4rZKq+GiX>A__hpE(FN=@XOuAr=%{aSII}?cQpmyTXz@hE1)9w_6p>H-4VOfL^DN? zXnPxC@0T=DuEvD6+T(+hAMVHxhb8G3YslI*F>9h1PSBB0ZkTH_=R@lP9;3%I2Tg3F z_;;SvOzF#Wo#K&xb=`PMrx?9J-)r~TnGjD}tXy;BDFe$?_*GtLefQCy15SwSNaV!7SG;C*0 z+E$GV|H}$mhVZ%LeQCuk&{<&&N@zU4KPz;d$9d|is_J6-bYijlU7NNgdf$*arJq5Q z`$-)Y>6TWi#pS9lRi)s^-uI1T} znnio6$wh_v8fq5Tmy0J#KDM-aN`MyadG9fgqNDI=)#A~Xxkg}bkVdgd)x=uR%<3By zM_oda-z*b2xR%7E849n%jr3CQN3tVq5~}#2`8@1X=08#F(01s0I&&g}AOP>tm>E}3 z&T!Gj`n(f7!V#x*WoYZ+;^fjlxm~lA}E^yjeQD(Xsaqt=UP4H@^oP>#-^+ooC z=4gv2Ka+^*RE|%S9!WFZ$`*hb!PlJiG3YtLOogS>j*9k7D{bPyq2=3dD8EJ|O1V+# zZ~oSDZw|plAbDl{#V(t)*irZxlG7nyuY2fF4_Rq^8_K~$XvekV9umdDS9_UHFXeiM zO?IvqToANu88lAJqnLsz*wjThu-f)Q^xe$uTTu6s<)~<`W$N6pK)pp>kAX-9lf2-2 ztf-#T{fv2$XINBR))U`I)@awFi_Io~?cPkAq09|ga$!$N{P`i&L%}O#qQ}V~ubW$`?(Yv*iuQb;LtkdQo1C%RQ+&dNzF-=j-kt2wmw;DG zIf}QhB2g|>N)&eFFmp?~b#9^wc$C<@c@r!Sonp>l__dc%fHfH5*5b#&!IZZxn0>+4B3?dLvdEUW=?T%Znt(a)G&vi&1-3TSJdR%{>+a$aNT1taG1CN z-?o7GpH^-pOSiHiRBK$V94R;Nl*oh9{%fZ70gNm>8pBy=PW@0j3|>4|TH|HmW#qGw z@-#>-HW@b|nUb|U8Dr)co?K-qZ$k0({gRi%BJG;#cA?1EXGrw)p>r=L+(}4=l;7K+ z_r1IRH6d6>MvhI3738zc!bSPv%Y)C#kHd%d=jZ55EZWhZ@LMv~WWCs++B7e>E+|s> zg?Kz7B!2UNYS~e|cOw+oU_hyD)-Ki}z92x+^PO zd9g_%U!&#{GXqV{ddGFgVnYByh72X+hmAA3#WR6S_xeSICu{&ieF^4D^W=_UCqIvU z|8EgEUXMRH1rklaj=T)<`lw`9E7bEu=iNvj(lbc>ul&Sc`4?ExE$(;n3V}=_^uity zMKW`KIchHApTam4_4eJTOdJ~K4*uXGOKL;iZtnQQxdft#>`x_Xj8s~$Tw5;#^!Aln zv?NtcCT-o8s%KYSjLX1MxZm@@B>LF?7+H(7X_7gJ12va65<4VfGfX3hhVpf(YO!Xx zvTzOC%2!g@^r3){T!rRl9s|;In!(J>Z+IA6ADBjPQs~1faRIE@+PWFvpM{@cT4;}8 z#bvdg(-oarI#&tHcJY=_xB@+enz9JZ@rQK}@#nPnH{R9iBq31CH1l`%`val%g|P>A^mM-frQcsuW#$`EoX6LD!ZRg4$W+VCi1K6-lOZgnV^=yk z)XRx-!5kZWd&F;pe~f?5>ERnSfaw^dPc4qM)d(|i)473ivX7m_lgYO4kOnWFDX}(pi+5%sREEOqBM`CT`kArTY588)#oZLO(!&ZW#R=ZLGkROjR~?)J-WcxwK; zbWaL`{!;==q-B@J+gAmYcnD9G_(FF3Qg+_i4hA*pyqC#gBso>2kMC8T0_de=^we*j zEnXh!F`f;VN}B{k$csNAO$S%a?;NqN8!1m($%I#}!|BD(wa&b1EyfR=Dw%5~Je=*i z@$kPOiET&jjJ#fpPrmsWHh5~?dM^)0aMm8vFQQo2`twGrhJTAQguf^}&x??wn$b%HR) zPhQLUE$eK|{hnGFBo1a{RPJY2JUAq4^ZM>Ne8E+#m7tlNoJqz$t$+ZjRoZZ=@A=~> z2+y=5sOXd~SCu!DL>Q<&VqE`~%*x5Cmu;SC&vqe2C)}d+nJWi>B9}qt-4u~tlw}5! z1VftSFChN|2vU`0_`^ARed;NP^hU$mcb#nzvoT+9iZy+Xv@_P2D44$nk8Z`f@M!;`)Pyjan^iSqdk!BFU(y_{4ny$5I<*G3e z28z{QGVqt{Syu{nPbo>-eoEU2oH_whDkO%0NOwB{rZwe`v^c7hXeOX^)P}R55E)Tq zzmNO*RLDC7kSqj8AyU%Bz4T=PsFO{S z1Wa8b@J)LbwY*iiiR*)lz1{@F&|>sCMqL@(LRI4)0ANTLZmd$n!+2(RT+zm&>O}cP zId~|W3tE1+sA-;4fLjZ4bd#wL08-LgE*9RA1BZTCtW^SGlI=Wy=41cwUq5hEi%bs0 z6%_Yzm`Un?!lCfq{dj7IKmFtTQfqc)2p_wrPjC1JhEsvFSCxWea39Z{^Of2gw-W$- z2!AU!4X46`gD5PuKOI@k)Gz61CT}VM$Lxcl1exG$?l?21aHod371oo>ve~}i zY03_0oxN4rgI9kVssV$5v}GqlAi1C~7_678n~9&VQRx44f)6_-mFVY77h71ImO#+4__xitcgp1`(!i=>B7)mK#N}8gwYeezAu`IRT zBf!?4n50{*?u@*N&Ju1bL@>)UOOy90E!Rl_sfo%IJJ5yG32V+Q%nlK-wof3 ziJM1;eR$MUAJOJh5E&c=O-tG=2BludYLi+yFwfqW)GrQkF4-lJ)+lL1$k-mnl$U<^IEF_ z%bR9dG#luU#TdP@Tj9ntb)kYuflno)O3-_yrraTXq~I__?Sx*1ycqcGBA)Zam@jg|JdLfPq{0F zKU}vLpo3l$*V2I>&KYYdE?^Loadwa$(efx)37VEj{OFI|7)At_(feDE`ni~2ybrG< zBkI)_F6J}U#bou=BB?z?F`=YqshfYiJOFsKS97%(*$utO)M6%<==-f{0r^(MzusP4 zLiF%nq2s42ZUKayGeJ%DbK1>(Q=yBVX5bw4)i_;uVA8LGKj$snq_v+5il+#XJK7TM z4AuX1^vfrxZM!sRYZD|#3FaCtERJ0c2r+2N2g&z8?|sF|L-9>|z7KSZROw~H#&dg4 z)z)&H2)cL~sy?Rx}dSI_ekg-1P3Y0?!Y~Aq2<(^P}R|1@ao~LLpHW)lf}~!k$lxvqsC#@*Nxm z;7m3$pS0c4^Rh{8q+Hafv{C)jp|0uYxy!Gpj*?+{TB63;?FoQsFvCOoMismst`c^B zj5x%JP*ZTRGX0+1KuO%#!`60$g*$Yw+{)^T&$s4k3wnnb!oE|p$mMFG*vmymp|-xI z>kdx(mH)R}adn1whHk*dF;iGak()%6O3%*X-FSQnMtSdYX^xeAu4aM;_#cX> zqm@41r|nhe$dH&sup`R+8APr>9N~-8hsWqSYh9!zO`eJF0&q~3R4XkduHuJg)gRkV zk_IgmO>Ip=Vp1ub&+P_}#3%-x!mL&0=`vC&+|TV!1(u)E)6Nqlkvks9Qgr>3(C6?_P6RO@8x1pyx7ri!0aJ4X(zmwIycw22w~zi% zhM)^6nZ69pAAOk0QX`7w;=c*Ght--@CREciu2yH}oSNWR6q2AKP;Ybz6b&Ct7HL+A zW>=HHLS+OTj$k@0IQtRbjgTyEVFZ=~kBLC$x<{?N$lZVw`QS+hJ!+1Wb2xwW;s^fP z=R#1A*J2pV2?4FXVL?PTf)Hv3I{9J^6o%uaui|S?)$&26;YO?cnGDZOh-b;!%JrD; zDX2Xnc(&U&EDN`NR$Ur^Zj3{|VzNeee}oXj86m6553s$BKpFLAWV`>yS2uEu%Dluh zihUxy>hXR+AB`V=04WW!#mbP(#kWl&5Hx_*j*kv#T!^eWG!SCu#$YC|uvT5ZkZ50Z zvEEeW8`!4+8QDi~T_zs;g9?0gyg$fGny@g8vbg*4ivuc+TcLjHTLJ(i6maiWG;sKmddAC=&suzs8stgfVHbT!Sfa4~@2L+${Et(Gb_g*4MZ!kq-+=)u_}=*{|u zY+BhSff%d@gN^+8dNeMfKe>?@>n8FEP&jBlA4L}>#3#Hq0p8=WAq6(Z%voH1j^}tC!AIb34P7+qWzfX;INLZC>P9Fg^sxu9?2QjMHA;6s%GJ zalkL!ys&4Or*SpKFS%GIU}#2{_hW@~vg#KCDqLY-Mearfh#tA{Oq%SYuSqVek`n|k zH)i5<3L3LI?E9Bq1&IDFV42dY9=@x;Z^oA5oAwE!ei9H0iz11xst^!z>_4_goAc>C9=;RNYdJv>I>Qx=JPnZb#@-zo5>D-dskpoRvmp_mvZRl1#t+QmxwNSR$ z8N=0z2%q;QNfm1a_+f?uG5OUwmGrH5Dh@>c8!1h99lIj#k6k@P1mN|$4d=DmPPu}i z;wCPL41t{yK;ho*b3S09d$5;44;}m=6I8CR7wGHMR1fIDh#9@q`P(zW;TsF-)dCfS zXd%^KRMdAezmeY1gDN)rBy?GkhA#RI2RkLqzFnwKQv($hn3h#C^S?8o&=jZOeXD>r z(j5GX;1Y|`4kEt6twEC*M36@fI}Elr&Jbtq*77-5zjwt_>kT&v!4=>QRIa3#f>LMw zDACrz8*uMpu{@U67v{vJ8IeSMDI_*T3!ECLu(>+AS>Tv{y%q)Y5c&k^U z8&tsTdm#qH0LP+Yj5Kz@qM($J8WOIqVeF?22XC}!UWHx|bN~utCIt_cFjWmA1NCvw z*)~OYFmMNEs_@YD2hntox^^nF;F6fpip-#K+CXy5JK8Q-l~rqW7PPed#DDq7A;z8k z@`0MaRP643O8J|Ygm$7b8A-um0@GCezXJXkv5kPXrHW+ z0u5{b6=k=Vml0w75y2J ziPBAqdS$Jc$Ksb_hdtUlj#!Ft_&ICs2Oj)!>~@>~)+fK6=;iCayKJMWVBlzzt-Gz2 z16Ran4vLo${``i!4v{>0G<3+`A@JG1ub__=3kF2pvRZ$#eW79{LOAZJt%t!3Y%4@I zz}1fP@!83I6xlI6#tI7T4<c5 zL0jNGL+mwXw8MYw77fzbSQ0+($v+S(-1$I%)smfDlj7|MYxs$yUR7LojD~T`9^#b2 z{eh9^i`&O5YdR03)C?L`xg&&*0Dl8w)NvT_H$Wt|*d?r?Cg{LVG!AP&uO;hF!sxDP~)fVrJn3JPy^1c~jB%{?vWsotEz4T-gip{4~*{q_bCdAO1;k z{@3{L*ckqFSj4d7L|W}ExmzJiePZv?)~}H3nf^?a8<@ci$PlO{gYGmT(D*>@v={~* z!FUxj<-6zz+%-Vo7jq0uEy0H}N3G7q;o&ktBFLyigTDxB(VO1r@zh>Y@aqPFA0OI2 zXir6z@oj09!E?t+(&Akc@m_l=3Kh&{yP=Kpk3;m-6x3(U)Ucf}Nmr?95&9BBL!sUD zB>j+txaYNK?yCq4&0%QE91uldmA4>}Wx(8K{y0NhSaA+hT$)&!j>H_)mP&OQMSBpM(O{mM9eB4zIOr5(GW^s5I4ReBLQ zF-cp)tN7^BPw+N+CN{(h!~p*`H_Kq~ak+tHl0MJ3SJRt;ko2o8y~)pIiw1ZkX7Ld{ zp`6$cry0P$04zaSz);hr+=RR4Q*Z+JCz(`0JA=n`vx8f;-F|t2a$9A{OSzmh9^Ikg z!#enth5qD2gEnqr_J?fo{ATYKX@(aUKy9Fomos8y-R!q+nrq~}=c8!5>EEAK$~Y_^ z{RzoG^TXKsrY%D`cHtleY@D5CRF#>KmEyjX2pQ zSAPJZ8;?!?)bB;VwVl3XIyz1pMd=Un#qGGE)Te3w{n_Q--wOR)t^>#+9-BXVfRH99 z-8_@Q&-ZYsOFwbEW-}~uvwyXE3dsC8V+#NblG_;t`8g-#^R>#_XFM^M{I66SC?C|l zmmBkgI@#>0>c73$jWsI8PHsi~T~`n-(xMfYNZhh}U(E)+1tZ{EZWoqUluY@H5jot{ zdA~awU2#2yJQDV0)||=~d!J4|4&kLKX!>WIS~s~>FvkGtWijB_5{V`VTu)4W>vfGa zmpR{50%@5nP$IhAq)r_GZ95CQEWV8Fk+0484*&bs?{7_b=*Qz@$yvyE)f6L)O8W<8 zS3I5WB;Kiee*uKHUTQ`rdG+Q|{=uKvv30Fl`QzD(jjDIyI{PDlc{<06mJTL^zF^@Z zbM4GH-b?sVDW?y3X@|qO=u)5~S{8D%u-0{}*R`(}`jlC^y-gJr%~P(EOhjS{@dpx1 z&3JQ)HkDnM1|mX>ryI}LXK|*bf!>3+<{~w!F&u9+D7j~9dyhiIc#cQ#&9HnFz92R6|zyY1(p=Zc@vQ-_XuL!b9Ae8M3`i={lQ^o#yOe<+Kq@8#3X#FR?HS z5|^e4S!E~4cmrbq@~N&^H@p_Ah&kH#ItwyFQECQX?Eg5^NgEl2p;nP@J;EkCnZ~2k zRQk2b+1!eYb|5~J=q*4=bN2Y&?oUM@zp>Q`6shCUEuC>7H+IiA`{q7GTrkKa&y(y5 zs_S3pSJ*rjSAv@)eY9jhDDkwo+!t{FVqd6#>VW$r|I~S~QU%gk?){99%2l}P z(VF|VZ@3EZH6$*n>qIsPMGOaqb3z}7SrofwG5@pppxH&7^hE@%qc~Uy-(EcgDs>tOH<8q zhZd$2zclL@!)NJ)3u#fgjL|a5xztUS4T|(zse3Km0d;UJ%rqcJNeosd5_5vSZ#d%~ zKkoad0|S7R`vDma&?^04co#CNVQ-*o`qLUHaztH=-^=M<-1b(K8N?TAa6DUoS~~n@ z(iWilXn!9HXd1ldXN_L|Y)#48uy0{qIg>VHvRvu-9{TJg+~}P|N!{C;o_cK6%Y#&n$YRdP_2A=<`?+WRq z2hR~59nFCG&$S~ft9{lHMNgmGlY{>iml(s#U@@@8#s;#k+R+N)(&BoB% z!mxMz#16s_q+vee7c0N%035cm&Fm;<)Ht1*mhuf|O*0zT@`{aUv%pSA%K$$4_oDQE zXMd6zTfqIQ+#sH4hv&e_qjQ3Q)o>LbqSuI6$n>xwssij@3|bMnH#Xk=IWGBXs`_)_ z%Sa{hw_Bq=*$tlBGYq0UTz^}lc})6u*3w#Ucg3c9ro(wXm71DP3|@USik`E`==d#nB%fD`^KRqkMv5AqQ>kvBLs3J5%F z{3hH|>btU&l1R6E`q;a7?`iLeH~Ovjk5n74fkX>AkiO&?q*ukkc*M3Vo<@6;j>eoz9fMOZv+sP>q?WM;sw=e7)*6hSUwL&H zD1d&`d}+n4noK($KyX}`a6t8VIkw7_D=0_HMSt4cBB`3sz?3Ycm)Wh^0jEG3oX#*D z*l1p`4o0IxLG99vINjCv3f#xFlzeZQBVNcfqDVnZ`52P8POb!1oUmm^KjFr&T);Jd zk1s5MYKxZ!pM#64#mCuI3h-whQjlZB99O^Cv=oTm#Hfy&W@SPG=zGWAQ1{gqN3KzI znQ&o4u5qymp4l@%69mf2Yw3|gkd%!PPSdVxh%Cn+i6zU~|Fj0@2P)0SXZR46g-OHY z44)=H&(w!*=@5(jA3%u&2uH7SK~e58yUC5b-Y3}JcryPV%A0zJlmPa#zT}>L%Ov)` zG3%+hV#hh_4{eDIKcp9{b972odt`!AqHeOs}_?rGvwo@s`$;1D$($KnGR0Y&N87 z6k|DQ8z`!BHG$Kj#A?)AR#Tri@@LKE=Q%mlReu#BNy zyr-jM!E8W(mSH6|l#SWWd@)Ch38U&WkIhDBCuU&;#g`i7QQ3)<+`wYF3mym|If#>? ze&0$KlaPe-^bH4bEgi;q(?Up)Je^<$a|OSEa3=)9l)^a|6viV-S0JqzIgk1Q+?HD& z&I&%sdbtCvO6V9fj}ShpVn9&hv~o4WdehP!zP(6_C8`)_j2q7xKgC;Qn-;WIXH4m? zVN6Kv?^ASW5@?$0uO#n17N(KgR=u_;uKW2P*Ye=oEH}v??q>A!Q7fcuIH2Aq9m8>) z-7Y^WN_+7xp?vFNA#MHlfJ_8jQtX8-$n_XMaxL_I=Oy*oX02R%|596`i*5 zZTAF~-aY=SC!q7rCJBzlyrdg_6_h6E6>^8s&ax!x=Gtka%~3Oa;Bu3sg~sdAewoJY zxet#c@15Z3ITjvt>dK8%#m#)iOsD{$Ujkz!8V2b*Hq0oc0y^niIHRK1(Xv#_l)yF`f@j`8f&iIhED6do zqf*?9gc4z-NUveQ#skrI#1w1DsKJ8gsOg?3Qc7>161JRUEP&ww`2=)?Lg`<>wyt)> zhSe8w9F@u_|8Fw;qfw!eR%Ue;hv7|SO%fGRRtR56TztYVJGrl3{$r4$KART73#p(0dIQ$rd<`$GS7NM6?BDx zUsdy*6xXS6O1f5OJ9$MxmQ@ECGLTqILGK*7lI0_$IJBTvwvm z0;FyE=Pb}c3%8mDtza|Kfumhdvhb*}q}2?)_iE-ceP@qix+tNOy>4~^m8&f_gZ%Rv zE!l!sEonkPHvT#-F#CXe0)b@~pJ->qz#7Oqxdjq)7?aWzBcnhk;aE)$;rV_}`BM84 zL>?KRh|ulCGy}&qA)}Q#?<4W>&l;UE^+L^FsZ`LAiRbnTczp?v=7>_%xkc%PwEx4s zKHjr%u1BKlYd^a3hvLeVY5`Bv42AHE!AkPCleUnod7(V;GIsR67h%{Cz?A&uw1vMS z<|ZIj@bz-^BoGNy_ViqH*RS$7a1!r0^XZ5`ym`ugJWGLUa=u0wXaM zj6~q51RR*dKjSA3@SZ55CU>64nYrx-K0*b4(uv2V0*TzIu5s&bgY_9XjDvaiot1)_ zF*gGv1*tHZ4yoP{Rf3*I9Y3WPr33|6@*$1+q10dcm0G)}Tv6BErc>3w?GBES3rA!8lc( znkh&9Ws~*5En=vaN?~(Dibb)`*sth&4vzyx2Am-XV%A3Uz}<$%x#~f&x#o)w`Ci5* z5sujrofyqao7bn|V-DPsM#(8QRbHv;X(3z+%iE})G? zb?%9*P_pv?K80OxB{XdYA$Xiv4PZ5wo+a6)HR&d@56SIN5M%K-$`{W9vjynlZ4$<9 z+`oS9D`a8@)8cP(!W|xt8gWAaZGN_aqCz&J98teuV$4wawtX&ON-Y>ndMkHM6o>-_%AopAIL zJ6)}f>!wD5t{M89c1R3J7aoVjUe06E=2FHAx9Ke*=YbeK_I5FHeavf?g-`*BUlI z3ZJe5pRy9*qqL9=sEZ>CdtCz%|B*c3*~A|;FZ3|AG+`{jVbM8at1Z1@pHadKENlvJ z@Ki4U#zaA~5p4@X8FmWarDPrkCdD~pxGrqw#4Y({D^1ZnknwKYnL$pZ#P7J-QE7mxiMCr&tRxr*#QG%A&eBP3P{ARPpa50bL&v}B3~+G812FawWO28< zn+>EgNqrqC>jr6A=MXfIPIAQd?|Y7>W8saqXsFgsU3@`CM))0OjeCI>Kz$mvTG@|` zyggxDObZa~YP0ZErktnkX`c`Xa2z$+uVCGD!4r|Ml4$y8j;!dmvi8u9C;>>dI_!-$ z4U@GER(UT%r17mf*k_pFaMJ=r+o*#b7dRkPr6L7DC69#Pq1ZqR%2Gf$*J=a|hdTbP z@sTyus?8(n%2%$OS8LAV-2^an;hHGF61OWn(lM>h9!mp$PO?46&ht5n$# z)U%O#G~oP>ag#jzCryLvUxaG6>GrYUL((Vl&|T*+tpE?LQ9v?{f2QtMZUFDszqp3%xong8 zYv!=NE%8v}J^DPiM+JbMa-li_!NRd1g$Ywasfh;gCfD8|K#=C{2^N7e2MD+on~n{g zHGI(a&ctkM?TOZkS%lAB;xxa@-X;$We}8@0s_5BSH8U_zZ6RLB3e`3p@Zat|a>EgGc7hw*D{Lu9rP++{F248EZBC$P|O) zP+h|#lc&xVh}OQlULc6+IT^rYoGkTd>9MJ+a(f)rbIDeiv`3h&=&%L;%f&ZAzl*tf~eaVkknU}9@Xy)xIsjq4H+EQ=r`}ymFiLAkm_v`Ry zu2B@Q#9{f@K4-12mbrftmqgnBv@Cx$Zdi$>u(ho8);?VMV(h2f*ki}%vmN(jZ{B^c zy)r`deuM~+usmrthdU2r6-IwXW<)4SV2!crji;+qha?wYVUAU-V&v`{8sU ziS=pPm6n>s(2U5XhvvJ}v_tYLy?w8Yi;jKU!SE`Jdwvf@%pcIdx3f8$^M5m7Qpb#x zpiQ<94Wq)}5rlBWVaxU@BCP(;g~h?WC2?1a*A19QREqeQ2u|mU-CosT{{fOM)JHxX zL`kWrTSHM*&NO({!2|AJI80&<1qZy(7#3otM$e~Llk0G%4heN= z6B5$38W|C`*kIi-Alj{@s-dT5r>9m1u9f!#Q*Vu-z@M|7rNrpW-UEGQgu8c#m0#{I zY7ZZF3t{kUfMUHPOC;DRz<9WxUkJhU+K={5RJ;_~ajJ8_6m2$B44gaF|Dacn=pWQ0 zz?^T2p51Y#Z2hO>_(X}MkWFKbf^GHut?2i-O<^kU)pOr4$1%5%(|qVfxpA$PqvxM7 z^(13>t*9u2BI{)rcJC?X@Cy8&sI=c~WQl~i5dfx3Qa#Lr6dX3cQCx8wloolwI0y18XN`2m4dVZ5;=~7gR}zuBpP^jCj=0a^{z3!p>s_x^ z-&n~L>WLMpF{N00(;f*ITiY#sf4{vpZUD)$+Hq$;I3Obri-@jw-Sj*Bv9Y!reefZ$ zzAxpwN_<)-F%cd7b0T?CBDuS|5_pSFC*o~|lyhD;YqitSln~j-h^KsR7iXWMm0#%U z09W1jrD~tK9NH+ogro$o6N8QJKwd#+1^V_5+_K2XzYhr&7yi@R6qYCun((%QXQ|Dx zQnlixTWdkBbG!LZfO^sOzCvuzn{ot{i~F*yMtvnCG~eFDWoqs2iIP_0Mxiv=_?Y#* zVPVxJi73yo#Cpt@7i7Nt4I(hgbUrgsv^KIavRs>Lya0(WfnttI^49N5j?O&5w|o7n z&8Se<;By!eqWFs2+gxRkj@S4%nh%VjY%3t9_it!Uz!^ATupFyFd=7veo-IeUCy%-K zLRS*6VL0_Hh~y6HkKUtXd~b4BA(qC7aDM-=Y)tg>nR0rmpySt)LO*_10oY(;c)*^< zo7)ty6nn&A|A1_uU)HF#2+$5>kUuvEV`vfQ+r4#YU#=IH%*@skm0wntSJv+4x4l1_ z`*h&pd-*1~pzS6lr0roaX_}SYSS|CRiB_L?H)+`0GaYH67s+%C~mhPN9SP&q)R!`a? zB795V9SE(x7Z{MIX)W#!NDvQ+8x)yL@RO~@e-mZS zTk~wazg=5+T55O|VRWw?2rcprX>C1^&$k?=aefCxr zFJT7nE2~z^FO|?a10L?X$j}^Bmv7eMF3a>#AzwVqUxTCC%=U8mg0jheBD})yU`#Gz zKgvCNu|J{m4e6f>@QPkAvB$&q$cP18TW!wAxmFuq@f|<;D_n_rLRI(wW4rzNzmfHc zsYVd`Fr*MRWupNU0E0xoN&ouh)pd<*)L&6SChN}Zbd2oyc1&{tgsuuUNw{}+i5!2e zrX!T|v{uAlD`ba=h|%F@CB*FQmO{yJY>#Gq{arTLf;{o6NchW(Y}2!>JZmis^bu7iV=%MF=1Mb8S^*o}2`^kUE;3)AckYH*he zr+0cziyin$iR{dajqlMQ=6UphSrN)O*rnWPRUAxWV?-s^q`M}uZ*dox4BOV%E}l~Amv*3_r}eW z(^J~a6t)GggKQEWm?)669-7@L-IlA!$Zms7Q~ms_)eX0P*I&bY8+#PDyA z)u@-poUyywtes8&M4K+EZn=^ss3Ac9>s&%q`rb6P2 zzK2`y-Y4X39^iyz7}10`SvQo~tbjU>?BReEv*N3LHQSvRwJGPm9D{R?BdZ+t#8Dj@ zwqc3Co-<nN0C{cB6Fwk82Ud$fwP8~WW=FG{{#&1Ws!b(~Pj z{ULPfz&V4+7=RFWt^=md_eGQQZ}$*Cs}5g0L=ArF`LuZu+W)^MVPX`KJf|= z|JT-BItWuS8~bne&j!*laC-`t0}s%jgC4l?-LFSXVVnfWAe*A~cqBIS&uR}3ArZc+ zY9d3Uy`Uj1xWGC!JR+Kyobt5x=Tfd#Dc*X{8PHI^PO5M5bI`~>Vhu})88mC-EHp`u zDt+4Gyb>>83_;goXG$?-9}~}zoY1gy@vwjRR-gasL~td}DM3pvdCucnZ~bSVhn>q6 zwDqW7ybyq(Xs_QW&8Oz)^EI7jJW+aiIp3Po?6O)e^w`ErmwDgN_vO9hbR=hF$%}Tv`PP4s5#a5;LEn7fA5+XT)Tj?25prPg_DJXqJ?Mu+kmWScIx>BqL#< zp#zLBp5lTKkVn-u@+w9sKk;uMadIsfo)%}cxq}o&K|1a&>tXbS2+$?F=atP{jqnv|#}w*S(_O;b8d zD>pbTHPZRcU?X-yTjmEnn?bqXWz1+C!J~LnFKsWI-&NI6LGghnA~I#|JGBRGR~nIrR||0Tin&(WiF$A)*u&Xhs2?Ak-fQfbFs4&Urqr-E04TBU{S+y`~dibH|g-InSUCdwz#Rd+Qb zOW8^8RDQSZK|}F6$>Wh9H?C$b(!DG$!{orZcvO%;H@tse(d@j|(?%5$f!(!Mg^F0G z-^S?+;-7;7=93O0W`V?zkz^U`JA_%t9m?6$*?{#mXxabPu*Mw zm;v6teV(FtW1Yd+<+B^1{AWAi<->Udk!NPI;>{<~DglOPXpryrIyUb74_7CYX>h<= ziC!Ghzq$Qg8Sx!=hCpD{tBG#doNx1gkDy*lp2?6`faE`p=0PSGcZ_$L(c|9@1r*OYvr$FA0Lic z^E&k2mqtb7m-k{YTezgqbAc!}oPLFrRZ^7_p89vO#E zl~vQU62FnZ@=#%ZX=9L~b$>LSuaui-3JvX!H*IYjY0^@Vy!FhY*)?7dY(^lhC5x%jS6zCIa}xgTL=8J01oHnZzI znf7LQp>^9!InOf;d3=@5tJ?%8X(pmEx9h~SGCWwK-b&m;v zV+#?FF5xj6hOs~fEBrbv{ZOX8HQNVVi80X21OhfyfQlBFgn=lTw{zdmx;&LK0zurF z7c+l%7c|=q$FH;|xU@Ha&7s8u+dpF;Lo=K7+>5Ia{7V=IjSUioo-E>s-2ZY*kZ>%_ z(5#<3Vt+X5?#_E>?n6t@wTI0!@4p)#o6F1mV|5J%t0pDv%0l>WQhocoTUKsxOB_z1 z$~ONSx-ZoJ4p4Ug-Kg;eBlydqjKg3n>kRl)87P3?`i8-H1wI3JS;B-T*1lg=I0pY8 z*1j^Xs;6ytBNB?VNP{#YE#1+ysw%_E zFprw-d}rJMU-rRpTTdV0xCOo-aIiOgXETSyb-(ABs{H-TB_2}2_b6xF?!%S#lc!%* zR~<|x{@|}bHo-Wp7$D%84`mIMpr^Fe)$M&O{KL_MQwRhL0|EpPg!l|>1a9-FOQgX7 zX-1UYty|O$qyhvFnyp4W;FeAozqm?JF@K?sMa(ndf(UT`#J=oOmo8E~^0y_@<4#)5 zB1BE6eKk<-n}WagL?ilcO5gowO*_9M&IK?S%WF`uoCb8eoKR;z3?N?C$@>8t@E{N1 z?8-5l8m-zmGDxed_z?b4-hmG|~ieeBD2mH`F%$NK=L|H5+Rf%%`l}QMJ zn2Grbwy8O}+jtR$eJ+-^)uG!XuvD*M+5*N3UH?AbP=H*!^lPe zvGeEK0)>D8s0+kvmucV4seimLi!ZhkK;*zTK#)p3Ee2RleBb#1Yj(j8FfV{T0eGrJ zU^aWBN3Y-+FeLzBnPNe<^Uu8K0la1eZHpuuoB4L5T zwaZlG!PKCb?X`zcVcHdj5pB{IW$6^EARx=R7FHrg%uJg-2#I$UWc}dW+GKO%ND96b z2F2h1v%R(Fz7g;U0J?ih>3YhD`nm^Xoov(5ZT}`w`Sf%*p#P~qz{y2%AN|J3A5anc z9o!~jF$Ajt-_8Cfq22aJcT?9BWM_aOO4@I?a#?Er58{Y>RXRTa$JA3YkoYj?Lh;@B z7jSt}f(_5f04$ZMFpTvVfI|SFsCNVz!MgVWHR&#(Sh#oO`A=@nKN4>S(FTcy!1UDq zFNS9;;VZx;hUlT*NVo!sHqOD0@(G-@Hj{rx+We8J;T#eluuflgYW*>e%n_%;fSn2l z*epKv4?OtQ2zVHfN7}$#efjB)=nu1x_aL0zdNw`o{&}*4BcV%6T#~l_3&=0Q_QfUn zX<9(oF%%0DF!KcCH>=0uu=RazRS(zSGuQ7t74`iTD*k-fH;~IwL3tMr)^q{fO8Fj~ zKS}V6cOlc&TiG>^w|C=uwA@$cS`v58%uQ$Hfb&q43}o4IDAv#(@0H z4)u8mm^h3-Ds@48dKX&?t5Hav0Vq|8?(Q{&K^w?uSccYNpFBJtLq;?ML1_OSqs3Cz zhiZWQg-d|rDr^MM=G$b&&KWtfNkODh3qPro7vxh zTkg+-AO?9r{tzA4l}vDh3YADJrvtW86o2V9$&6TWX!k6f1$7 zgn*60lK8^v>KnxEJ@DSL0{(R5-MSz1U@q7Q>2Wj?9)Q{KiSPiZFyKrCD(qg&LnXLK}f;vZ}Bv@Av4BBaRg6sDQ%f)l%cq z#lWq=)B8US4*lnqIL^;58J979%oFE7BGw!&t zSjL=^cRI_($wwrCRrw(za!H+fd@DPf@u>JdpswFdOp6uV^Xo z&D?zR2rI*v%-^ND+AhR%Xp4EX;*sCO#+u%ALx0g&wna`pVOxT4(BU9_Fjygf25W?Z zQWING)jT}BVpJ0eiZ)`jorYaOE&P*!HgynzYWoNRGV**`TY%G75li>ck`4aD5wIiq z&QKl%B`rf)NrT#fq9*76hI> zeh30c$}p~^kh&()JxymAEkRuk#KfuW*MyGdM3fGu{_2+D5As^|9eC;~D0yT}YNaR) zhs;Uw9FWlwxxyCMfD-sEALJSwij@KN?ifO-IyWaI-L&;rZ}4hnwU}Plpfvw^0w0xy zSyC3QhLY6Jv@Z)cWpw_n;H2SD3Q2Y|6N>lvWI>HtPRO@kOgA4X5FaNA>J=2JyF%TtR)7C{f5d-za~rC6F9bi>zW^sz^z_qP$BiW-nPG( zM+=Q++qR6p+kwxkO;6sf!`C+x51~Mjj?Mgo&azu9=wM1NsBg zw`c#Qz2Emkbl;xjXX2e9X=XeNs_&tpHTIbB)_9yyf%ksks2L7+wBK7N__TsXO6fq+ ztf(@s6dNf&tWN*%r9db%(j3`ZN8+;T49#6f!E^6s%Rep5ECL$21Bis2NW5Z^j7)gz zOP{AMi=uuD|K5?2!GX4B)B~^0jE33@Uc{hxcXnd-U)CVVAtnN)0VbX8<3Sc4aX$6$>K7d6(B2z+}l@>nQIM#hp8nVTZjx ztFsmOYFBF+;^i(+zMhAE_4iFsKBx{Xznw4hz8V@vk6tn9*(-;we;apAfLkWnJuV+K*j!TtDCTh(;wyUW=POejOSySq5`H}z-XA>QdD-_Z?CNf5I zTi2b8CeMMfNkT&65)Zw_TAbCe0&S-H3jwl&_Py3RXtIa?dO$*G`u@%JhYpuQLHC@@ z(#lnD*fOcE=k`;$qd_FjhhZ*fkNBWdbHFdY;=ghF9G9NH56&kf3e~2;d#S1Mu>9a# zhzj__Wl0cr5$Wx5F}oGuoYj4L2XJaR{uK0D^4cWrK3>^{Drn_c#}!Wi9}JKg9V5>@ z$Qfzfz$|ZUWzgIc zk`@lt$iTA5k=58~L2};ZSDl^^NNb;^cVAPIn{N(U_^MYj>5e1;SmtX?bY>EP@5V;= z)>PkehD%?+QGVKhJ5CJ~h7oysk4VgFI7b$1SEvu^b6X-{^OH zdo4G7Ji2D`I=Zdi2%2v?kvEci0a4!#Z+wq=_`hI*6zOL_4xUEjUI!{jWU zNWs)0u8Y0U@Px)%tJWbVJ}1)dQbEr(r$r&`$T1*q+<-vx7``PR1tn$pe7c+2#L9 z0|%?!=VADpNIcxA#H9NWHaVm8_K-JpVOH9+o+80^iZ9G}_pieDxn1As4!OaE z%|pZ((pyr^R+P^ylk)cQqt{>K5h2flOMFpsFqED>>%2avh&R&oGM(Ov!f6AT-RBuW zws$KhQD1y}US)lbigsm5O|h}1oLCy!vrTMNzXJsyK4S(161q2gMNBH}$X=w3RaY+* z_6E$ACpUvfQLVx_*S!AVAb00A7c(CUL0+BQpIc}&dsOP0*$3!F1qvX}lHg zq4^J;rmvPJ{SdNG2^h;YpB_>RP?rKE`Mlq@Oe#p-tE4eWzDw zi3Pb9m~$HHU&=gNhXm`dttFt%P7$nJe9jrQQW!}-q9jYklM#aT7r66RL!1IIbx)af z5S;+$gCX<)S&BJDj2yh-()Ql%;`xLmWWa(Q!pz0TXt_^H^kKV=cgcVpA|z``=6`}7 z{_$fhp`HETcs$ViW=MxJQd&;_h=1l;(&ZW&q*GoYL7P{Px^;_+ij=77ZOK%|bO%lT z{6*LCRYW3^Pqr;cGW%+i*yM2h3k<#P?Pif*tHBSe@Gu4EQ#74C8&7ESX7cS`*ouE_ zV!WE9ppfDS?Dn>IU3cEZg{!qSlrBTb6cnMtKbb;N+t!?NCz2m`Qn&@ca^YwdT39HU z$C;&>ZkxXMAd+$)5qw*3iH85ZLB91_R*j5`UU4p2FXH$qE`f(y`=+W4pqSyS4FnI-|B3cE zPJ%aSJSa$pL2Y!kE7H?xIkmA;d=vy~sW^D9*S$Sn+a7)@1ynZsH~T2wUN;SueU0qh z(oN@GNFbzL$Z-vYbbfM@_aJKjdMg=r{LQvZ?|7=MMKfZquCkyED$(SXQBbyDYjWEh zt#YS9ZEiLq0_C;dnNFLha9Dw`l9H>j#3m(J0qMjt2p|qfp=i06M%Z%p z8xl`>%Ut_AX7KkYKvWekK6Obekl-iQf4+YF?*;P`qq+eu{Hs4+NLzsRZ>QIvQR^9e zj6)`qLCZv3NAef^1GmN2-Q_|33-JOo_b+<;8|=BmVg4V#y#JpV(NpCA0;FO5pTC6r zPcRSJm$n!M!!YS3@&ng@y|6uY3N76N!td@>=YZlG$lZq^DlC0;)9?*Y$t10RV^4i& zh)m;@n9HS8n77!C{Q~q%Kc?<|Vn#v)X(4NJj;*Wuf$j8Zk=L>F2OWZN> zWfO@vt=M|ha>}ua8Ok#cSne>!&V-K5wPr%Ou#e1QVzI>ve}!=|U|UjuAY5PwkrT(f z|DMoc=3lU3O?(UuK=nRx+tj`X#Vr2FA0XM_JnG_sUSh z(ZV%~pZ{&31{;r{Vn!VEpPpO$wC?INIO94a{8jBP_aZs6rhE181}HYi!=T5!qwsGR zfRkZnt6H1+J(h;1kMf^(%Du9EOY`@o zePwXYZSN8Je=3WyAdKUsq32kPNT>Z}II?b%K~LA4LHn?X|L+R{k=W88aalUAH;S0J zUj{DelfO{H)=zDLynSn$U*&z?lMz?gn9^&3yUk`^|LCs-K~v3%_zT6{2}Sizz;JO_ zW$5Xb$EjL3q=Xl85}7V}5mj`1vw)3md46C(#25og&nK$FbAGZjsN!|fK$Ux4wMYA( z&)Q|j=Xbp(@3vFenRzP82|RqGacg<(z4YC1LLfdM65Z0)VP`QiCTnsb!t3;?C>iE1 z#E4F|a%a9rcpv`??X!X+W!-I^vz@x*bEB||{oBksn~i9ae{X1NQrL-d2^QAvSjw6V(a;++_23Bhd*NEZa@z=XHL?mBHSX_|d_DgA9S)#H*Rc-JZn=kb9h8 zN7eEp^@qx-KeQhbIP5fzl70Yrl6M2PwC#9ayntt&Qtl^n6@ZA~{Q7?mPE5k-j|A~C zb{Vy1E&AQ^3h!*EbAeIm^8$U;(p?R<{o6FrT7W)E<^3ZVNz5+_f2@3f|D#*+sgpeyzrA zWXRrZ^)-mqQ<0{EfDI*yOZRjI9?Dm2q+%p@46G`+=1oV~ic1mn4Bh*BkRf7UOLuzW z7WmrbvaQ{BELUZ`XOrWjjxw@H>HGR!H*H9RkUakzi}>_&iPWZ9pn3H2`Tr(34@CZL zhK%atnSu}y|4*Th0XOKs)DtY4?l^KEzT$j=G?iEN~*0uqwMY@0nGbV-?Tcpu+{ z@-Nqq0#e|7)-U=!Pv*dx3he(O_QUZSb#UJsGs?1THb@0Z%9v>i%AX#;j<5mYW?Ngt z_kCJvn3%L*9W0EgfPj{GRi>#@=Mvjjb*)a9`lrjh;|$OG`@1A>10&}5ZEF}+*d_b9 zmCJxN1>$;=R8X*&QupTTzoa(rInv=7>q%JyOTo_o7XoOWoX?bY+ebq($!z~~&wCsd zFCIH7G<>qqsa{Dbg8-2gzww(^1v$A=oM>oa&+({dEE9~EbEHZ@bno270$aBoj?snG z;b5wSnc6-C0+zKv+DjVCVB{C!;hKii4>;q0-YW#rkqpEQkb$|;tYLHV7TK1wm7jQI zA(SkPwRJY8Mq(w^?(d`l*KwJN4~C?C(4k|tZ*WAg<^C2@)0gK*y@l#pk1>sBDxl}N zAD5o9_tHfvA^#j;t1vrF<(%U`Y93Pwl-C)`R_T87Wa+Kg-uI9AU(&DvXVH7r zwucY9?PX%<69#qo`gQ9a+4&i$=;*MnF#dUOz%?$b`va30pM#5!% z5=D+WP+|sKn9>uTqJ?{y4Tq3;?s*9s=CK5@p#2p<=qpO#1}TxYdIAN1$*bNYfB$b` zAQlwZtR3Qk-peQvgpL||F#un1-WNOtCteULS)i#?2wW${ z`Fh{1Gi7E{B6-{E50#$Ib>IgS);lV1hoQ>{E)dgDGXNtwO;Mrg^VZa5!89qZ&WlHp zF_9IPld0Y}?J=X~quNdljh6~A8xN2AtzRWMf@_Yo35+p=-*G9OBq9yLd3L7(2Ufo2`Cyd*DCc01+5)#Q@hy+);v1MsDH?s<(hpwXCwW@! zgDG7%yMtoW7=uCh?aN~n2pH7Ho7>=Y|BWx#q0wh^E)8v3p@`ag)>HBOB&aV4TVw-f zuM{wa)491`vt7+CIxy_=gD_GlsgGeH;gUh8H>J5s&&G@B=Nn*Og@5F0Duz?w)MUiA z_9VMqQV?|{^LXyfxtiN7vPSy{u^O zW^#Z2?Hfiij-$L}FD?!q51!saEv;*S9-NWz#3v?A%#9X}<~AMW1pc&)0rti<82t}a z+|)MhsK65f3G6yqW%5FVG@eEE-&}cLpSQ*62)Z53z(Z|NZdY7j^G!W_7(>K?f#SxV zxfvNB<}YKI;G3b1$6+6hG|x!6SOr+jIPee25t+Gm#=9^-FZN%r(M&M>ql`QG0^%C$ z)@4h06N;{HzQ-GlGd}O{e)zR+oUM|S*FhyineVWfe=5F!*`+Lhc8?X`gcP@UlK4?; z5Q6^8FDtA()(7>DO&*L7K`*yr(C0F*(}&BizrO`C-G5sQM; z1VB)l+|8f>n~6MRiGATM@jEG&_fSNDw*T0=sxHL<83Je)7uuDSd-U{Z!grqB9`DXx zHJ*&xcyE$|c(5Ya@|k|mkn$hox@t|>a@rc?)tSdiTBAZ?BdWHSyKRp4y%VY`0ej`Wu((4V;pVI z3)I1y2hYO$s6u`T9&cvRJ#kN0SjLWoU4_h(@OriH>Q`CoKsP9$CMG7xHeq23*DEGX z+|Ji*9i`9J=r6L0Jjob25Ft8VyEaS>=j|@AWnHfu*ks-I25lh+TJwI-W&7+0TFU$S zT=!jE#+P2vzWP2;B!tp7CH#zGPu|wWMd1_1lK6~~cB3GNCA|M*+E*)3A~X}1wZ24N z7h?|IeVsRzdwa9YG!lWNCUWfT>=$NdMd&2ruI}!#Noz0I7`QljW2Vuk7zi&LZ1 zW2#TW2*#67dL>CBBt+-sk|PtoTsCcD8~0!A{%A!eCEbU43U>8Zl{Rvy7EZaIwiDC1 zPqP>V^u;%c&Wnkq4bp3tc)@<8ndRWCtzOOj^)ZmS8p8qweynctiHEVHxyUi z`*oCSSk+ZBG{&>aLxW>JeL89ShSEaHXYXupI>)xM%_720geCy8Ng)s+COWdjp!x&` zH$IZ?(i8li)Km(rhnLP~YipL?TT2Dnf&IEQ7tB1jn~~Kk&#OoRNO-*0hKT#6(L8xM zaT@|}kNFs(^P-$VlJr=OM6&~^O#0U5KfiLOJ&5Vf;i^5fujFIQD$Y(X&h`&7wErMm z$jrhzP{i+cSgE@z9c0}cn68u~pCF(hDj+Z?da_|R@_E?=35~>^Y3IF026bv@c5G}c zm-Z4xhkOLVi;LSC!S|1P2B6uj1nqe)MnI8ubW~ zp(NxCG&VBY=9n+%W+P|K^=i<-dCcDQ{a`C>+C!j!dN?u2__q8YX8v~R*j0{TtjYd# zt@($+zF^Q(@*L%}(c;5x&K+iU7CUEW^)j#Ng_LDOR&Gow%Ap^+Vbk?gBSS4SU0r$- z8@G+{;;XA`*oyMb)}n?ZK0gdr?7zjkXLKl}28P9rG(ZP@Q^~`Ux%Gj187+*iA?v5^s=c-{-iv0T3{-%BRrAXr%itCwk<#^#d$2%D` ziVj}4RTmY#H#h$vJpCf9gKjB=fN=r)v9uW%Kc24-j^`emq;1jLPSL-#H z^v`wqA)bD8wKck(fi)D5&bWo3qW%m#v(hOuKRl%1wahQ@N`lsD6coC)3h>wUBpwTr zo6pq`77|-@gp#zB?li;kM@g@qC0+&53N|ftmb?~-YB)h9{Z$LbzH@N?jF_3HTD9!D z-j_5};W6@guv8Zz$DZkIY1dw&g|{x7Nk`=<6;{_T_V}QUgTY8nn^{7x@8gZLgq2o0 zEZc!LDs-oF@Df2A;K43?0o$s(z}Iq=&N4V?H!T9)gpSgt?}4tM@6QjFOZoX;-?LGu z61n2opQ)^M>F+~8_yBDoZB+b~;a$+x-8*06v|5B>Ld;!UVHSx97DPyx+`#I0WjZ9Z zoeI6(A?yxeLiYTa&)-hZ?H*$?Xjf)_FE-ulpWmNu(3{^wEi;i*q5XP!V{E)yZZ+*O zUx<3VeseI*R5oIMx;eaFqjlF4_*^xrRQBh%yHh1+9~PCryjB7eZf$+t;qrXXDKExS z1EyvdyfWVQ{8yy}uf6T`uhk~-N^wDbNp-TKHQa7eT?%>1hnHSc{uOy%Fry#zGBOS` zyuX!7@(mu*$@R~|T08z@ln{J<*-+G1`^r2j1&dz?8&E?KegVxa%x+5mE|n|yOo88tMFf|AK~ELl`gDgN3e2s zhE^>^PnJWU!6TiJrxq6niaK7e)I5mv8lb{PK6kMW#2!rKg$8H4$2ixng5L~TrRt7? zDL*^Sm^giVG_6~;?+=Et+)QLPWU9hEf!jStDiTBcd7TEkU*-M`E_VFD^&8)DDL1BT zILrc_hBq;+yfhI(*0T>BTwF#O%%*E|_QY=9RrKjrV`0Z*5UqGK?WDX{pQ)2Dna$PV z=j~6blhkbyYr1vZ`8g?gtCg4-sivhQD_U|G3{#(W*$=>01UlUjdtf9Vb75!2bzi4i zJZ+FFTQe&lC+7j?g<6rhr6C?}jF9Ns6XVnEv09H)@mWMGFi)nd?fi`8gl)m02m)!2 z!C4r1!OkHX_L>`8Hb{5xRqMJP3p>3B^VykmR>b}@@2CQ~nwK9_TlC4XLST)KV)~ev zIJh`!^<+_kzj73-tcf|Sr|f{}c2nGCW#xEWOkZ373LtZO(wFRZzL7I%kTp~9U~}+& zPE`5TD@jp~G1YeJjI^+`y-_hvF~^sRWSIE)Q7;~v>Dggo28(6{zI}>?t!QW0HJ`!C zGSk#>`{B^Khj8tOsO)`qDXH8%Dv3I&D8jVjd_toM@N z_ZvGGZSMo}Bb6yx$qBLJ=!KS9z;uEf(I zFZI@myw)S5Ts|o?Q>^3XmC7lmG8eg$zWuN8#H*QEty>LNSo`Yo+}xf-L=q#X_nkl> zmphuakmmKr=XeuE9i-lcdxEyI+p2Q?iA~olQkL@qvnQUKbPIcHzm^Z>lX#%BC)}un zV^*`J4=`(LYS_%x_pd)Zf7E)iJ)gEjq#jMoZP{E7ySZL3tqAds-_>k;&is9<7Ipf9 zF9~d-R@2ZK6!&8N$)a233a32k=c?AR{4R>ds^P)GhqR`ajJPWMJvcWSzC5W~0To7RW3%)A+N*LOGPa>bTER&7n! zO;0++fSr0GPr`(Js?njyE9&!mI7~6|HWD7kRCV%;({Ups&U~%O?TO&BdD&|+uHvcl zLyBb0)m_Cp)q%sv^>(@QxvY=S@PP*NigyD(NjNb-B`ukcvvl+68E!eP?zNU~;!lD_ zfT%C4k9sFT|0hI{1G6jVrHzubrjH7;aW}^{=oI8g=v$}93d1@kA_B?KtD-UndWOo~ zi8Kq&loxi_lH}%7>F+}#mj#W7DrDSIWR7o;BB-ddY`GG`wqcfIl!mQqiIG`-A7v!t zpvO=v4R$JWciw4YO|=W~VH1c6U>;1Nuhkn*bqwT7FBaewao9q3SVwXJ-#98=LEJCAz}v zVOcpjojK_O)vR>BitSv32>~D`*MU-R~jandqC}Gtxm06elVT zibTnYN1A9-34ebjglG5|BA^JY+kDN2bos=$$_T%&V}OSq1V4P3A1?j-Z-_81&OaX@ zPw#X6`2<0RL;L$t*a!a4M<0xZ|Kr8~_Wu9&BIN(yLj~-$l;N7Q80pA}qyFjL-E#Qz z@At|eeRyUkPWAgrv-h5}C{_vr(%&DDHUB=efIoqt|JRE`$hLnk-pTEsfB)^p|GeMR z9uDn;QpTwH{5E5`hEmQb*ZiMbld1OVe$n#t0xDI)+HrBjRP(6Bo4jhB`cp0e?lSKz zjA)~eRHeOFj2wl#nv=6Hn^e5?x=K*=Y7pAA(6;xNHS%g{FlXH!yWHrM3&^1gLgPmH z(UNKs6QV^#^~vTZ=SuY$lCgq4y5GwX$071gzS&SpYB*yq`kro)r{O}?rJ|)xoF62aoFbpK#!h6}WB2k;hX-Pa76vwlQyM?@yW=H# ztoC8Mn8ZKTt&$k*QhZ<*HM`SFN<)DEv3_Q!JF^LsgaYFr0BZguIl*n~mnXW3Cdvy6 za#j{B7aQ%m@*tw{y$@; ztv<;#TnQM-78Xrntcx`KLzof`VoG1{iRU+~5QXYrTbEnlWL4Sw}WY5dRHN(&!_r zdwGORU#LRYh$)-3JO|T?jgelea!%RtM@O4cg5HLp^ZXg%SxuQ26tj%i^@(=R{yj~2 zSZkEXqXfg*~+wqYF{_WsEX|Gg!k!3+F>>aWRVs1N=IcmF>&JrDVNpydPq+JgP8zY`eDAnzp|G zOvT*YqRiOo#=jr&Nm!^1_)jH^jq*>s2f=x!K_Ah@Q=7B~kkj_{<0U(bP#hrjO?_!vk*eq>*{a_CCm?KQ=~HHVfAoeKfk zm|%;+c`fLb&*dJyyx!qtuTRgQNCrt}4j_xBiZ*iPTdKcF7L*&4Q_-UBsARO*>cX2y z(SZ{0|{%IS8iPb9R1c9W4JcM`zJbt*@9`=z!;*oLBg6q3f0f>N`21CwhI;bKl zy>yKKej&`^Rrgou8f|huF30pw4P}Y2dmbdDsOc(SRHY~>R7LaQ%=#)fAL9^!ej%O#oSmgpbXv;7OH2^+KONa$n;>3e@8 zF;b2qDsZm=i`PWRYwNLDh3L=2GjY(=T=~PcZOYeemJ~x+m>sN;C`2J$(NOr`Z9py` zAuiC~&@;1(fnS~xtLWH3!mny^LkAu@As$=|r-BXb_rA{kiiRdepzCQf9B2Xq)9ffs zTJVV|Xw3tzoNff}&yQ%IJ@fp+(yV0%(QTe7DH3_3e(7ry$^(B+z7~$~f3*T2|1u5! zZ(IBSWJD~y&U!`bV1K-7-^SbjCU10YWeqn*QXt8X;j^T@{V_X1?^S30_u>tPN~IiS zfQ!U2h`=O&EB+RP^#%Tz}_0w>aoIhlB82ln@UMbpJ43bn_Xv zSF#>h{G_=X1KzUBeSUiqq77cwCXBk!>``;*V&r~(LK_uUghoN;_4)Qy-berRueWJg zmmC|f%8dG@Uf|vuq`#fp&*L|*koJnZ?US*;-Z2{gzJ?NA=r)WR55-%1-6W!D*TwrR zKsv*G+QbkvL7uiOSh>xyqqhPTgw1{T^zNT3m_8vXfga?bJ12T@-)ay~RqrB0w}^R9 z5^T42PB~{i_L#P3^IT-*yId20LR%;ZD@Zc0#>;OyKhO8@yRC&mxh(d~!3{519p<|h zU3S=0Ugo6~McV&Dmm#PisWgBFN9;bzG+CinuTQb6vWvQ&;xxS&-S@VNk~Xq==eS>- z3YISzBp)cr0|FV@ z+Ir#4)?kSWjzX2w^w}99`)LzhXncr4L9;oWmw=6id)W4<<*VldLiF!w+PEAx+ebC^ zz_VO-c#jmd%Lna(iIGCJYusXLzDe0S%}+04>dKujMzCwz@ivLbsO??fb~J@PYJ{F%o_tJ=05RWVR1F(&daaw-)F0a5dl1vtM<3fzT#LI0mE{%WgBeFevEN$pH+5gW#pq zhmeKWRmaVTT?T>GJlq(cr86{2?O%9)Vq|zA^{j25JK%_CZziI%_jxRb*TmNnT};Jo z9STOBrq{330SD^IBFggW-aC)=+^Xyb{7CVJVVNbojGOKL`A5VPZ(Nqy%s7wEbMn@iX03;csSAP4`n3E`Get%E z6=)QUA+b9X^L+bsJ<`^d^y@@57S<8Bur`|rA6L1>eZ5pM4Zx`mdBPV?XC-AZTNS%? zrWX!YLX|rLT6ro(85UKTpT*NI+zx*s?q1c6nhu)$G}Nw&2^qH@x0((NIwRrM20t5( zcZrgutk5{U^c-D#0E^dsRxS2+*m`)KUX}JM6Yja5q2u~{-8w{ebkiZHp`H({-x8$V z{cyu!Ue-d9g>Z6pa`9!fWY5H^>SykKH8On)fcjY1+5UL!|&i#iV65V)orZXgD0ced{V|W7eApCnol&_W-VT0}-=^Ym!Nq zd3n3&(%5KyE5dWlH$&ib`igV&X!;1X`p3L4!2eQSiFZ(ADz?6RAB-uH>CGD(g!m}A z#CrH8x%ueoc3c?J2G+iyN1@(!3Yt#A7CULF{%(@}i$}BWxpL!0iFxH_!>8K~NPVjH zF3(Y319K(B$;QF{NJ1fDU#%`scbCL~x_3O{{JT<)@ojyoc-rmWC~r6jcA<;hLR!wA zbZwrJyTWCdUD7POs)&aM(_X)H-2XBB{Gy_0ekl(jgmZ(jWoY{h8b(&ocyzGO<}s7d zJ>IgB!9vY*k}#0E9D5R)5ED}CIsV|e%yHW>4d!4tKg};|cI#ilu-b;3?b8eEHPQ#c z3a5Ezq&(w|9h`-YyS1murB3UEr8ka_RQcl`o%Qo$Fwc1Ud6LIN;}zytaIGf(9|Q-f z!WASpXVx`wlPgg*yx4*2VEPIU=A?Y@N~{aa@1%QpQJ>Kyn{?tN7@&93<-8-HnAar) zG;v@=d>ZUALlqvZ@vm-0r~Gan^(1V|de)tiid`Ex-!vM3^tI=DL(wkpH!)5Zzuk-r zaI)z6#?e?@T|KRa?WoWe{47U8UiW${o>W#YREuc$WHTb6k?Z!VMqqBw01--_`arNp zw_M+#EWjx zSw9nPGsEpMB>T>cFMO;)oH8^0hS|;#{Cdo4ns;}7K3J0cvopcD)5Z_%#A%N0vBHbW z28lqqgd7z0ubMukZmQ5z>&fc5Mv5%>c&GRVQ@3}<(ZMC33wwnvh3%E>a|MiKg_Vwm z*>0xoVDY%>1;2{DW=SO4&Ik^76N@E8%UxI7d+X3V`Sa&jSaf#9%Csw%j+0AUi%bfjpuC&>I+45D3&xx z$Tni1ZLCgFq^^vd#GVf=$FUhK`es<E|^}xgDUz&bn70F!e zuhnCC*WjFe3fdYuV5%#A9iIt{=NjrAm4Z6=e;!t}3#LFi#d?6?@T7ptZtvmVAt$@J zDW?d$qGX<)XMjf&Y{0EV^68V1plrPxAvIiga`VY_`M@zUQO667iSM7wdSpY_VO)J} zU3+!kymuzO*FMaEnaJWXLu6rbJSiCZBv@28>}Iq1^D)!@$;m}Liue5aO@#L;5nn-R z)plo5?Pe+tvAY6~-P%-k%Iwvdsl&-ilzanCjxrtj<+~#$nP?jq2PeE23Hn+Y_?(QC9T7~T_Y2;M^eHaI@ly)?Oy!#COG@j$6lI(W|#WfOToiWdT*Q( z6^x)It+n%Yu=M^P7cHb@w=Wx&_$UKRo~KOnD?Y3)Eh*e4`5B^)w?n(%1dFoO>MoaRunm^Jba>PW6{unl1|1%g zi2uCha1qWkcEY8fD~27^lp=%#g+@xIJ6WiB?>RKSTP4jzvmjCufpV}j0N$;X8~2Js z=rP)?`_{VdnCh!g?>CA7irYv{jUjtp^Cj^e83nieQNN#ZU2quT6xV23c@-wX!cU<$ zbQR(SgSqS)72?M`&{#Enyrp9LKqD^t*43x}P_c8bmd?oaqT3Qp<9%k3=9;18=lFU#F96|e7|4tn$q@+bY`S@M2 z_HjVB_ctj~Vomlr&vRv2k1t_SZ78Fzt7{FoXGh27hfF)G(B!O!SME$deK__7MjFM^ zaGLtaQ-K@^oCvCqn@dQkqtEm%?0!vz7sO#G%6bfi)u9`**1V#njThOtH2@`Z83;$0 zkKItsk%)QR7RO1c5cLo9=q6`+R#YUa9OegoTT+|WVErvUoy|2ks-m``Q}s$-CI6sQV!Am7 zEas%WK3?Z!)2ZySKGfr2)19CsR1H*5tf&KM%nLO4t83#IFAT`z*jZ za4ha|H#lY3xS-4ASlzENYTUNM~le9lSi3m`&unsyQ!) zos1GS-X~y?T9vL4m$6|!pah6eR9sL{D=Rr%L|ev5P2Sq_XpY=4Sd@KQ^=n%@6GfVJ zDw@u(znyIf-X4vAI)n|IvehQj9w+x2nCn^Ry3>zOH}2D7h7kc{Zy9s2wG)qg%KM~e z6J`9Qrj44iA(!&Ut;!vmXa0(JW1#C8N|Cx1ebF{IGI1_{p0>Y6-`Cf>Y|BL#CC#ZM zK9NQvs+{(2b9_6%$($|!wO>%-ESh)ky>jcJ?_gRh46`CeTzPeEF)+llWn*jItm?h# zZnS#ED+z5GpKhJ$q2yb7fO)eYkExWiGu|}Tt5pn62)EwY;*J*cM|y?;C_+0b%9YXW zYBM{ECA;*{DQx$ikwI|0dU%kRDpDP~_xi1a zyerpDjrntxL(0@1dbU_^!suvYFl}#^p%hggNJy`CeV++l+r3>+jfs2{8y~Qz`vO>! z!ODesXV=&3)Z8F+4V^+CoSbbXbuZnAQnQ#$*gamE%;FI}kjnW%cGGmRSH)nl<}VmZ zo+>qr+kfrWR(7R!LP_^BN7<}m>arqlu#6F}!q@YE5cU;7adh3bNl3^SAh<&y48h$U z5*XZq+W^6RaJM9Qupk4$gUjGHI0^0qcXxNU*Gaxx_ui`iz1P)6QC-tLr_c21v-jF- zt<#IlyFFT%0~qfsP2SNwd8|(`_d4VINBT|$-H_lg4fvR46+dsO)7u4^;)s~ehgTPJ z^1U+hy`T(aXQZB2>Fz^mIw9rK;YLoZ6cIFLVqfvd}h~abFSr@mP;+3474!@hK zhlSOWVDtWAa?{%e!!{mA;9h~zs=w~FqTj!BFq5Ti0`j=z&G~#{Wowp=s(5%M$bzxa zw>yjSB`P81W*op+9{DrV^D`J7G%Gn}76L$+m>4+A9OI3u8&W1cAGxa(LU|XDkm?Gr8jnIJ?tw zU#F5i0JyJ`5Andq6g> zRqMVGL6&T{FcgD9WS07F$UUVsQk3R){^J405;SHOt%1##kNCY_+9z z8L*dL@Wy}TqI65P20tXSoaNwl)QECm)ge^vB7nt_*}1w#Wp z=;X4;K=&>vZN_!ulo^g}Cy z<8wtCP@KulnWd4f8D7%Y<3bND-4T+xnKWNr$J@~{-6VqbH>r(wg~>ndwc^g~T+z@E zrQIDM7YFCd#JBSfR4Gnt@P! zaf>i`W_>SbPa5+2gw&>H)R;9kpSQS?;tiG;#s`HWf*7#20*QxSo|iG5e)CC2rIAcJ z>ovt1%CZR6XI`yJ!f+BYArp@9#>CQrfT%KT(rL1k6A-zmSmNz(wgtkhQHA0XVWyz-xmrM7c(UQiaXR^P7IB8rBnhy^L8))jxTp&;tdE&KH076Tai|xX4fEpDQ zc9q1dS7~k+KUc&D6=`qS)8CgmPkpA=MRq0UUozgb^winOp>U3~oiwmA+1lPMH6F`J zx**dNsOul;Z}01C>uI@Ny|N0`u(pPj81b{s)<$h7O59udM><~O9AAOocr+b^Rb{siyDvm0@Yg$+ zMD6Kt13b#kK}eksO#=|p!h{%LjS70KR!eCb(0PHt?$;SPQrpz2dV&X!r zQygJEy&oGVw_bwiWR0xO9nsVjTqO%WUlZfF@@%)h3&I*9A)CIAabqQWB2FL7=KQ>! z~#Rmua&H8n?fRpg$EdkKNex z82YjAYu%@6ZhQbLytkkJ2c~`3Jk{$jy43GT!o(<-#8q7N@axJp%onaQa?lmhYjB}I zRi3YtYr4ZtPReT7@y$SpTqIGvOYau|SycL+f0j5@2u7>Qv#KK>z^X8!aA6I6;g2}>L3&)p& z=s}d&jl6uPiP<8Rd)!UlgSK_f*6aK00D1aO==nem@02riBJZ=xLxJJ91fpi=-(wmm zCWFn`dn|@wq68lQv35(nmm+;G5>jOd$dL!F>8!dd$WIbgsf>Cso4P z>U3v(|5rCE7(lh1>`wG4oA2zG!=90%&(!GkA9TDN;S$gP{^+zYw`0F5l&1gIWED{n z+|}RC=F|@|lN10YUhRE*9+}A#NH*zycv+Kv*E6u)!rJG$64qSK}jyHLU7_F?n0}l%rCl3H7{ZDVXO;P~b*2r1__W9OuoWVDF0gT(@ z36E@LI{eTM^ev9Nq$NCZjpdO_|5(*pNYvNl#OOqdc!uSeRARzlktK}hMKURFa#wCe z)B<5E<67?zbno4o9J-y#G;2&c%V0a_#KGc?bybkVk%>Arp*l_x->reI3Z9768g{1- z8~H2G=TIYwc}#$8(kSTSt8h|SW}$7zDN|I}xD8)k?_N-T>-CwXu7a`6V0VhA0z2Bu z{yMLRIk3(#dAe1Yo%zN=Yv+TYai1b_IQ6gQo&u_c9cbQJui48RkMnBXPHt-ziPE zM;f`C@Kytopr?vSykOU)FtTY~YFLRTg2w59PJykreV2f?9Nwiw>!5soWg+Ub}Nn)G4+e%x#Z;4 z%y}y4HKl})!Lf1i;(4EQ?#dO;4z5t`FKuFH3G9fkrp2w!MzDU1ZXbJ+a<(5=z-JMe$MRe8(`z+^fKU70haem zOf|8!%0AG@h)GPfu(Zxfs$GHkvcDN__$(?w!f<}J|Ex;8XeLx5(?Cl-bBGnKwc+Z6 zT3FPO$OE5_{z8`RDyr<0n}(A|LHEUq^1bDVn+;+G*+KjlS9l_V zR#nrZm5c&9vgbv@^(dh-oR(+3^q;yl4}9pcIRxLfA3nH;~YM&j^;O?Z!`YE z?Cg$CVjmhHqDGm=(3nbVPk~+nXiP(cXpy=V6smk=^1#W}JKg~h-aO>j@K^5CM$JB3 zh44T6=z3`f2I~#P36e#cObw<#lUzP=%u(g8cGLWpLd|5);dM0lO)j$s*4y(+k@JX) zS}y_N1lKO200o*@7xf|C2_hAEG$|=*K>4~>96HgqPY)tJj<$8ttKhVA+sqewoJ!qYmhtl^uI$}WpthD5hQ*&Jb2wZ1TQ@UEVk=X=~y_t+6RwI zR353s9H;%F561fE>1})_Awbf3@u~+E*}ismA`IH_{=pVlx(q}Xc_ExZf~V^6Ow!Co zYhZ;msMX$~lnH_LOC;_cBfc8xV|RD`>z>hvhkT!|+|&t4p7|Z!gUt^o{B(QP4_8AG z287Q&cM!~BKwQ_{j8<60sOLV{6cpsrs=>D z-K$?bF*4$91X(lmZx*-bc}vpVKCZxwKAUc=-gszODvM}dRPUDPDX~dkkaw!zI_79+ zE|rpw9tNe?xkmDmF59(bO0cc3gWqgUtDS9PVdV?E0gOgrvcdrJ!L}GKhd6!0fa%|a zm+Q(Wq@w6SRO|Vbm-&@7nciE1X82Fi(?XtMX`%RIppM$6)P`o-$UpReN5AJRtnx9m zP#R(_UXJFEmFy-*r|7(&YUSf;eqS_n=~jo5##I~N3rl}K2#7gc50)GszH$)Y-F^y| z2*(ch*xwRATl}>DtaD)hL_kjr$sR~~*IbaU4CQZ3CxJi|z#EnD4rh5V4nBdim}K6n z0nPhCgTJ`Bx=68XM-&*SdaP#7i42)PI^Cewtc4||f|xuA>J2Xii+wo5zxn4%4niX3 z<*KS#;W)c9S$bQi>sJBo_2?;)Ve;6A?q^n)TRg(w^i# z#y}CtB8n$!0gATW>Uvsja=yBSs%2Gv+0f;Zkkg(IMoOKvq4j%#Qp@(o5hxCU7m}}t z@;z=f@vzcSFla!_a4w&wFhAbd(+6O%N=gX=NpGP5H+YcO=)5L&eBX zh2Vg3!D+Em+V8Yg9}i#JM+eK&$Yi`pTou+4q2-ukJEo?WTiGI;rWCg$(nc;u!07(FmA zx8mX~x$^Lq(F}?5d0Dy-j8A{n?0WW_V}xNQO+YPZAPJ970P(RCAa`!ZRu;+(xCoNP z1JIzmu?ch<^yXWzrRqh5qD-UL$-5Yj$5Ct{TM4y}%_Np41~OnhXhe(;M8bD450u7b z@x3;m4GSnh$0w#XF5WEFAp#ADZkwyKvrM!Slk^(z?Cb`)>wMUlBdQTCAk;5!)bXi* zvljawtdgn%w(=gos&(`CoVXO+Pqv_RDzPc-6Qbt>PVUC*NqIhSdE)`pTX$!l6vcg! z$->T;yRD8f`BDEsT3WiOT9Bn6OPL_&e&f=8dxgBsV^Yl+2q^T0XUP&v0P#mB1 z6&~Xrf6K@+_zXe-{Q&TcbtWK@kn3$O(5M{Aa zCgSbblwxdH*=Fn5QGP|)*|jgQOx9KfCbh8v%13yZbUC7mm5cjL2Jnu^=?H{Zlcfq4 zOrRn;{vhGHr9&`;XufH1*?FgGt(-efL8RqAWZ$hj!&P3!PBIEFV*Uh4pKQ8N^_w08 zX2(W)v+o#VLsIrz*cMelAyWZHU#FuwnH{=(Xkhd1)AbPL=)aG+%;Sidt&kK_K`(j6 z{;QVfS5tKX@;1rx?w`wI<`3?lrLvXQhK+92vR3at-fyCGz;5b5Lsqku;mQyL2>YPbd75`)c1ArCBjf zR8_V`Be7aN!WIZ^pbBChh$+ug!_D*)Qgjk!xb_ZpRdCmP#%oh^gtI`zU4tRc1vViVBRZ>>C!lgfG`{IKTp*0Agl zLEd>MHgNb;7;<|zc65}O^=7I-?e=^xM5@WP1n3pT~Ra zw9du_M^gnn&Kd6<#&JTG^i^i|r_8iZfOYXax_vb8B;@OjAr(Bt?{_Y1a& zeK0%ykdWwB6tNf{*3%rYcjfuU=Eug~ zl8t^yemmwHuA^Aqt zroFmZq9|uI`v{K=O1CJJ*@BvvbMG5$H4#zkPykg8NE}u8^_rZWN0X)@1wymHYr{Rm zaLeyOoiSA~p;B93o7kSWFucFMzxlfq``QH)_d2!quw~`+2l5Mra4XgltXH9OQjI<$ zmQI6lwul7*Ec@=Qsk`ZbMO>uY(81>u7o(!9zRi1TR+SKR`1=9|K5g_(WevvV=7B&4 zg#KlLClZb431ZU11$tD@WVRu<{h0&cKEF-V`j{CPU^DedGD_x3L#`%tvIg;I;*4`C zMhCSzCP)X+uN`k5#(U;$a{S!7GAu)*Ty-=?Ijiq^-?h;YsZMd2h!jzNettk_OIdc9 z%O(VHXkd5cM_*&Y#Y;;B3P=}Gd3-)_=vd*vWE#&F&%9~&&-YYGoPn+b$hQqCF6Yqn zZY35*xmetR$Og5M*>g)5OF4TBjsfhd^3T8f%h-!KC^(94{^ti$kZ^pb_(tqtvgR93 z4)*s}oZu{FxGQNh@%fwi;n5oJ*4O&3G@zbtmTC88OI5=}xF4(;0f)lpXi91YX7ri} zEG&(GHS0>L8cu(5L=2ao6x0cvS*YmKF5)P?i!#1B>QxG{fHCk@785KQTcs~pI4Msr zg}O>Q+ZM~dctk#-LCW0O(Zb7tkh(ZOg$1ARfU2}@R;JYw$4-Wr1Rc4SZ_jAxt8&z& z)aIfKlQZse53W2W4@8`8k4xjc$ZU6h?f`3+GNa?q={y&hPQU@CkC#FYCj+fuE7VNW zGp{FJx~Bq60I_}2qgXL$x-J$N+HcdY2}w=83@~U)95m+obZC6@!GX&nQ?9Qb~074P652r}vDwl+N+>>DF zburPZTXFWfrc{=(UfHWgdWyF2$tj-Pvr0Tqz*7`s}6RvXjg5hR!sX;NSrO6 zxbK{&jRPgn?-Of?`;TZ5zjWCGjs> zF(X^QTtdXK2H$pxb;b?~{zzAz3lFX*!E!y27NvU5F!%L`D|zRcwc5mc#?uRzBIRxh z5Hl4QhX%8Ti-q<~n-nCoKr)??#Z{K_0El5{;K(M zsfjR#7={@hG;Ul}u_pj;5c4&xJ6I~`{e9I57_nXjNQ&(79|?0uW+)#B$~Bz49vYRh zwx$JTkSra|X+PIVB&p@q=7j640gnl&&V{Ag3jUghhJgWf<&*BtmLwsp7p8yq&(Trk z-~dw`UF@r*=Y+)nh*^3}X%b7en_&*YfYqe=C%8DUJnN>zc1NT@F+1F|l^2OIDei#w z#qPI=VY6Z@Llg{&o6|zr1QxE!xNHZ6t@3t@C~7WJb3@HnR0oIWCCoqKAf4WRC1s3% zCx+&hp!tJ*76^MSs!lu4GYR&=m!9?baZ=4X<$yS2WK27e$g!4Gk_6SevUjLMFheuL z)5c7Vzhq>j4Z*JCrw^=%G?5p;GMJ*w|PWM4lunAdkeTiCXuMP#he}vM7VCRddrE zWDrGUu=4N;ptU)j;-CDMowZTRtI3LHWUZPw+1ef$Jj{Vwe)5H*9Cbr+EASdnvt75^<$1m)%`_^^k}n@=R69x?tCmR#6V%*BDfK_I)=Eypux6#~vVnAc4F0Z!J}JU4o`Y;I*~{`!4^Dsgz6 z2@yzHgoJi(xUbY5X#r1XP?2crOJ{q-Z-wURm6OurN0(pUC{HzZ9-(vNL(n^irf)l1 z3FmNnZIjTmH&z8^w2fDB+o;Vjl|sNST!Pzcqz$@zw&HCvS?r)X0;0hU`+oVbWE&dPXkO~I>srmjcoTj9+o zhy7NrM!|XI^>YafSaqMA2lOIG%_~_}7mdxLqExeRvrSA3D9}hmoPx~{WeV>^*0~CKnj#}G@$@ew%{BSOeTJQgFW<% zSzg0GRnT+gok2)tYBQoJfDS8sbKGn0zC!e|e$M;Rg6-6}yJhoEJ?8UpE7d#qe&I5y z??dJtXHYS)=wn}C(u7~6vSFfd63b7RR*AO^Q;0wFn$II+!Y>y2U}mx&7{&WYm|B)Q zb=^TTKzYsFiu=2)F355wYr5{2tjN9n`)u_YtppcKthZnr5)FOC&Tyr^%ZVGQnSi6l z^In2utQYQ?H(Yu+9!hT(WsQ%UUTte?5#kJ$>QVF}lIvY~)Zs(d9(*+dI=N=}o7`J7 zW#_kel8X8vzZ6G-neY)gTIQIg66&Lej=kVFB8ov64JzRhnX2@e(d8kulbu&ZC*8L5 zkc$@M1HJ3rX{UcKz0fymT`U8rlqt);x}Qx}Xcwu2U?jo%$?f@Ikf%GvkK7B5g|5xC zgOsztI)df<7im*V47f7kasHn-kl$(0s?ozF7z@n#vzDW|zZ_agE)=MGMO z!KZt*zzuz5MgD&aMgLn;`X7a&|MB1-_2?}Pp^C~Js*UsuOQc1|=B0!Q8R|-A?{r#l z%44q=h@3|Etr;h*kf_x=s{XZIrVcffb{PvHS_qT#)G3K@TTw)Cb7>!=R(~mCu(hS`i zCZs#gh@}`KgGaX}lq>+9(8xzjK(h5mw{(QHxcHis_iHdN0rOXx0F=j<5Vj{jtz480 z!i3x&KTv|yZheMnm7E`?on1Ua0-+ZGx})D}1piV=jEMUB>O3j;SIy&3yqYp?53fqn zk~c11TIq$a)^2C5XAfI5uFOW5ecp=lB; zsX={(VDpP(l7|uFpmdbS!kx|cpykAL;zx@dCq9yRJzrsvZiU9LQKU3i8~N+AZ5=Od zlDD;{Xa0FSHB6A|oQjiDu()w|W;fD92_*Hp5B!36;kgYUYf`;4u1REpnORFxVb(@qq;26 zu54;R%o!&2!^oblaeYM&MxQ~i_8#NW_fGAxRh==g5bzZKAea+3G13Eo&fyME2PgG zAVaCv;O8!sg#vrR_OIkylmN!#L`|7LyH>@tYx!-a9Lyi`gG_` zz4kD3c#|YpmsE&Yn-3}z{54OF#rSv&nHLu&Tc!v<)W4=>K2f!}@B>gP#0k|e)B^yF zcPX-KGDs8{cz-pGzoYA%w)k~9qV4sIl}szKxmzdOG~BfETt^=9_GpwWaM}nPNsbnXcSOvNGD^fhnEvn>vK89%A=6xuIo^1j9|$VRNjk z8(uBsw!NKlqXZZiwBkwF3b=H@JLYPfgm&AmNR;y-Z?G%PH5sxZM6iV1Nb7fgO+{np zf6^SywxN6|NG<7!@l*d-Ck}MNj0ZiFx;ZBp*V^>t^y(*9hsULr6vJwRy!5!W2yuMu zbcGmBp!wiXXfxvso7uL;K|!BG0Q-?e$4J=jSM4$Ru!o2wQXx;uBa6VYC_)X4#?D8Q zS7N5drfYj5E@dVw+Et&uZ0Eyy?QSy=K@|WLzy8Zep7`m+KY0#I+l_mkit0xWc!%z5 zro9GydH)KOTV7|{zUy)TlQLs5g}!jbB>IvXX@XmT3!tk2h|t30bqq{&SVJ!WjC4G2 z{}p7eUZ*~gXv%#{tM;J!kREnDSxa(_sJ#-`fC~L^K55DyTjN<+1mG$F)nH>|cXBAD z1~CW0y77vV#%xqsegTF|TeIi7w=_o!24`)$P3Kr=0$<)TjpC$5fpc&EP3(5BmTZS0Wb`4ss zeU@hI1%zEi!gk9&dxtdG`F&&E)ruRY+;OI0RmLdjy!WxRwL=J40$e@5PEl3Bh4F%! zmhpv<*S)lL^v6N?wr;*>y#xemQAyP`xU+nAQ*NsH;;awSqm4jXibM8Lg+w}9X3|(1JW14CDB!T}p`b@`W9=4zL{psHOgvs8 zwh}_=VO~{fZjuMRx_;G(68Z)w(3za?I}+B|i({Mj@I=*|OXoF(1PGhQhg{|&F*0$g z!g&|X=J@rOen5~Ba)Jn^E&0CL(;sA$IEsyOd9B3ctJO5p(&u)Zr&mNgA?S9z4b#EM zmm`T$(?Rc~$v)c~4jbH{66(M8?uSZx?$}D67wTkgr)Cli>eWhufwJZjR+(o6q)=(D zzQC0V5(~~6YqG56rex5dk1;XXkTod}>m!vO}TSr1m5`R%=%LGvnY(DB9DH~t(%2?CxUWpJ1113c~tQ&-^FugQ7>U7hVi)LnzU zW8LcXF{saOX#hLkgxb40&WdW*GZ$A&ENrg>gGw;{$Q}@PAfVbiEmfs0hTUb3JmF~V z;XBB`7IeutGoL%}E>zVfgrt|m!!uLHRsf<|=4B7la~u`+rdLxVeQm-2jo452wdF}T zAG{VB?B$X5td}x5e$iTAWu=}QUGa*!2Sw10lmH9HdJf;mkvJz7$kG9;w)l0Hom%U` z!qX*p3z-r*|G5{n^fMrgGYFQ-S6=y3?Rxa_A#VStzX4I8f$$(R{lzi+c)JJ+YXwS~ z1HEbwJV|@5N1mWOnZ5%b;V?oVIY*UIB7`J&^;w^M!6WomJ`Am{^2OFH|LSu1A(N+q zdkz2SVM*bTxw;J>1OS|kUn>`=*5%-XRoh3_ZpTcx$0*jw0vAK!T7gT zx@oz!`S$A2Pxm$}b@#a}^XNiu`vZ4*!YN7Ho+X%3@4GNOaVtD_4AS5JSaCQ;`Eu$P zxxR`A?BgX{W(Mlhx*$F-4k{+Af$09zi(u^R$J87+VvZ_CvltJwG$kK<*LWwju%i4L zx#C;92N(b!KDjcFop;%yLWXb6m^V;~C1P9IiL2B>Dv5-KhpK;`p-UENV;Ru$y(@=C z)5W78xlC$Mwsr;oc@wxOar0HIs`6w<)9`#Op?6}Yh5fw5x*vnu87H?uBJo2aUnf;| z(WH~z?&81z`Z$`{ODhcwAtzxj%Anx!J>K=DZPqLelE8G53$l_a7ce5Ev1l#aGcq!{ z*3_7mY&^H9B%T3lN?XT{FPTrJX;_?j)G}N-8yHn(A^CMhZV+hwx--v#u!WI@IznQs z+@$8!{p#}BVH!0?Srt1?#siZkT;Ie3I$R=qA~L>b?^;%(KcdL9`W(w!pqvJVj8L66 zn`7W56-*HhqM%3cgoI`SJ^;e@=N|9R=w0_E3q~z9By~c-)ea~3g}V)UDLT0EQlYY0 zITFZ$fxt>tcYTL$qyS7BMJI$RQ8?Co?r;@!!7b>s0=X%X7xBzeuOmo+){t5u%4UC{CaE~U|8b8tWVaxnHO-pEoAW-WxRcNZp&i5%QL0F{? z^mFeCTbREF#(CbBzWY#*ZZ7kDu|}rl@JQcU5<0gPW-x{L7G6bmUQg0dTYr0#Zs@fc z^E|)jRfJTR?My>zJzQ+kFE4gf4m4d;!5KYPrY0rz>On)kMKn!`0I%#LLlj*$`?KP| z?iZJYPe=_PUsUX6ls{O=1;fMuD8fZgLf}TGn<_vcCKHIUw#T{49UAn%rog|du~oah z|LRS*vqgfN(we|sJ(y@CY5LG4ojH_9NP@OIKiu0N6@2Xktv1*=Vq0LrLb((Y;GD17 zd5Q&$Le0b^f1xi*w6Wb5TFUueZ!hAUKYO9Q1jhtkXja^9u1+xkS#8jXM&nGwDAvcl zg{rGwlRP}lwfWY~fZl4HsK{Jd;C*-XOxy&Avrt!vLBMw{P7EjL;?Tj7c(}fQK9fKU zBW1&G5(rPUdGZ51ze5;%qw8+%sfZ^~tyOtSYcvhbX~*Zd?tS!ty(DSR40rAWp#f5Nwx`zy5=tMx1?R?3(Z9iB$9b|!7&P%8>>SS}N{08hb} zFToHeS$D3#l>qnZ|6K__jqjYS~=s*k`d`{kURDXu$E$mWB?yBsh$Z?vab7@P)d<|bAOpbhS;GPn%7p9Qfd!d0iqv`z(@&R(^j6zW!T2wx94?YBwpbbr=#QV!VA^d$>YB9+zVV->eY zCW~gr(TyIwVW3EB-DoON=Xj7NfSILH69arC<$MR!H?`vIpk;eLD0-X(@)L;2pBLDn z9$sA6a@snrnk9&x2S1S{v=+h~)OuASA>zf-Y=NkB^yd3PF=0O5DN>I2B~-1)5EdOA zRwIbS%%V$8#}lJ~PIi!K4Wd|R|A|bnO!H}Q4U>(%z4=v`7=Xpr?3!tbqqT0X6LRxl zIr3SnH>u_;i%9pe^5Bz@pagiON_A~~fA<$mXrQzVm!Mba!R`5MsHK@k(5>?EROw6f@%F+_2!Xv~m|ApAcz$_3H&K^g^I zwj-l}M9J{+0SB3f%EeTAsQov>kf&Y>>P_IB_Z#>!4yaT${}$I8v5#uib3mUy4lda_ z4TTRf{dfn~_eA#JFfpYwwk<2d)91Yxa#HxDcutfGfXw0QaCIv+%W#>@{2Co#rR;c< zTGF^ygGrVT+F0IUK!kzS%ByKFYmAZrp;9SOr4QFW5%x&`^UME;zxmij~TUpX%O?tSBkgVq&X4a!L{|7rXbb1br zsEBoWTMOtVADzHa~@BUhx9d;Wj{Vlxysp0(j9PsDA zt-t<<%h!KA2&CD6AM^ip{(n69AJ6}f2mgN;JY)v3YuAQQr5 zve%&SxGaZk?GtVS`XCeV6SA9Bmh8V(QeKt69d&wDwWvwt`CzVnJ7ZJNz*h&(CS6;K z96^$SNff+qJX^O6uhuNUJgODkCm4+tBd_vOT$25B>SYVtp!OS9a+MMP3+zQH7=AN- zol<8Dvn+Es-9QO%P^QI;SFZ$j#RF@gO~xoNiF1|=5)b778Cl3Z0p`jtOJInrXOH9J z%ZAFVI>2O#08!UJj(@KFqyA?(T72tqErb#&JtX~WD-iEqNwtt3Q2nr{rrcT!U^ZNd zK;Op-s0GLsb14l2Ce*rv(j~kx_r=0B9-FB93C9We0FUwW4+`pn4Y-qWg1UA4Q5 zD_73_`GSuZ$5}Z;zt{Ct)@6j5t>PvUqcX{d1Duym%oR75#}OohlFVT>4Udb3(OL!R zdW2G<@^k>AsRuxXBH`Qm$Ih!e%V7L&aP~xOKy5duzC()T@=~9S^t075jaHhuV8eq~a+xi|E zFB{KIL7p={YT18fWe~+C4MdWEOuwpZM)*4<3?btOg@Iht4w86)x39o?iU%Q4?vN!U zc^CQ2+{*Y3b%qK7G_~GKviN;s0^!BZ{P0-!zM8v(aJ@RIdEvjW^TCyF-^th&q;Q$n zDsW&m5CG~h(lEu>#1I>iLC$XGF8K#)+U1=@K3TF5F6EVIf8HY$AbKT?(!BCxsx`L+ zrdw|Fkl@|Pl0ZmwYQE6bIkI*=*V$Y+Ndcp?;~EhFY~gxzeU_#hyS}v<+zCXG&oj^< z7TW?yz_{_3r;&oaN+bj`vB>Kvi5?27$U~0M% zxx0|A32JoNPy(7&{wXqs0J^b?Cu8D(-m9&ZIFQWywRZ{9bhUWg|2&_FuUMfPNXk!- zoG3DYblhFl0f@0{h|a%tt_6-3jMqss!DQ}MmcyrNpDB)103^VP7pE2@mFEDi;saxN zrg}DdK>NL5gVCYb?!R9X2!d;3a@`PX@gkpfuaow?TY-j;67E&>>-E2X~asFh&4{x}oe{86o6^}ORQZmQ;-Mo`L`;vp-5r_VEEDFzUD~hr^}8=rC6=f9Rw%6l%tD17Ic9MN3w*pPbBkR0iJ3ebZM_P#ftDqdQuC2?j1 z0onSnvnNjUNC+(h;=@9jEMsdJ@vpMF$eVei_mpnlDhgySKEoMg$cjl z<(QFK$gV!EM9S;5-${9D7^>Wlt?VQ9q6jMyb%ha?R&vm(WBC3 z^d&lRiZ^XQYPemP*V@8OJaf#vstwa(z7(Z}yi+FYxS?ekXTugN3Q{cS%T;L7N(^4z zTGvzt&G_DyCsoXapdx_QUwNehajrtYj6%N$CQ{Vf;>OByttVFSQRRT<+){RaOdTpAbB! z*bhRnMia8MHJWNLkVo(37nq($_ml&hu`Ec-DUi(8zrw1mpH8cF19UiTG9Rv~+IYXn zvi@sr>IMEHV~kIYe0mlBGu?X}ysD=cmlk4TtfXhGM1~cjsZdZ^6XSRD6IjNV%^LzQ zjP(3Q5&tXcLXiR#Aes=DAO<$22E0_B0a&QQ`8cv+x^^a?_f%rG(?z<>?a*n{F@<0``w zi(r7?OtG*%@Taw+<^`60>dR6~E1REdcI$FiGCcc%+C@qQs-lm{dHkC86l=?v%ig;! zX@7&qq)5F%^Ca9ewv`8)b_7a-R*L6*7MHf2);heS-hZ%w9v4`PRN#|3WD{%rtsQs? zuA)@!TdcKWv>y2&k>(EL2=KY7a#d9>qPC`mmkhN{cZadWT8-*ple<>BZj|p%*F4uc z=7C!1t1`M15{Z1*2}Q0d7^*d0+iSqIIZ5rs_hX>HWv9dD+zbiNUiI9ZOp1{T9OuyR2_ zAr;XTx&S9zg}@d*y3PMi7_2JLb+H)2uwQ%*6H2xX5~+RQbumAvX4%kcZ`ESNx1M#* zu$sY4kSlZPRC=6tvDcMaLzKsf-S!)|$da$%cfS&6;Mt=Y=I5Jqv6u)BF3>oWk?H5P z+l^MvX6Ildo~-DHL*JkWUG-_(nX^hV{uvuys)KZ=Y5ll2^YwYVzQj0&YhOWhb;&8) zM%MFf(^pd3v%u?gh-?fMhJus&v6bBx3y``e8APGAK2<17`Y!1VZXu)4JNpNRnZ3M(k=EZ5{d;0Kx@>U?KjW@8`5tNr9_W%Uc29nDJ17 zu1(VT{$x3jBR!aEB6NcW4)`3DcyjWSLhpj__uL`OSXEGn3bV#8uU$151h~)dj?`-P zf23#G0AQU&&W6s!JxQ8Dy?0=s-leuamUt(}SY;_CWj z9>8wu@z1h>a&h`4dHLV?|Ko#sPw>STck(FM|ATnAZ(&|AY^le^wVRHdGGB)#!Zfcs zHd7^=gbC_lpiLCEm4ARTZ6n`o`(6(KTtqJJ>v(xnz(y7gEcyuu9Eq4{>4Af{ouo2v z*wKRk{ucr57;!%2Y@h<~MUCJnyQ0F4ia0O@1iY>}YOVaTsQIgwf++;o-}U z5{HKjEwm;B;6q^ z$o(#c|78UVSYv5@Q&|}Haadb4mX4}V?@pWyDoN;WrV~TByqvHW;NSO^Z8v-;9a5;} z_nMrAAo)NsShI^Mj())=Fz>gb0oX)8uAGgPmokwo(kjydD6=yb$%V^#Q(VgU@W9wR zV>f1wEpm=49+ShuRbJog(&Prfx&dltR7~<3NtlAM^`9%!gyp$DY|yHsX5hP`--Lrd z=~_uiN~4as!zd~$4pqPjrR^9eqA@WA&}KjIC*1ZLvZ9?7Y>6(#{Mc{^CQMjfK<}Vf zc65h0Dg3?5%jCxRTw#u;(x4cPS~zq)r&+c`;kPS$3R6SbP06Afm(~ z2bOvLvjKOqcj{8ixPG{4^Iy!Y)bL5m*Q-Qd+yHtXuyVOPVW1nSdfNu^7dK>4GX9*u zCt}v+HF!5M)>lAh(6qW?yQ8Q?-S*MGsr2pg*0aAl@>8=L!+$-ZLEg-!;L~LGt0w$= z+FNq=AL&MvoSVy=Q_uR@{vLevQTQj2>HfR@wzT$=qKDBl35mhSd`g8(O-&X6XDy10 zOM}@a9GAO}SCBse!a!9K%&8 z&(t6vej9f;y$uj=r<9N{Sk@>}pHpud+x8VPN>$FkeROkYdFjtQ_guf;N9O_dSqbkGl-irl@ii3eNYH){L!u9(0-G zAK-l$8SaQFvpEb0X=@1$dkg7b^^FZ|B6T$ZIg#rdA+>s#tf*Yd*W zJ6{ZGo@3A#6-~k8)%a?sspV_uVSMQVxB&s9r4$HzoPl0(fYCc%sNU9LS#3T3PXMPy z`N!Zl%6kQ{o~$?FB`h-)1d%4vMLB-YVM_+YMn;yyu^R{a+M}`rY8u4_V=}`g#VVS4 za}_#7B)P!-2skZH&v2N?5|Y6AeB@xM=|zx)y=fQ?F5qF+RLJkEkdg$a0+HzCXmLPC zapVt#vn9RnlM_2f#^HlNLG;n(n~Oz%wkNXx^0`_si#||gWX>2T6(n0)ZGhPBF>e?QG z|A(=&4vXsh{yhewA|N41D@aI6H>e;;cb9;4cMJofQc}_l(%msIFobk>4nueMP{Z8g z$Ith7?{n|(KKGty{$Q9nG3V^P*V=2Z^?tDpxQ}g|?(;2MTFo9t62fZ_)%~oP;YIH)vXrcVjoo`(-uSRk8uaLW3azOM|sJ!}M&Uf)=MVYT2d%Rxy z1Vq(rqIj&*%fZAP@@2iG!F5Yi3$ops)eQg!u!~2E)sxdse6w~n=qu_Kd0KxymVgJXqMHQU+z&B;_ghZhI^ z+Unb?dwm~hG6(fNG~(poZgY3;T|(ss)0FvaJ4uD&(vQ`gPjYppOz9bPuLth?G94$Y{A#U5EsDy7h#kk8rn?p4j>g42WLwRI~# zTQ%N?OA3j;-(|>Mn(c)M!y2ZIC0bXbjJTj`9jLeVnttL3 zl4n4p;CM1tU}6oZ(^krt0g$MVax%O;JRCecBV7+WLz9zYQs#2i$J*OtUN4~PT;X=A zs)XXSZQ_9no8L%;#PNiK!%Ik4*&{z<;ZOpSwss3l^RdjJ-FZ;{Ld(eIC8k6SfX6zU zEqP}M1_SUJf`XVJ6%`d)nk=Hnbn$H*oV>39rIfHx9GoW|#ueRTh`re}ID?|$@ZR$9 zQZ%4wb?;sw%*SPAEefEOBwRED{0!cF!v?!OGKo_FTykKL8qCPco3YTMOv0{jKUyam z*ri|VjcD)Ta!r0km!sG02paxbc6m1qmbzE70}1rzDFw9JGV}B60NfgtnCD>Ifcgs} z9}yoNFUbd`%zp+eFMF8U@89EoLr6wx*{R1Ja(lBB_r!Ch2}>npW@gCP6?tDO0Nrv8 zJE2#7x?Muvs<3lDeC-51KinT$QEOCeqoqo?&MKqcz}q#Lc67cD3`nA)#Z_FoJz=iy zCMs!Gy{u9Gm~CquW@e$Wu3P(Gzw+i1GL54Wo~DJ}*m^wZxxNO>I>M zUlIF3BvaTnQcNR&d!OIw6msc_2~`KWvy)4?P_^&QS5Gds6p>G6cF;{^ti*VMDmjgy z&kYN{>1Q(p6wIFe&K5wNd<#?r@GoyxuI=N|XMI;ZzH-S|@-8lOky&}0+V0PVbm7TU z3Mpc+W}7>O>L-XAlajYB?hfVf8k4=_9PD6=VE{o??dhD)Hc(3m@(?yiH_$gY`DLK) zRIlfFezSINt9yIi7tx2-d%k$EvAjGEv&N#)0az)Gb2k7u*SK$B|z?}Gus zbRckzsH`yhepg0%Bo`<#i`z{*2#Ji$4Gx~{PkEUxATDa1t4E)gLQ#^(Ku(eu7ChIA$rSsC?rbF;B3 zj0+ka?U`??UhV7*&A=Czu(Tu-f;aE94#ugdqH!IvbFKDvWeuJAKU;PHm$ADylb|Ip z8E|e{$V;bfV%k6(mVHESe)V!OE523r?kBOG!)rM z!zblk*|(>PTyKBJCQN@{e1QfT;o-C|&x;7|Xq;`&c%ILFsLTJ;J2w$Xm8Agx0s)H0 zPdtuZ&b5Cp&`YEg{c7lDq#SuZr|mD(@!-BwaY^D%a*U+p_>0xph!$@u+Sjkc-hF(P zt<*S3vej(pJnhS-f+_Ik2|hp#%KB;j?C~fM*K5Y%q(n}M&sOg-{mFENaPbS&vYGQL z9;qrFx@%y5_^eC6Z(@8kH~af;NieC2Ma$}jbv&E;b5fO!K|MmkfS?q8EgYan(FP>|+`tE|uNU@s8krKM^V2X}*2Km*`+BNayY1aQ zkR!jID&b0Q82MbID?2mu_2v=R17pV%v#_B2U*$i8ii=rXwAAUhlyiA5MZYsE zlkZ<>QgWBaXJzRpHml@_xQB*52?mf|_{zcA5-$kKhi?~HvK}SqMq)c5sTNHDyjtp*2cfPKhM_jmxS~&Q~Q;a zB#v_fRflmw`}4}EzR@_{S2Ub&el<2~hVQkmMTIbfP*5F`?m9>Py`>(4$UFwnR;CUg zefOHIRaih!cdOq(?<75)We}r~E+J)3f!fvqMqq;wIdSgmNQ>aj)_XV+LkYlc@3KEF$wG{; z{H1vT7{q34E$1seX=#2$DErdu4HY zx+1WXHI*7BohD-p9+fD4=C2m3^Yhw)B;I08NUmMcTi@mrl2RWox4L?NQhY=`d0Jwu zDokhM2Xf7D0NFny3y{Hzv}wNt+08X3$0yqx+kBV(6J=RMaPpYSg_71JvGg0>$h;;{ zPH$?&At!o|ud0^6H|O8A^c24yR1Q2Uws=5hCUv0y#b6QW)AQ$?^2tscL(%Z*a;miA z9^J6sqlgaxy|e)oe|+OvV|NUs0Pb|b%MCoQb7gXWZBOvGwo=eoO{O&1CLeDII8jCH zQfeVs-q7IVkhR01>aPhn2?}bh`O z$Cc=bna)N?OTX5`HJ|x$hUxE5GDzi-8g-#|4j|ypHyu@r)XyjdyfN?{`BQFD zpnk*h@3#e)olRgVc{v%A$GK*?d$ZiW>OBzK1@L7r4$blLv4fjid1dvuRn3#Or^*Kg z`h#f=bM}k*z}}+Zr1Pm`*ZH*l5*_Z+x@my1B?Q_(E>|W5oo&iVz}@#d03IDM4@wIq zz1CBD%aU7v@*O&5V6Z!WaR0*x9dU67_f&|ukl(BPFP95 z_~o`&C-K>&O)i=3MdqD*26K(OQB)#mA4KWBvad9kmlZxfU*nzg4N^-CQWYgSJNxU7 zyo0~r|JvNf!6J*gIwE?kQt*)_w{n0xSDrA2$QtJfDe4y$^e&$vCB$yMHH0kDZ6g>(`L5cFA2mtVK)){la}sl-`BaOnum7TpIcjD7);ZAr2{ynd>8w9){fbLG%8 zDc_gpjT{>~A-3jDl8H@;N7c6sPOiKDI9lm1h|cX7c3hrY=~9MbVBzEJE|{!shdpVl zwue`KwI#WM#`Hd!A1ReT(Tr`BLMm|i=zWyPXuu^RA_gWF^kF+?1{Ht=Admg5!%GG# z3|Dc;-~hgJFRJL+>MsXv-sK-J_6tCx`Q^N!7W{~eDx&bh!D?##PYn;~GzhB8$9BR- z<{&|rP57U>SaGjkf9NLo6)ZcutA{`8*jH99(316}*PNj17!aeGJ`f;hf2 zryg|~I$#;9^YU8LR694j?t4(boP2L?MMbSw2v}emzQpur!u2JBG+mKZx9R!)H&3|` z4Zie|cltB$Vo(YiwhS75B2|MVgjH2x2O4U|M{oRqKil-R->rn(SyH7y&!N{P?rRd zRiN;NVHhvxQ}v?VUBiyE<&v(WosaPOQh|*dxfLzLhnBARS7^+v$bKgQtQ)% zczz6H@|ho$h>6vG?sYo*W$+~cYg>aWSaIvbnF4|S-I4+8YmgH^3;v#<+d$7`rP~(< zeCf3xt__2(mday;vnMG5ZIx1n_2_#?QxO>Omqs$Dr9eJg5NQYWL z?SW!8>k+=~yl;gW51u_AD2~+@x~$$)YWK_C&gZD7Z|MPY#R|*g%1aOdCfZn8dJ)Y` z-6d?R1}FJX92Da!6Po|f0}x0%urN`OkO=kDTHM(JiegjbO1+6vDRwsu9Lrlq=PrJS z1;xi>V+sQmjty1vMGtPJ3xImtj%S~LzX_GenY5}gh}{i9+L)PHb-xMyGDLXj`GiA{ zO{!(%sE$J4_#b2&|BUvuR>CSt>{DeWbqGPQF#T& z3DnX*>tZSH4+9W$hU~*aJY4o0BSoH=bZSe(F9GhFeiNbg0KB8CO&RhgzfiYA0$4^J z`JZQN!3fl(6EalH)4)NUJeDO$H`^lCaH^)K(UjVm>S>)C>uJ~W-ZN0Ex8`yJss&48 z>j8)@Y0!@xPOr(Q--1G)e2^f*k5*CATHe_j&yuGMNT^#4eeAZeZ^Mv$B*$3U)Xa*w7G!W$wx2;_sr8Zy?qigivaWs|3JbDnQ?=th`6HZ`hHE13j%eCWC^ zfHbFkRPceWa^rDm(SP09Zf&(%>ZbP+0meq<=?z&WmvB>KJLBh@J8swSihX+4;E_;E zV}!oV_62B*_{y_k^;sN6^YdI4>wbA0IM1WZ(Tk50gz;@t0cob%onsw?MNuL!$+l?V zDeix04;;_`YW;U90Vs}Z16&8iD-7;G)U@>zgV1rt7@*Xtt_ITMAyY{trH_ zQO_1Adj7L5ijl>_0za)LY?LN}0n5$SP_Cntg`Y+Lhb%u5l~a_0 zxEo|Kku+e+=jeu=0Qn^CBvY8I8KzxDvhBvP(uGMCYn_{8zDUt(KGY#nE;HeEdFk6l z+TcRHyG!h_vX0P17z-{aB(Ciems_4Fpa>B9ZoBQ;2)HRTAAbWTW2_9qzz1z&+F=>A zS!TLJ#jSk{p$3&#koEu_go(L1d9Sz6?_#@xJ|vR3wt+3CB8q0!=8-(Y8bz*Y5?^{ z%&`7)Z^pl(blvCu*vu=|+|pH+76MuIFgyE!*wW^wTAD6BtSHsxgre+_#X?i;eo1ur~%SP9iQTaD^NWr@JCYu8Mi>aVH?!T201n z*q~--zMHEsA?Q?c?RVmM;VG77e|ssYKOWVGQk{mJIg^!8J52ipquC!Y3l!M-rwli zJd}F^udEFqh;P!Z>_6@eub#=H}+KfAejkq0$xp z>iV|Ixyj*Cbb>DAfc4ts9e^Yc>TXUtNOIN9%3NV#Weukmi%yDbGM`e$0twL+8kT9m z0&Lw61TNZ;(Jt`9i6mBC_b@7fi(8Zw5LJ7_{j~Ye@@DGzti~EsI;YZ=970YOB>PGQ zHA@0?w&|H!mRqoAa$K0c9#Hq6gDvfDu}~-;e}|lR*J7ktxjry!WoJddK|`r;Jq!Ra zT*(XN%H1aQf%h-%(5)te3b;6A;{qO=fYfW3h8~`%dSg&`cehf8Qd1*4jSj>SbdZ*s zCr_ye;4-FwR8MSQ)JY&(o|A*O@ZuN7Lsp=qd8K{LsVjoi2i3VZ>#94TTPKmD;ml8g zC`5p8ky~Pwis(qOA^mLK(E{;g21R2N7GB~?6MUg z{tF&#+hVG^nokF5@_)f60JNp zuGS^REWjNxgec(9K*`UCJ36FE5W|>3MOSL|paVZq^gK+kOuIpyJ{n!)otkdHW;Nm6 zw+~Z1U?X8O@H}L6>KX*obL6{rP*X*Sv#$mcxig=KNCiG=2o+S%8(I#?n!~_*Z zg1dqF?%l0ZJq^=UJ$2x?)!9-T5O%Vgtd+0IUX1}lqfDiNKj>b)0u0Sm>9b-(l?IKc z_y|1TizF<}FMl}Y9Aunz?rlE>$$1avNTKNVU}uK#eQq9}moy+ya?2MhiPcp#!4f$j znj%57G_sPnGgTCu6gOWX&dhXjQptAY>?=eV-4%YVKp#C-rU}}PaV*nLtH=u6odtg} zCFNfD!u}&R#}mlv(v_07QGzjtIPv+VXu|<59&Q4@Jg@!d&&nmR44_Zbre48I{XBble0W~$N zSf60Pe`fa`_;&Xn3}A$eg4=%XfDmawB49!6v3+G^hw9FXH+&I-JWZ+mSMcC0klR7N zE}$x9H_N@+9jPi6o>p01&Uk(OrK&26?Fd3BwL|jYfm(>S$Hc^hG*fKTaAy>gO*{Ug zArF5y^#I?ZESHlOI<&tSSksK45dCSCmMpZprn}qTQw5;GdVch(?-(??@Gvp$_e4)u zCf{73&-aDceq@E+yKsg%IGoOBKYp0`iKIbt7ctEHZ?_IZyLJmzaaSyPKPt8}ht9aVBEExU^8a(p#PjRISDEqQ#KO zl^;x>7CXR+&2aqkA?yeFNANOX{}z1+68hEAkgRtVT|bsVE2dE0R=CR+1$rOO zPB?P3lGl9UHQy60t>55gQ%GTFd9FGpinOh#v z9=(slD^_{A7xa=iMD%(!_4QafpP}znG}_tK(UJtd9%0xlzd1isJ-6(T(A<2n%^+04 zPfvdgb2sp`S|y(;3P`9usI`L}$E|9Rs zNSpb_SCcBj9o_uw7Zw)A+{=^n7Z@0CiWo73iTEiLR29#>MI(kbGAQgGjo`eH^MDzessYINCf@au7)uA zt953}rCk?)by{S%ihqZBEp0ue5|yOgI?Wy<#3v1XMeyt6-!E^95iK$@a^BqLWmf)v zE5Y7qv9ZzhPT+T&Le9&Q@Lh@a*7AP?fLHeYt&Ufr0l{`pxFuG1`u5=@;443>3Lgrudq4h$2)|IFFuHnFb+RIZ@^#%M_!jZACx1Qp z_aa8{9Q0U6xP0sCO-k?nl5+a>?{6QbrCtOw8K@QyPg{1$|7XBbB=in$?C}-#-B6`F zUfc_mf3tEiP7OW&S=;_|)Ruex*Acm;`8;u-w||WBRF3K*uj9Qcz*(1~%6b)q*w6kG zC_F90;tzcQ^-xL$o$}6qe96qyEu)?YdR>eqmKpKIe~@mN<(pq+m8)jRX-CIZ6aiSg z?W}?h7njAJI=qa%Ybat2$`cu8)e*HAFN4B>kyIs-Qi`6W5W*>mjQ34YV!{I$Hs)1??IE440qAm zc?wpOC8~uJtonu}xvti+zl;-?ok z(&K=#^9*-oGM1EWSCvG+E-dmjZI|5ej=c`LOw32W+GFc?hwKoA*z)EpR9?h>k$scB zk0FCXN*c$`7NOKR2n0%GXJ>+5ZEYCpe;g`zFFzOq)I->tTUL(tIk`Bs!Cj>yx$=pp zgSus6QDHUt9~Z_O$;BUF6HpUAysxHjdxK){SnK1}U}hX9dA4=$E`NkUPvddr<0;O6 zuJ&R|1hq^{xo9zVO+11_D5dD8X5VUy$L?Pldp_!xPN@H<&4OpA$5xV#t>r*ZdB zi4!_oxFp1u9PIn!VDLOP(X*ludWAIfwOU|{3t}^TJzZ}-B+@e!f(D)A+ZBJ1cUfR$ z8)-(RHCB$km5`wm5a3CEe|OO9?@54+)!GRn@*qYt48xaPfNu9~?O+g43TQr} zZo52%-1bV#?1O^sxHj65I+zc*t3-i#awT|eo2TCMl5%B5DvV6j;jP#S7+=}*!&+Cm zkI$7$)Y})Ev-M*s5%X1qA-3zoJw1^@YzF;CcPXfw(C60&P11aV?%t?9JixCgDJt2S z=D6MCGdMXrGvhqJZLqhUfua_dXan(fJ-wI5XR6XDIJ_TLO`I~M1I>RAdq|ASX1uP4 zkRg;Dkcno~>%Q2EHylb;e1!XWd!cMdmCO8%v-7KTA#`7vZ+3PrCg28kBob zoHT_+MGY>OkMT*L1l-8R8-h<#MZsPJ>Bw&(Atziz&04CevJwkue*4Sbi38ZlWMv0- z=!3RZOGV!1+W>i81Mte;ya~pg@#-}2gU8UJ z&3x(`{Yq!JkMShe2h9)^%A3z_mVkhQXsRjI^NO6$*3r%BcD-n5+Qv=q+Rg9It@^}- zM78CKhN0m?B3CZ{$l|+us$*=$@N!3>Sy}-K(LZEm1YNhw56c!}n9jtf2+pa;cg6Ba zIrQFmW-@LSYm{`(;QZ6gzhHE=tpr=D%6((8d5n#1bo&qwn=Z3=+lpp%>y*9m#>><+ zwkkSHC+j6mqFm>F{^F^roilCinJlR%d^rLh!zRR_B?o@Z5ZQT;YmuzTR|E}$iE=s6 zju6&NxP;H;C4;l5HyVbw4zwB}M1w2LDd$U&f$t6_35mHGrM>-7<*3v8fm=mIt}W=5 z%gL$3LZd0XN^xiwYTH$u$i+f1)ZPCh^dTQCxz;3*e?6i&grv&ZDKLTx>5jeV5S$N! zu%-LlELA=$YPvQu`1A#hPV+TeJIkJxTb zAcLubPa}Z>4L+uJnhZ%mcwIEzJS}G=OVVbxu|{6)bE+J#)#{rN{qNuJr;DWmY z`i8cW*6C&Z!s#AjY@(xMdCW-s!P@FNFl71I+Um>9`uB{b$q6RQNr*q7qfeK;v>qYQ zPTgHC;7V;k-a5C^&hTZIt&Zh!|cdTTOU5c^|D$Iwf9Xx0t#l=*O#K`{$04vK z70qKD9D@oM{FC0;%jTQY<0AVfqUU{1 zcy<(5R%X#RWA5p`M+10bsO9bD<7pF=*^t-QAVK%-Lxg6!?->G_?sNVuq6_4GlVEN( zM3Y%zBDuc0Hjp5on>8{U+~F+dWw^}<9<~~QC#NQxnADGaw4N-SEYS?^V5y&*_I}L2 z@z+DAl4i*|I-h6ea6Ugv!#4CCTTOn==R5qVVs+4fP-xlY+IPPj=RsSIwP|T7+j}Ef z!$o6mGUlQ}U|N@~^R8r4O-;=U1e&EFF)1n4=v*(Sq+r2Q%~9d&CZE&OKe&BUR9KXn znj#nNm=F`I$uA_3hzEK}ld7O;V6e5eW(2$a_JZd_gR%dyok{|?G!Z=9y>B9A*B&YV z@xw@lD6*dW$%AhiMFXsbG?^D4ef9eO4okPFsdgZ7Euon?qN@Qt6pQ|dhYNC75cf~( z|4Jh9Dz4J_!Qs|=J{Aw<{R(%qxfEgfjE$k;0etp*hcOQ!u!iRMs`@r>F!>vGoRvl1@^wU5EK3|kh;^TNK~eQ)mc2wA=@Babrcd1G z*I~*hWJl&FU4k|u!rW6H7Gkk@cvfKH;M>77p$Ht{4=)enyZ�q#}G;LJ&_r~+n% zscxM&9NFU`d*lPi;N>5why0Hri@W_^SELQSGHtPaSAFp=@nxG<)?s|PcBYs$%MUOe zbuk_15F9N37Q#JUtkX4S(6DefuyF6sy@P(p$5)$7-awmced)gCA{iF2|7m*)@8Nq$TD+n4`L5vi$hPo$)Sss4P7>%}v&cb4{6VV_kSY?Afe$ zergllM7_QzUw;8&@wa(2RCk4c|& zW=8$cNu=PxJ?+Ng_ePc4t9aqu!S%TBD8P8Hj(YyusTH1%zP#1M7P~Z>iE;(?GFc@6 zusNz3-`zP%h9bV_t6{y@o-bl2T+?r>^-4xK4Lj7V1`yewmgfBDD6bU}?@FUo*lsJl zlee1VLuAZhxAI2P^_D%AXCSd#pWqG+v77qaJb!X|G|Z`{_(BIW5al2xVqc_EX!ZGo z#NOxEae7KzmBU#najAEF-Vo(9m~l(4_XEw7O? z1r6w7n4X2@t`VD)wz)jB>Wmz-tTI4%-YnFg>LptjjwjWNu^>RJEJ?(|SJ9#8a*Nc0 z*&{$QfhADzb2sLNu<`wb3ZngZl5~o_t^MMOEw=S%sJc&WW2%9e7asl3)4QP|ek%SQ zYr4o356j7fYd50(((se@rk2&q#b6>%GQw*Y=nB#8OLNsK6nJhZ*9_~zBZ1g}xkzEC zi2wnOE!eDNfA%2&GfAVnzkYPRGY_v!s3-hypLF~<~&#n~^ozw-Qa5RP7+*h2Ng z|K}sxYbOB;8bL3?y_Tbs2j42Jz157<6-Wg%<4P8oHS63#2p)AfkJ zXo^?M@4$jx5FCcgLb91{R;&|jnXmU68A3OAwpr+Cw81OA1J};%BoN#q>hZj)bO_vU zWuu-#VTjE(I6u4C3f>g0s7UI@%hOP5V4$y?o@#hHc|zEX0`E1j%gxswthTPaX5rl# zuP@e)4zQVb_O?K?`8B2e5w~x?c19Fcbsc$5*$b{q@!46h(_^L@G<&x-#f09x6^r2b z2DT74<&ntloMhRrb*nF3&zhsVfS*UeC^S1FucZykO? zKIFuxt0gn-XKChb7_iMZUVB)6a7{kch?YFFF0{c*{W#;iYU64v0@U6%G;)H9+ZC$K z`Z89lDGI(Jg8UG`padKjU^rpp93z?zVwAcM5H

`+LFp8uV!EwezUT!p+HdK=|U> zBTNmH`{!gNg}bX0zcTGJ4J5r)WJPT#4|s7TvVue)7xvmJrY$MU1?zK zcts%`>2#*^LCimGDiJ^J_Cv@E6coj?8#G)yE%6w# zL$+3cqzp=1ULPPIo_Veo`B~dkUQh0MNGT-GFy4+baau%xwX3m3UVX;9ewZZc^J2^tSbcX6RLmg@>zvnz zpUDQ%0=B2zs?RSbR9FhDXZTisOA<}LzMVa`!^##+oY$BRNp?*N^{QWvSc4mYyoB*> zXPh%NCf|VP-qPrlTbVC>KWB~ zZZcam)zRn4WRuGP zFwm8E_u9dPv&e0N2HS<6ssaHt$T&MWgcculIOWBgjQUNOg-anebh^4d&G!4|F7{iz z3thEp@ELaZs{7U0c-?*4;fh^2YpRt zKn)zXOX9u=AoyzPim1c^bv@a-+z*M4WjYI>lnQ3#;qpZ;WdmJWSj^q`}8u zLyJE8H!wtcs;DrV;O+s#YCvZRNU`Z`t{rGtQ+7hdBipB5Z8vnfvyu;dkJqDL`iY*z z+Za*(^f74cnd-CM-%*tK{(wcNs?Q?Zt3ESBxivd$V!N==6cBhUbf=VAcHmd-dh+IZ zX#Yi0TB?Z&{JV=C_2usAQrf=4yITW>D9!|&pDBC=lPS)bQ0U+BNxT!7b)jPBj>hFe>m6UirW)UfI)SnQfHQ)vu~)6_MQ5tsfJ+DCw(iGbSES3#qsNP! zl|82x(bUjB87UeA2I~fk0XDOP*QA#Pq?h)>LQ6eeSbHK-{Vt&S3bY!tSlQ5gQqNL( zL|Xl)o$;x3`GLtT9BP>0z`%#A%f@F+Vdrg{dB8YTJnQ{4D29oL3opb~Wm2|ZG2Io8 z7a=F-;d*{C*VmCZWDZO`2e5Q5LE!VrVqDv{dtebP ze5MjECihhj+XecFmwOm$Gj_{3V{x@!ZtNp-iH5!MVs3kK!NXJoG5e*?R&ay&?YZ2y z`IgWgPRgL3W1MSAI{LEDy{jECB%DqlZ&*xfKe&p;h?@tFyqE^qBsj#)FebH8eIKpKB?WKyD{1mGqW7MFr{ z>VpAez?VvtTNHgpH?kZ9Nu+OkM^jo_Vx9}-PfttsIjU4Bn<9S#bh=LLK*sU2#V5-TXGc|}{kAk*c`v#bc678S z08=l5NTC(K=SIb!dRvBDcJDsFoijNv?7BAFP)s!B!^t`im1t-@NsG8*Hv^UsQ5!5= zXLY?-GK_OlFJ1pV=rrHv#)C%1c5eD`&Uq?*p;X^Gg-eRp^oPy%cxQyzq^X|otGF=g zG7&G-x>a#OWEfe_&;a;*U#|g8X%Qr)m$}K-ql~SB%1*&jJ09@0{O@1!3kimjjjzo4 z>(K}%rU*EF`dSvB9GE=TAN=jZdq1TX_o!Ly3t>e*bD@gim~hD~F0wEnUeO$J4PsX? zs?wh7Eo!HE_df4=uoic@JA=Q9y0*T1Nux~8=##w#bz_F@k=JGp&4V)P(N*M7LD??c zEmERGf}s5@hv8=8g3hSjdTLAGu5*d;$AX)dk;=` zl^CM=nAC`4jSU=u+iINk9$xdv^=A-6_-=BlVYXUs^bKfMDHL9|3$;t$zx?CHbwF^~>vSX~ zG|SXocAnZY5TDBjSzD+jNdfRoMTlD)^-kx8bAx*j8_R2ZD-2)2qFis5hwss30YUzBI%Q~$0}lq_PZ1-K;ukD@1g9^_{tgv8F>v=$swmYo;8=!wn>Q(fBE0))UT`@#5Y~E4yD;C zhzNE~Hv*MMN?+W);STKX@fQhi3V>v<@DX4hk~;h0%~T54Ym%-f`&-*AIEQDO@lU(v z928UgQaD6M09tzYf^~P;({I85jt{xgJ5SL!%pH|il73&PpUrOrCTGI>S(AZXt~F8e zz_Ej~F@E3Jz|2-B4?~3_10RW{n#ZT|X5>WF6Yj%iqx(ob`Hx zfEVs#xt?HYLJgQV+`~ix$HUO0U`2T{8HxJ%kZ<>3usMANI`ijYo!R3y#32(U;x4wZ zlpx``lmNWl+pT0SV2B^4_oMpplIaOm1Qj)NXvi9+SOF{{2NqKn^3URQqwtKeP-x42 zFRl59eMW}pz$S9^V-xwXo2-aBKffqE(HDMiVWuI=*9UvPH<5IaH&Z_{D+>qv5FN%D zkid{F&C?a>Ex-XA4TBI^R70aGd-3_Me4+LHoCpb9C+EoU=hLVzO!9V`J7WU1*~Ls7 zqZ689X}&9(F5;$P#qUZFkDPdHP3N)NlV01)J4Vf7U3ujiHtznJE^dFlf!QU#&pXGz z#H2g$sc)GYbDcIpq+}D&$TWCJ=S@H&aBGqj)a^wfjWCJ1@!}#Wg**`fBP9*H45bz^ zhnt%VBba@+ZQNHpK@N&!)T33}(?CT_niY@rh=6?k3(q+mwgaiKS`cd8E94Ij3 z(uV;;(*n~W@*?koy4Qb?ZB!Na&0M{)rK&5~E@7quwfuha@yZmF{nhn!4G>r4IW8Cl=UZ4<1dT(Xi*2J zc1x-{R+|Ut)i(%Ax6@R7Y`I}=9szwdN>w`vPR_(g+aCl*jiBx!IO<~N^j2h9A-%8i zIaWJ&tiS^6q}3S(u5R9#HMgKurff(vq+zSMNn@+}X93OkyRA82qdKhJs%BVV^TTSg zX&j=C9l0oScdDJI>K=T@=8Lvg3Wa*<)ba-rECl3r6>x{A9 z0>0{icg#ZEx1JgvG^by-z=qIIozqW|^EF@BGy0lPka#)8zAkxu?otxV<1kGjg%!M& zT|Qj~bU48`R*|`vdH5N3fO?4sSsXO&3uA~iV}nSoR~D4Z3pcGvO^+yoP8J2uk7y(>>!S2`m z$zB|SG~Lon74bpK@BnIlpWDUY6JWLj*bs~DuMZAi0K$4187ad`jm~#5_J6LAzaHJ` zD1%9Qi{b~TgEivQ6quf&kasCaPC{5ZTR9_Ab3e6iz7t_tmvxSsP4 zU0{zq2SaO`^<4Ilrn>jMMN+fRZGY>+_?@dS1?%I>lF)-$V><#iyy;y$u0mz8JX#wi zqzIu8>2iZE?ylPtIjl3!i8^b&0`bjfr@QC@YmpR*-icxr^S%+rcl{BjRLElup-Os_ zS$5e=P+@UXJ`d>^cQe4p&-uKXNNMKiQN9qy$WUbX{)V~_g10&0H`Htyu+*P&m)^%^ zRV^uUa|fAjR-v`yPBF5BLm(8Xk;nBs)P^_2Q|}c`GPZ3T7ryrYAnmQ=qTIVZP}Hq% zQ9wjMNd*x_LZzhLI0BN=-O}9+Dk2~vA|f#Y(%s!HIfQgK0}LSyop+7C=bZQ5XWx7N zxbxW`HqHPuPyL>?zO|^5wq7CAe!$Mky2_Z^P*E+TSvfk;R_GI|*Pp^nV&hm)?3w1| z@TI?%qH5P5u@b?ri=dsqcRZZw%Uc|}NbXwxpTQT}Y5BKwP-7^YB_AAaBsOvojLjjJx5*h7r5-xUIDG zk!u;>&I(O2`sWZM8vx0JpPFPM~3y0XB)a)fj_wticdN6$ynW~hQ1%nOq47qz8 zEFG(Wg%qf1COZPwoRH<|G8SO#{7i~?gkhj$l~-??C!1s`gZH4xzI#Ze9?+}awi z-2Wlx(Xut(@lNPihs*qMIbXEIz1MUl)h@zBb?=O;gRyB;&W#DUpGJ_U-cHoe$h8r| zh62K)06HV%p4FLy54T8yE2C1%vZ7UuKYa?`={r;uiGT2@W~8Y{YCPrVj!m_inyi|v z6k<-XQ2RJf-0J@Bf%DZcr7xdB^X09vKE)lNV49g+j%}kXXU=MzG1!;aZEx+*zM>%qLY-`(U8qSA>jWqj%rkJNm3 z+bBb;*(MyP&A-P{W+yAAa*Btl-I#o~j6kD2Sw8wbU5R@laW5^A(6Kwy+iw97d!vct zDRVVx=bV`5HPr?SBrj=dXuu0xT-AyY&How|A?l(j9ir_+U|{g}^=S*+huQLsmLo-o z27-$--y81Jt8Rv|3Ar+0XI>L%5c)RFoZEG+;IMoDq(^`U_Px`GfWui|gVU!vb?$dW z^MCd`x3yUDVr&(#by9ri?JMgU{!jdx2ij1L-BX1@=pfqh==pL-#p&?97 zA;;ehj(r8*&iOaB0Ll;tyvcLjYasT3TZU+jm*u{nkdk>Z$pxSU!)pbe3VTW-x^mgc z#}7B17|$P+6iv-jH)jHr$_xGc0Qz`)-i|~gDp7-wF;-vlNxX1Z-T)iX!gV39mM<9< z!lB|JT@QviG=yu=0(=&`VbvLsMo^kb>+HbmVLG1()p;b*`tD}(9Er&B*mXn=y7K4{ z5kSChn-!kKzubLy9;(5O?9X=;mx_W1%9lGLIc5hK)TN`^I4IuBPGtgojZ`z%gpO&b z_Z3NSmr~;8?);v&CxxcIVt1b3Q4A5;cCxcEH?2F370+Gh=t@>Uknz-DCA)CxTz!Dd zuxFvQyX0VZj|q@5nHgE&AFAk< z{JsPWB8VB^E!7Ig;t&Nn`GNa})-v(kyDL^^^A%h(gdOAo3FfROZ`1R8M|vFQlFl3p zu97M`kgd@XUpQM?UU&c(A)JC?O%nnInUr2CAGHBSw5!%OWdy4?<&0Ev45VDI$Xd2x?Puh2PCJ<_B% zyK^@ae-rCGz5dr}K`VQ`x|n-T%RFCaZxsglU$R^hLqVEma`Gkh9M|OMHOi@dQNx9- zg{Ep;GVcs`UCK$rl&Vg)grlSm=`uVx?&%kzKQl@I&5nls!f`zMJK>6f z$Jwg6dG7-UtrAo8*R?MTo33n5FT zr@-$~*k?tXQmT2zz`S=99Vkr+73QU$$|KPURzUNo*QY#IliXR!LxE-cK&>|u$&=&M z^y6J5bk}#Uy9n?V8_cr;NbXTyEaXf#S8qk;;2-cXu;EtRDS>Gqe4H?sQ4M#Xf?w&6 zMI}Ww^;-!|FEJOc8lSWF%6U&#y?Ls}LcD|N9pP4KCm-jvOKO>1#VPOnrsu`khK_15wNZ~4%6=Cb4=kjx87ahP9pKmt*Y{z zm-Ot6jzdR>1k$p3uJULF(MZ0Ghi6;JwXN$Sk)*EyayBmJ@UBgHp2mEeqHD=s#JgM1 z`Rq`1!t>;w#fCWKx#|8kQdm3#jxzz;X>=YF@e#jub+k4+Bj&Kg9MJauc&o_nl;`Wt z8UYt>tmRvIY4ep>8DVdBLFWin{xoH>Tp}6%ZU!=-bN)BEF;6sFCg&$Mo>IV*-e^(z zL^)PLJz0`_=b}z@VDU0ftU_wUT0c-mTH|*L!|tC~RFcJFeV}yVM+IAI<-$`2eQYbENpmxoUb6k7BA;N&Q&)qT3ixL~md_pPjskQ$T%{J}= zn|dv96J?c-n$XHnP*uuB(HAnCme!3+H|TMy=5Wd2n>v2O53A>@R?#eR-gB1Qhs%2= z;E%(2^YKMXo2Fi40+IN}^zy6Xpp@W@5gI()0Ud*eK$>or7zoaH=C{k5Bes+$TQPX>Q%woQqNb%wg59Cra~OXG9u_g#P>< z#LaXyGLZ6F@{`=>AyzqhszM(J50eba3oHcqM-K7zj!H(_&)nxc@Kj>;wNvj7!6`%+OG|`Q(+i1Lko(2B&CV=FIwd0L$W#Ze#&qU? zART6=B@1w{s;*L(Su@4r>+q@&DJTD#k4F{I_-R<;lUzQ4LYb+V*{Nptr5-mMj-==z zMTb8H)U&_^ufoqp++7vl;$O)(HB5L?!1qYqBKii|P1%5+o_U7#FD8P16R2JODwGd5 zT041wmN(+cbqXDtF&z;by0TLskih#n(O_$n>$amg7vt5c?GbwEoEEyH;sdoTbI^OZ zg~xL5#|dd<9ITue1yT>2bxtK1V0Jc~M*%NO5+V81=WsCPvT5yeA1}<~gl)%8)HR#k z7ik%>-ECugg~?6%Dn#oQL>BbkEMF=B56|*8`qX0!U>N`$SbHbW8lt~q6=0;%(>LcP zna?<13;m)j`u1Gpe()(BKYTo0KYW3uC!nj4dnQ8fzs59s(oFO_)S~7x=`XL$H-E&P z-&*k-6}NwTvj1NqC2+|XFMWx8|4V{^%ikd4B#R09TBDhk7JT<}+IiD800i>X466|1 zDH*BdSf_J+trQfq@6H$DzmvGPb*_HJGO^z{-SmaMZ}y*s%u~JtXS8tRVsRO)j{~er znS&R!R|RUPau9UW(^1cfLSPk09$@#f`pwC&SUO}6j=DK|b`M+lwugN!|5&bnlFB#U zw)*6mksPZU^XES9;{ZjSs-3kH6>v~nar?{`eDz6p8XFqVl-Qjz$hW2as0QkhUvVA_ zMS4_v58B3$wGSA{=*!l-_Uz`iYtpbyotQkNA0TZx!WDeA?{n0pZb4Fz-9xQPyaIkidbh@jW5HeD&^O>v>#xEvA+~-mMjvuBrONLxvxaeU6a`+o9e32!!J?6m0Ztyekvla=zYIGGgsO`V5GBJo zSYyS&_wR4zl03La608yX^`JhFH-evs1#N0#Fw(38418T*xsv&?*MsV=&XKX&@s2}0 zi}}O!y>yMQ2|{ec1=vXw!65Plv++Z*pSqAp)~Y;=I!F@Y=8etWItWnhk9=o zZGDdtwTLd|8j!AJNf~r-s*0<)|>@mI1tPUe5h56EQoEYh8xGN;JbHKSG1xCLLdRmC=5OxD77oXH*@OR$I zioF=bPatN&jB#$qD<=i`yaosvMM8Yh2jJq?sT|;Saq5k8-s|Y6NOyisA(xq!lJK9} zWL8RPz4Mrnb{7|emFRjS96{O=zn?wi>K8#+&&#-F`}E1o)^$3-9TW@O_14-&4}zlH z43~ahpSi-lBB-RLD1pEf)20Gt1~l7@?~ZDz%SmXQoMAG+Mb}5OCF~I&@njZz>N38h6ht_K zE#c}MO&ad}JBdkuU7{^r(k&x3T{)G5tf|DX?Iv0GS7oDH+p8tcsMYcaCs>GI-ba9f zZZ&APXo`B|sTlP#@Sw(p`{{|KYMGYXpLJ~>=0c5&=>MT)}KkQ7`yLto(ZfGsR$eh;S;fx8(*GB$gZ4 zIw@vWrkHX`ip@w|Q*++@m(Ok|DOcStt>T(SMcy? zSg(~3!ho__^vdzhgy1SeqT(sR=rDY7vg{$0Vg9D8cO^m+5j89dN}Y;>IY=BD&<%31 z`y`$b_W83SwT!rsJ5%U0DZuj!%81XDv#I4Dgz{kNg%6vEF!Z@3oFUf@7f!)=NFH*{ zbdY1#-ba@=s%1vk>tgI(14S4Y#!i#t;qgCzhWHD1hNrCbGu1iJHKAe({8LH_Y?rDoScpt1rTlz z8Jd$_Ov!n0g@jf{xyQ?ce+(+6h^hN1Y{`1>(&B2JeNRruvx_6%s-%xNIhZg@bIf`X z=WIZG@UT+H&+mG=-p!-wxw`3%yZYzu`$X6+E~V3UCR2KlFqysBA_zo<E6T#!cTS6dGhFo=n5{) zTUQf|w1)~X*NAO+zCv}2e3WNpDsr4HQFQoo9osMQHDNpc{MNO>@_3j1jt_*{9W;!} zcbupt)yh0OK~)EbkMQ8THydW(ZnCbAZ^GFT$EB;qdmN9^B8U2cv`u*)F`v{;c}at? z2`)M1iDm@t($bu?oEup{BYIuZ3~+WynfH=(4g?!tD)#7@o1Ne)&OEGak5S9C!`v#& zHZv|z9WEmLOU|fB7zfoaUyt^SY%Sfp$q`B-7nv z&(>BsP?~O^e)yDtma(mu?hiCPv8EkE4#IQ z1xTRX`6Hv%6K4~s$m=e{=z$V_5Wqa>tOT{Kgm^j-|NjYa>MN=LCnOAOSVq{JvwP9c zN>locBha~|lshEdO%rS_?Kp^V{ef=Md2OD3l2 z{Wp(+6n%Ka4j6jXn%F~PpYsP1WHh|NKX@Br{P@SBBDm|A6qhcNvqdmYugz#_sk)_3 zQV?@8DKLg0seW9+L7s9ienXza?G~8J)jjCES$qa!P1Xv>(wts8YMQXNsT|k{1S}zd zEUQ}=zV`!B;?SOtq}ACFLtD=_Tj;5(!j+pVw07F}0{Y#G{oAJgIO|N!XZLFHlihOr z*`!MrYWZ8w!%CX*Xo=)?AI{wNOQ}fPZqrs;BzUX-B?tPpKGjye+^gb!L%meDi82o> zJ}_wN#GRQqsw$c^ji?S1wJ|YxrbPrhTZZYPM=0q_e#|_x;pVpX>*QU007OEQmERT>I5kWGC==@@yiO?7QJ9! zq@73yDTFECKQDAivy7+8 z?aMzeots&1dEyVum|(!bs^ced({qXR0biLnb_Q^Bl$z!hfwG9TXSp*<`vw0jzni~vf5S}#2dpbVv3UI45+?LrnVzkAk?JLU z=;W2*v6c=4&%Sve?_>YE2b0g>E<~0we)sB6MN@}l$4rTP=0d{+s{<~e_Oz=~kL$qz zRVi|5nRODIVF$(e0C()s=vvsY|5GZia(%wGyNrJa+oGd>>Cs@`jBsisM_%;^$|~FV zHoBO(INa}>z7cE1-r|}x;kJ!MeMG4k%eEzZA?N@P%U-nk=U+Dsyv=&M!tOu}nGRPs zi4i;8mfP)b{T3|p+0{+%Nfh}#6;`cupZ2Sw;yU=kFd8r49(0jwR{O4OS}*kV?O5w2 zjihd!_xM(%RFhJOPAS^;rgtljbg{KM*Vs!K*(>T?gIG+;44*a?XT8q5J^T`CGSywO zIrDr)Q;}l}Pj%Rt7C;bj@ zFIsS|SLZ%Nyp6^&L2UA-C`*mSp8j4D2(Ur10<1>B&;z*6g6c{Cbe_LRNy{%?GJh?3 zam&`HGHT(A<|ZdaX07p6{9P0p;)}RAn5ZMiqt0TMj9ogAozLQh8Lr^3exti8Uii2s zpGR)y%hDXa8(;2IRW9wi-;ki*5`LmM%hjJOTqX)B%v$-TcDTLBlKom;X_bX?g+)0> z)tH6H&cbk9=RVXRNiLG%4C0}~Web*B_MtC3i&LO7efdR*>Rtj!3u=rs({hy!BSl2r@LI&ew&eb+e^&(%j z*!+@S@Z|v!z%JTxpMuEeqf(W#&}qC54cux?g}bbuV|p^F@lW9yvBFcakiqb;$N$fu z)PDZsVQfra{dS79t~Dlxx_VD(cYZ%g zP%sHUm#SnI_}wc;}#QG_7rhh1DNY7Nj5GiI_Zvxwhp*17%5$H?0)< zdpSo@io(eQ>3wQQMmGsoc~C%uf5&U{^#xoGMU4mb`m3)e^)I#pWh&QK4zyX^Pttv~ zQQC!`2gIRerR$u~TSipBkQfi0KKNLS!vnn3vignJHeKY7`VRYw%N65=4fgvBZP4BC zm+w6y@)xtZ-%J_0lc05N;v`p^RrxpoH6sX{IdNiI3-BFcb1Vk);j46c@glN#WX)4M z%qwxW6C zQ%5drouwGj!~D~wqsnW75{^sK*s2p2S2pvj^_tB zQTFQ1t@pyYwsQghT6^++RFfKw^7yL;J=XbS_ZOIGTY!HNygFW)qw8$_ZD)S)ug2lE z9eRu!NmEH8*!UkX#mct}4Omt?8!3Sfj!(kq`)&hx2o8!P`-Lh=YXly+KQ5M;_`0`< zlmUd0MXeGuQQ1EhVpr=i&>n9v3(0WYUYM#9Er|>_38hb!)9e z(sByq=S=AsP<7sZzYN4QfU8ssXcy+Ym6N8bAi)8#nr2iYAXM#@3Wr8>gux$AYTJ5n zg!%qd_LlOyR=xPw$$``WqBfiV+5Rr@pd%UmK)ZwP$r&wAQ*+Hq_x0hiu#4GyuBB46 zVW9nV23t>AQ58t&&DA~>C%5GskI~hi_PYZGIu!08q_m_S9_^=3bf{ENYAae5Af8<- z#B^QH6?QG3CZBv<5cyaU|_!Yg@8wFP=T$D?h^AeH(~xHt#U zrYg%w1=?9bWpaM3N!!b?0vQl*G6zH@pgU~Y8G!*8D0#o7Bbe#p03If!5z6jfDr%rpmq4}R#rcQ*NhXHrx{#SVVe|I2b?|C=>W3ZiVz*lra7c^nig`H_sQVz!Q0sQhPYc9s|;^wvGv6p@LA|t z1j-9I**=1#hbr+CNFVxFdR$uoEeBWA*D$yA${V5M4-L>kb=ggwIJtBcq$E3JMNXB*z=S_lWdjDt^1;I8eSX-+hv} z?U7LnaUj4ua4k*kQ{zHr_AExoS1I-X1hY&W{cArlJ;r_g z#_a%?r_}AN7ag`XLXm{C8ce2hYX(+~Tr4sz%_Cshfi_L-+fISa8F(wW#uU;xvW2jZ z0-oYNvX?f=1Q&mEx?LHF0!h~(OQDot#HuCd6XA|6UQ-0boFmYY2Fv*j}Da!|JxrE z{^P)9{WiGNO0$KCi79fx@e&_=ReUS!$ulZKqowduzYQJWHbuPPpdg|Vnz&sNs+A1~ zPX^WOH8XSpXZ=_Up0!&n1)U#=6xMefy&U&{0@fp6sW8xgQsr)TLStj6g#-aOS;p`) z1Q&bHRpea&%T{K7f!k1%D+Wwns!GGFaBr0XYG{s%bRwNemVvwNGP zi!wuu#g1DQquoqF+~|t<{KA- z;t=3DKae-bscP=5UJPj>TFbY^9^ZSK2u5brau5oh2s|*|NI5nuqDf0DP4z0thz(v` zwHy=741*HLq(H6bTEzao2y#WfzY9#IEx41#Lt`4)MNYLS+=>yv^C0_bXce})WsJ8# z*E6jDZ*&OXc1+%QYeGey4)z8vy1R};!C}N7z1u3U-;=j-FCEivN`|1G+4`ofucP{}u$Mbgdn1wvP7qSK^G&gM(Z*LGLEW=TVYePC}BqW$Uyz8JhY* zt_7rs?b%nLs{6a4DPj#~rs2$Iu&A!N?=d1#G^54r#1F8SBjU!}X$M-<7S@IyzprK; zi~I!CJdOclPgIpv+`;@{0nIRYSd=Vp+S&X`__L#2&iz64N54;Ovl{oZEvc_qFK_xl zyKL`g0c}@U)nyzg)^-J;{Taj&>$sC&F;YzWK(&zMS;v>3=PT;XjLYlwSQ$p>}we0q4XuNjz} zfd)IUH&ezzKOAZn@p6q**0%$f23V>Hh@+mBJ^~SwvXRNlY|-jBB~Uuz#+UyD8Z*g@ ztml&|qg!Uhu)D{6+Yl%;*}pS_WdGcr8^Pj)&kz?2Ms8p?<>O;oBT-*jZ`b>fJNUm@ zjjRqi*07oB*~zK-hKwE_)`tb5*~Q6bO@sYD+(eqCYHHWXNdU3mS)h6%LLbz2^Y8S; z*9g%bS*Gg(DapOHSzrQ&cR;h-M(71|Gr>(CR_BsrWWGx)irmMc@_uR{^$&SdEADSb zzPu3?vaw}KT8VNdZ@1R~-rrid%3h*vlqmib0XzkmY0jN>#_m;sB!T^|DhzZ`URYdR zo~L5~0Fv8c^s$q2lhUyklra1@Tu<&y@;zGt>U`%$jzUqw=w3eBeIP9<2 z9{^JYB`hG11hzi^%bueqPw?qMi8dP6+4KH`^AWbw=5H6Wov*dvkz4Uz5emIdqyJ!J8F+gqW#uuE7WVbuDxoy8Pl$aUP zTV++e?V~iq{qGhfBTEz+QyS(fe&NebgV(WJwr2wx^>}Ts1V^bL5I`R!ZM89(v65?H zK&^`DZ-q;i6+zkpUGk1O1Spo9UdiK}<4nJ*VJ83rN8OU#g{wQ27}XfY?R z&c+z0Q zkYx|%NGm1whi7O1Fg7(HpyF!cxP&A7KKK2XSEpqp!Ya^n972MR+(&VExQ76Xcs*3y zBImvaWQ}d!SwOEuyWeEwrGqu2W~k*=+uZ%3XzZ9?rc&orjstI{NIX3qfU-S3g)u>H z$Dw+3k$?A$U_T@8zDrta9O{0x_plXh6BV@#HWx6%3TkB~5l9KyBdgf1$O23!F|bD6 zm0$0lu&Je~XXQR~m3M5Rbn>?ghV$t5RiSK*PrGhDP~fn8Zs`R(7-qx>BcIiFwprAF zh&LdG+gsJ7X(`xpP(Qd%maHm8k^U-cWA5;bx{XPqZ+b{be5F`(u}Wz|Mr*ImAMRRB zj>MAq_2=!`9X!CFqi1+fY?;LcJ~vt+WlpV( zy6cwYa!SDR4I}@UW@Kx$!-08HBiDrBm_`EqImZ*5+H<*LUF{z^-Ufu6Az7HR9)!i{ ztw>^6dE39aYjoI%xxLQnx2C1CCnjZS#VQ~pc~@ht&+`@sEngdPT`wD>9xf^h^Fx}N zOMlpIPa$zqX7pFNMRp;)dM@x?lBFbrK`8xsN24!dD=W-u<$5Iz zh!}YO)l#Bc2>}M(#syCq=4wxklLdc9TD|T_D$m)PtHZ7Z_}i)VGhk5K&U&Ba5|5XY zN$+t{hhvxQWw;sRyH(@|CZ}f~BNVy4EN;Y2|6rms?I|N=|MLzV$4i&|PoS;uW+$)O zvyk%Eh{gHAy+z`o!)-wP5!KlYw$=@~+QQr?Zp5=$<+(NE!4V0d*OmFY@RkaRhW2?`5K^6d04~p#_JUL1*L6gSuR*} zl!uAFuhnTUwRaeNnf2e)j!M6fyY@-i3n&x&0@y{7Z2WSHO}gsa-FA-lV0eC1DqM=u z`2p217)V(EoBd+0dgy3LYf{y)Nma*xq;`vPc8%2D4xhJDE3@0wfp=at?7DmH3x~~b zG-uqLZnf=^&(3?P%XB?PQ1xV^lo~J7EEj_?C#YI`dTDvLHzBq?1pRkJ2}QQoY{a*A_*+!buV3U}$;otiOuFJ+s~Euu#y2zajPrzoZfd zGa0}OxuFx)%(AnJnKNZCq?}9Tz)XJA-#6&(<96Ln6P3zc`RU?w35NpZpgbm1ah>H}-B)hLOu=&bEevsd@~W{I{q}uN(upu)xP6bR zx=CgGRFX{LkVJ1&v@)%mmeV>LW!TNIqPLOlIX^rdjY58}evE6v^r;eB5Lqa-W>$)nJ?sUvqzdl_-NF#HT zEwd=nS0!J{=!6_Ry$L3d`UrG zLdH8kP(u<`tG>WWx&4oWBk9!{k@#+fw>Wo-E8ED3e;Q^fP^9g0=TL$9d=wvOz9DM_ z?g^33l)3F0B(~VQ8UNvUNqQXQV8Y#LNCzgL`5BMH3W3&i(+JBx(3mYB)_ttGO}75)hG;&PD5NTlZ~8J8~aPJd!aMGETV6 zr`yYV5566_>LmJe8ID;-^h|+kOj4f5abCDB-)KzGqDV!?$!K1nRXlVbGHIm>;bf`+ z=;R?qAgrT;(Uu!XuRn^03Ye45<`$C#yg41;?Y#LN<6u>)*w%UVB_GLkiW^sdc4{`4 z=6^TDe(&XNIH}3CldKnXe%PpUf4slcy6wOgVO+C)luRdlh;-^R=M7PBl4`3t=J9^=FMZIzw>Bi!wEN`7Ru1} z*hQ-fAxa3*19AetqFJ>SCE(zazU9N`I%qPZSq0`*As`+Eq9iLb!HT1R~odRVUv6gMR{;SEph}oRjY_y6p{X z-LlCmvXU=;Li9o}MP`NUP`Vl4JPQ*n))5Ew4?(Q-R-}<#-gn~r1GT=3>?eL_V_%+( zZW4QC3|cZ?p}6!GGLD9+n!6w?2bAc@>cU>sQ#B=3>{M|8Cxyj5p-$a1We?)bHK?ey z4xEp7r#yz=6hCx$ywH<*#3;lH%F1)zQ;m#G9HD6V)LX0l9UK~U6&Jl7@IhQ4DwAw6 z=u(hZCS8L@MLuePHn*$*$;N;|05D&DWP$oRU>IJgd;GtxF$JpO?LA`PR1=CR7S>|~ zuOe7x=;I)#gITK_0|=+>BXe@b^YT5W7nF@si<2=R>I4-3UfNQ)atO4TpvIawFntwP zE`ji?c4!Jo8V*M}wt*_dh`pBr0)?FA$6hxptq}!mn^eB>+h=U>+G!fzsZzUf1%J5s zg8o~yN-=bui+h_Dur}Pfy5V!$^M&!Zy{dNPm+GOE2M;k4d27ZS;4ir>D~Y&_T`;Ip zl()*XJjOp~y|cgLH(|GH?mO7eQo*dwVUD5fnXJ+z%NpO?Mtl8q*6^}&3Xlz9;USN# zX7fFN(AP%V&U1};8q_eVO#&c`k1DpF!Pt4ZVM{MK$v=YZft0Lt?dqA7ZsW}z8zU{k z#yML^A2DCtuY~1^o~)2?JBG{ho6GI9?&F}yWK}8DZ~T5FE%(fQOh~`t^$6b`}x$d&UK`J*_p=| zZyAw3_1z!cS-*HLQwgcA@Du?g;K}Z>y<+e3t@ttt45FSWRi+}Yy25{@PioMr)N}$- z^yJU#o~C!Cy05de?bHa0wPGyWS;XB_Z|Fwv*C>36BC5us-xaRxtxQb6eNRuPxh-q~ zla~GHQEQ2%?RJ{9fnSoIr~TnB=-cz+eu`FBPBBToihbMaP4MjQ9loXr?APIVn0>Yq z?E-f9d3MCZcq^EoxOkN3#XLbqN%|vK^9@`Cy%I)9T@DKEzu7r{r){-Tg^8rIC%Vik zsL4Lt`~2Vx1u0Xmn9jKG&@bY708Ljqu%-7SvPcV7NvN^!_wxtUHH(`xSj5)rUAYy9 zd(BTMu!yn-QR+vI$No(uElR#VWJRaqgK=p$Uyj$z0&vPADS6+b=b*lY47~|A6MW*k zijf0Cdt2#FMgdQSlP+BMk9^h@7dV!dnsWBER$CJRXAi9SgFw~0vf^R3Q*o03sO?@l zJwny#kNL1e5W9ReT1ax}2DspbmxHi zf(18eQEbmW8ucWf@KnxF248?>L4sD~PmnbNw)U_Rvdd?9KY^}N&mo~Jk0ai z54FD75_FQo;P%Q_LF}G(z)sz0R+wSn5Cpt{J}E@up~bR(^lA}bO?f%5t(9l;T>-Ib zZdXX93i2Yu-^-P~xpOGt1;HI{1GIbv1E4%<>tCB&FIj&uCD}AX_QetF-*tvdX3CCT zgi0`i$;^1u*2!~aaXsVw)Q%E(PMQiKJ!6Hw+`&&o77q$aC@Q<22qNZaM@;B*A2pO> zXpd+@advBXT#I`R8mFI^r-x&Ik6(ECGg9T(EB~^6{QmwIa<`H4Tv>-pdpi0B^ zm8MrJ?!7dJ<(}F_nH724vCXEi41$p%ycz^CQCeQKj!fxR2zs1Apw3M1)XP<~_h)KP zzZ6yd9lZF!>!j57Am>=q`*g+0VifofU&qW>y{rSl#mn-hy@mLo=lFO|Gir(L^^H@Y z$1&!Bo2hBUYrl%Igp{){&$mKKAvt(B){GwpwXu|_^$YT5q=|qM!-U z~f_)d2|}iUa+{8#~ijXMp?EOLY2vJ*Uto;&VQ4$jhm?cX10)2F(IPCr8iN z?6C6Q@vPJ>ur=fC5D;-_T6nu4l#Q50rLd>5rMCMoVMJ5N4@e1tP$PFvuh3*<8!TS7 zr5ZkR@R4lo5nUBNly)20hVx_);%DvPIBGMg02i9%xosLLR;E)cG%26Lx|Eod6GyH4+Cx@b%1ftom#b9iak^&v96-Z%kr`aocSnV>&D3QJzve7kZWO)UEl zS#c;5nP;8p8CeILnYj2f5d8P|?n5d^IT0h!c(Z%g=>dQO^ZI|A7Kra`0fmEOEIgZn zYmdsn9RyOc$g*>ExcCW3gGy<5GZfdQNr1 zT)+7WUiw_8Cdf5mFU3XM{u1j>j`KON+HFqKfR)LT^+V5h0&~N+-H_%6`Y$-SQY*(w zVk;qc#_!JGFmNzvnN|6Vqyxyy8zmU4-~PG#Or+Y$3)}hTR~I1S2Nd~`@j!OrEb4_b z#8laI>k@vdHkx&C_+nd11@#sYH=|$-IW39jZH53pP$Gi;XiS6IEs$VwfZH2|OtJp3`y2fKcP zSNLSj6~qw6kCiM>4O7B)UY?(Xue*#ueSM%BjM`H-wK4+KsnResrkD>~{IU}>$og8< zng8w)WG@(&N+%B(JGhT;9XR|$&<+v<=H3q_!RNWjMT-r6ZJpgpIK05GFT$o-?ew^l zknz(GHwXVhty=r5;D3Hzlbsa`hU0yg(gzoL%!>dAf2JDhFt4tXAV~<$uis#&5gElL z5oM!GT{!s=P9B9fNjvpRkqq#zK^;LLs9e`wH0Fuu4U&Pw>Zh>INj?BvbOfdfJTjNY ziuSfnwCQjFrcZh`4E6QV8}rHwjZFZ%0*)md>-fVID=In?Lw( z(&Bx;me@)JfN@nWClLoi-#|i-_vaG@_Kg>U^H+FhJy8<#}r{#6A=zcfxYI&tyR61^EuY{LLJ?I4GQCTv8I z_dUumy_e!wBneLI-%_76*0e+Y%y8plu!j%i{B1#X6)6Nd!Qj1woBz{)n->L6)*a7q zf7oeo@uGEta}L^LE*6kS6U&N=(8M%>Pc^55|6j=nB2Xzb*Q0po(fGuqp$ebBD2FIo zHx0C{;KGDqT)@O(QBp?UxfNW(KCW4WL-hcptw0A?9qrNb(+o_E2y_jE_}$Wz)r;v^ z^C+xo8)Kkrh;a#hrt;D1Z%v549tqUQkeD3txCR1b@)?OZW!xWk?gC5xVvaOTA@a?K z?kl;?^ZWm#sO=THd0Z~kU$xVBI{0~4l~j1J|1*x8AUWCyJb-1_6U;}5-rt=Vqy4+w zQd{W1oT?84n&y5wkD`-;Zp7u>s0M?K*T#%36s-5JX}R0JN41m4#;mRg?K|2)s7esg z8awZUsm@ToZ7OMiqnZ%s)Ypvr6K=u@W;?mNxBvG0Ds?>M?sbpD?x=awceq1|SCTlJ z5x4L>=Ac5}yY^e3sa-&t-yOjpw1s#-zjYfs@J2;nw^-j14(t~L0Ba$sSTIB`u}Gyy z=RVVCCh&S2P6y)Se9lts-M#z2Wu#W)n%)}S?FBcaO0Cy7Kn7xzOi+Bh(8q%na(0PC z;Akbi;I3((e*DB?X=ZalEZO-i1yxHu@XlV?btgPu`5f*6G!6f4f}YPVW89pCPwXtV zZXr;w-av7UnM@VI?dOLw`=>W0(hu^Vx}D?(GlvxGz#yt` z-kaQ3dGOl2 z5V}eXul!OI!vAsK;>XUE+$Fe?9)~*Z)z;`HxTjpAy3Pxb?F>F2*5FYmY9`PaAq zCN=%HclbXx@Sjzs|JSzs&maByaVqXlyh&CQhlC#=wPd~@lxvd_`#upCT(@Sx9WcBb zxHI8f`8&(z(1h|e=oB7aS=_v({7K38_l%%lYR=WKa^C#EHv{*liMYLKT<|{iadR;# z?0jP)_&)uk^-Fg4FZ1(`Bg!}KT3foQgX+uq`7yX8klnYqwo-)q6$8wvY;xy6t_AygEvxRNa#wkPuoD)c z$tbqt(GpB}w=?DW;gshvkLH?bppwH(S(z?680@@b9+3d?fd^N;%JX+&tM;jWe&En4 zrhV<(wdw;8&EwEdUb#ufi{HJLZ`E;H3LGkuhoz@)I)t#>?)DlYG%9vGJJ|1=v(o}++s&+B(-T>2n9M{=JZ*LvsS;44zCYXnSw&X?b>{tU58 zxM21uO%=dUL4R~mz2oHy<{mGtf|jcZ&&>+JT@F9|%Y+NIY=m;c_H&BzzJLb#9^c@cct;7Qkk7;>$xFIEIW0(IcomO`+>Nh$lsozcosZlW z=w*+`SJy4-)k{`l?iCYZCOGfZ9K^JZ*OJ_Q!Et+g5rF`$L7qy+fi?nUD2o)deV?ef zs^_a0I^L}ZI2jgJ)X=_(EMr;os+>$NWgE4TxNmjnPV z5ZKzFwK6PP^bUXPUiKG*Idb2^jWQxt?TU3V4dk~kp6C)KhO0mMHK~!Rj9YqtDWtHS z&{PJ+rWM`fIr_0%s~KN^o3)hF>W@hTeiHZS5+M z7Cm6rnHW9a0`>A&P0C80W6id~wgpDY@P#FHZQVYxLyi0Fwa? zE1`Wg-}&nV=bjWw{)HH~JTcr9-_mLK>Yg@6KY5bbPs0F+#3{-3JO zFQ&;W4CBDOFe7TJtaYd)vYEi3#ehR8(4myclwq)}pjH^H3Q7gn;h<2(Fc-GDnuw6H zbsJg&@~0O1VT9IF!(0&%ZHkmiOI^hl0!XVRB8`^%G`rg6cX#rgb8^n}zQ5-=Os?;z zC*I^*{<DpIX>2Z6e_XRq$4=CBWWOO5#V%Fu_iBXhVJ3j^TB4IJa@8H31bI z3^kMEBB`CRHw3m)lhkl~34;qWJncW1HpI1)|JWr_6h4rTOjg4-#AwWlxZ+h8K2t5! z>>qAN#a=LJ?v2lO=7a16!3l2`3hHW3X0Xi(K1cG&z!~#e<8Uy!)6$(claa5u5by-O zDW17kN0e=@6>-t`~*hY?*Y(Se+$$V^ITtJ=}_!7e|V_)%IDpI^Ex(6>OteKkIY*AR#a zo+KPhFT0p=m0dJLoeT=Ly;*P;&2wFdkmzWxUmvdriwqFCp|8qymq0n9XwC*6v(9k8 z>Zr<&pdZWt!VsW5TFy~}y7Y5Jl}v%L}LJvo!t(aE0WXKEhCoTFxyPK zrybfF{;5Pa;~~ly6*04D_0!T1h7L!CxiLV|?Mu0RY|<7|DZ&th9e%m%Sk-A~+cKg0 z)&+ea_TJ)|-GR!>dHx{LR*LMG#$<0>UnJqS_jk;gbPAdY=;Fyu0?+GO=Snt(Y`Zt} zog{9S7qSeho-Cg@V_g7hZ>i~?{`kfNUSvjpZ^$nsK;nD-{|U{RPPw=j)I=) zaV>IV-+rV09hpJn?wGa;l$laXZAz!*tYeS-yl(LoKe@?sAaOJ4^2N-N er>7lNLa*0#EhjoUWw+0D>GwrSI#a&q>*{x+6h7<# diff --git a/sample-reports/findings-table.png b/sample-reports/findings-table.png index 28abffef37053ebd270bfcf32e66da2bcb2a0dd0..948e9ee19effd9984bed0882561606441ce74f0b 100644 GIT binary patch delta 155444 zcmZtt1ymJX{{{>XAfQr8N=r)%NOuX+-67rGIVghCBGL`g-5t{1U5D=O=9~L@?&tr0 z?^^F!vlg70IeYe=y?=FG*RH>PSvZAK$`}UnFa@8Z0oN6ShhvM2$?))BbKl{**5srd z%;rF!E4E=S{=Fevh7LIeYjN>sJBP&ww+}4!dhYh!YGZt+!v0XKwd2Y)s=c%R~~=G(>d8}vSX z3GK7Corey#Pm)(;WQ*U8O*i5a-so~Q$wL>k^DqXBs4#pp zQj&1vavSYxNO)PPs&3p=&}`v=*jd>o9CgNPs6l9qdhbQ0l{4i_6i}R^igmv>H7zg< z$Rb_toxJBLuDgd5V!&mN<5bm`@6HMHsu@AYFk0&|F3$^k9U#K;euSN!#d0JhKcMa8 z)IMI&ONmf^dQ;$e%Ha@Agf%C}SZuGc!6GlL4o}*+XXCV@+-Yzylype|%qht^Gnz_O zY)2N;M>ng`r0`7`P2YRFI=x9fJeTInFE5sa48+U0o}LGMdGIpbST`}=yyr11Cr{iM z@3Ps?{n9O;Y~`)Ajxju#44YDKE4lY{Je(j=#>xyGNRnGb0y!_zPlBxOzgXV1qg>Rt zR-R&>uaL^$`$pb*xDSKi^Z@lEUs4ev^Q+|pnJfh*wzH)KRpRe>PEYaG+4<$<^i&jA zEuvdv`&x1**#}z{qpLT!`;hEK9M5~l*>7SwSeQ+cZs;bd3F;bMj9v|+Y^PjSmP*6}15d-e;y@8)nS^S>or8PC` zYHGgc+mS6TEz!|9QN5@yU+&J7QKSyja7@%WnX$98Q&3PyNOUhOEZp9u6&A|mjL%wE z2mbRxik6CQ0XNpxj6Q!(OHW_f+e=JNMgu;5`jn86@b~XuYmWK0whW{0@DY{i#Gz!~ zg52D=gajTQp3U`jKuB2lOITPKbSKnOPL7$XDo(sij3gy_WNt==h^VO1P!e~3e!d13 zL9O$}M-vklZxN-Acxh)Io9U&@BBJyI7-NAv(UJjZoIBkj?}lTNl`vO-|20Dop{xEb z5IVxIEs&ymbMuPMP8@l?R&Lj5PB2LLn;iMGAKQ_D4jM{L?S#>t53Bmfyam4}PzCe> zKn>UQw6l7@!l5!N@$)lKUJfvtM6Wwm@Vqc$33F0tg7m*-iIq;1%)*E zr0S7On`r_6E}J_y&_$LJaDMS3;e+orc-?zem<<0^<2inZ)^JBWK?=NQXVI$i7G7Q3 z3%vDY+j<;b&_p>{5Flg8D$QLtuujS#pPwD&I1!f;Hee}>Yp~l6Pe!(~;zpBuSy@aY zPEWs5-!zetYgeGBWZU1!ZrlXnv*r zyL<{Cx8+1`Qc}{)%*@`jK02*Dm@{6GpI=#3b#{8%*4~bTjr|V$<@feTWM*e)=k;U> zA|gHHx}fQfdxrY@da;b^YF8yCCHgB_ZEfwxjN)Q+AUHS}6%})bY{`(R-Njc*Iky7I%S4w1@<2F=z0 zAM>YHICy~$qP-uR)@#}*%?SxhsYU|UaekX_;dN7Gw|LiPDM|Gg5EaUHqrT*K+8Bzb zcN>&FN4hk(GcAl&S5Q(^WwY8*b6=c91W(!kWRY#c-zh1+TSLjvO2hJZsj`{B+#byo zdr!{AHPhan`PkOk*{P_g=(IVYsHF6(*SJ51F{%Zm0+AHd)k_2yt!-==qk4aHKKMlN zTQ|nk*L!MdCEUXxC#F`MTU4a0rw932Maca^o>@~v1Mm}i`~3NHb6B&FrsnKlf8?XZ z2E13V{BT5z8yi_~Hy0ourd;1r#(jA7Cl%FJHa{N)KQUZbyOw^-rWuY(`e} zX9)@Qq@|BDa~eAJo@<`x2g`2-fm(O&xyjk)x{8mPqfkC^b9d?z5YVYUOo{{o+Eyr- zKcT)8kJL0sQW9`^JEoS782Ed&?A_S-P~E%w*1)9Gf3_svjx2Yu-+Zww4b5yCtP7c@ zx&I&&IXKsRCWHc`kWG1rxQ1LDo)JQ_HpZ&99yM=CZE}PY3W|At!5c#JtKC&_ceQ9_ znIo7XJ3BBqAn$Qmk9e1v8pIAt-XHMcC+efiZyy#r;_)t$Qu9*O(_69k@DN zT(jp2V{^8*uXWkOjqOMD`}+0kU?L}Y{xNZCY6^<*9j|h{1)g>%!Ga z&kF)pW64Agn;#ue(+7(U>U7bT(8tQ^?8ZA@2A7nSIZ{$eO6v6NY~$%Mj(uIM!{e#i zX5B3n7%6d^wi>PJ>!;U_NAMR;Wpy}DxR^JFauC&!{yuslexA7oL|FaV=aoha;Jxca zYr_@k(VUa>HrSIF6Al+!ykPz+H<;@ZHo9h()WpN>>8zrxdIKA)8?@=q3A_6#+|-ER zb&GtZc`+S>=#=AYmeW2lGcqD{lvselSXkwF^A+p$7XO^9%h}FYSN~*An06G6!*<#d z88O2AwcFMC9*5D;uZsdOXVhGlX_l*fiby@`rl$1166`g?eJGpiDIdJUk&7bz=21ao z_i*KBr=am!vcZOTzZ1C8#ji}ZwN=67nJ^%5Vbm`*0x*5}# zUM3W+IS2f|Wi?RCBASaGoGkq_Q9d^$ig=Wx^q;_acXI!?MIVZF0pt!SEa7o?!(xVI zWq;?9d0rg5W-HRF+jhbGg*0s}&U6eUi3Evx9!#y_x7cmk-)Po}v&CBX_AtGLCnt}5 z1MC;cK>p0|P%ug|D=*$-9QPqPE&)UX2rT<>RM{;wZ-|&kQwf?8C}$<&b&=CaXEHm8 zXz2Z!%Xh9Pyyd-&%ylWk*SaI3Bq@W$pwK7aysaQEE)LW>?~Jv7$G}Go)LWGGlDvXG`{L%LQ3I^KR+KMGch7oeQ9xlvIO}P#xu>0JelO6aynXc?O8KDZUS~O(KQJ(Ge0=P2w#h!Ta4=uP#>yIqK?*(b0gFbCi<=wD zXdw$gfAhX|XefMm3nb-sq-17}m|0QG{1_?uCz@Uz@~;<=Kdq{&;`h3we2jK0yK%Kr z-?QqZ>D)N|Mjn|T%z9E1=Cm9{!Ao>t11#HL?;Jc4|7c$5*ms8f69cZaz#9pa4nqeE z&483*4n3RZpj!ag*ob~9gOu25c|!?h)a9prNTM+II%9ARRXelyUT_{64lrib6gDV} z$^Pi?Ike(1$?h*4Sg9^S8~->tZdPpirvUipi|$OX)K|GiFxw+@^43w3X)z~g32>9?cCVUa6#4MY&zInt-J`2J-1y7L9mCXq! ztj>SHt#zS79#Hy8Cp9v@!fp$x(eu9a0?yz;Sc7x~Lxa@adnFY-D#_ajCz)6lW42!7F;35? z2%vje==tCN^lA-RbfZzOpMO8Ue}mekZI=2lF^UE#K=n}0#;mogscCjfN{S3MJrk3f zx_WGjc+PlGF(+Ce38kKQz-ZV}Z}lKOs0&saF2bJ1%vIFQzC-@0n^pKZ**D*JGKjYs z_!Mo!Vs^7$33;s}Q!3Gte>S2g`I_I4Oq&Q@rA>WUu|CYM6m~`cdW?T11RG*q#Yi#m z;rYR#e-pqc6Qhglqg09)qw{H*g5H-xkMYZRXx?(MiA*-Xvzd>i_4M@YO_wOY1F=O# z+XZ}XKgWBcB@x>UC(ng!_`MQ&{?PNrdG5G5`M!}zdCbY_G~|oesY6Xo*?U&@vCcMO z=rQN~ky0jn=^Eq@BLd2-_&=zW%ANs!BGfE96ByQC0-G6cZ*K*k?%84xM4%y!O!qEm z3@>P4^uxgoWqfT`CoiiEXTCiKw?86a<`srBV+Lhuv_UsQ&nA2JX8Bsf-5V}~xm830 z?RlqCio*R1`V<9*jyK5vGzQ%R=c@Px$W9OLyD-$W1*>%kCzDu6P}#B39rb=%p> zNmQF2OSh=RP0oTuKesgvT*$*QW?e@4CWFY+C@P3T8$t7#1*gY&EN3Q*S&}-cNq-*g zi;!5(IKgj(*lsfx94+(izlI7e74fXO*yWN8>58=OjQ&Rzdok<$NPV4JUoPPG5ZZ42 zO9kE*V(4oJrGs_?tqza359fv6tnt5O+@@Qxlv$=Ue~de6Of=#M zoY5|AWdlXh-`!g~D_Mq1GE{$He=}0i6pVQ{ejpf26IbOdUE1RHbok|{%u~-`CnXba zFDEzmogDGv-FiTxx?NYXE??xJlDUc6tVbt32eHn5za)spzJW2DRq|5>i7}#qEJkw5 zj#o!Tsmy%JT-AgM=wYS{;{w^(a)iDJTahkL{)Hg`tNMRPd7YBmSIRU81Qx&Q?8z3Q zU39Je?DISIsajF^JW}hO9!!o^VgjRL((m!Unq4ka`|Q(t>sR^+4f^?B`?Q+jb|QxT z@eRDL4H#DXvl@;119hZib|4RQh@@|yZ}8r$Mf9D(R?hIb5fQwQq5!$1mO9h^$c?iu z-}(nL7JOY^ciy?U*H0weKDv>E`%9xW(FG{qGWPFReHRfXRe%4$M)F4oNaUuR3914D zk&0khM}A_rG3hK!5`wu!Ym;`FWn0JGD9ZlemnH~Lz#-=G=2a+#H$GSBi{b#Q+4i)ay%V$7cXS6Zvi~lXtM%eX7 zLE-H?eB<-Xw~>;;45q#Yc``_pnC@JfcKYnn0;cOl$R{-<9eCKWi3B^Y7O<|RzHgE( zS6nBXO||zKtX58$)hXyuT@Kja?}sJu48;lS2AMz;s;R2W=?dCUPYg6ZbeDvZPCb|# zV+Y8juoS~i!|vv5T+Uo8wCjECG{s$f6)hY+i%S}sin2})k3)=*U829!p(i!AZJ~e! zV+TdZj$4Xt7upeEB8v_~41;cq+vnj+&cm)O<8{ki+N(p%Wn(ir2G_I4ig}Dx6zM)$ zRF{WFqKyKq25^0A!~JG6^S(_9>ZtT6h84Gt1YyPN2T^ksI>2}fhcv7)MO&c{?>U^1 zy0(w;(@;z{5?&_BLL+JS8p=VDte4x#w2J!8YL4oHHwrqGf1OX@fTZfW2h$E&<-wLN zsvG^IS9VJtB4#5El~;-TONilu)n8G8=Fmian?om2_6S`T15G-0G^+(W)v4fc{%L23lD8 zRb`@oRzMyc0J+i$2M_F*b>LN6`|IiR%1QsZdW(G8y&ZG-)(t|8Zj3!)J{MTymG%B| zahThkxTWhSO{$Z*(W%gnSyK)k0a-Wz_%^yXSc=Y-xDLW6)BIcR0&?%PFO&7o=7)o= zHwW*AFG*X72=*6Cygr-Sjy__kFJIIa;kf9K0233AhN)Q-j_&Pu0qeNGi3GhwHG>vg zywb$Tb!#XV`X^mAQsr1MR!h1%!gpbv9g;NcY)>6GiAKn7>=WZJ1+j>IsXfQQp7+Y*^L1$WL6?ESo7C+NDNG{iV1R{$td<#ZOS~CRzECARaNcWxy&MIesSg*&w&XIF};&0m=VxPh`eEY1nYVM z#L0A>qTN-T1{2u~WY`LxIMf_r5kR=6X(0TU_ot`HUGXU584jZLY&hF$rbsVnH6h;v zC}`<*ZoJ?@a^JShyV~6c57Zds-=-cGlb?u9MEG2wQM@+DyX<#bhVc< z!Le5*?Gm5^Dr(?lxh51_Wf>w-Nnhn>rSBdb{w#AfllqAMdU@IL#;bjJ$HM9vviqZ7 zs#3LD{!Qv$O(B1S3zvtWU`0Jm1iQpMu{B*DsoZyEcg{A`yp@ZCcMiyM zI%OZ&kL{~_8Q%>uz6+D@`^l`XZ_Y*X;wo9{|iI3hrsgZP%E}H!dE? z>4w%3V9jSL&qKAm*SAWW^2t`nYY~S29rb%Ga0}|Rw5(IgV`#|@{o(m)K(9){Tu4@2 zQ(&?1OYx>Z4KpAlAuX$`y0d;0=f@!@k2SvIOfVV&xkY0QnB1saN=mb{w6(S7-ryM>IQT2a~`uM93#|` zZ%4YR?q!^X9qRDn{}dE0bxo=X+=AIc?=m3Y&-zJSx~Z~p*9CnR5fy1sNIh!M_>bv& z?|6tbeclC6sA7T-AN6F!HwD_?a&ReT#Y^eqxk6uEmxhkirPeEED5 zywKy+fLIxIlYBZU`IMX(Rh2#Syuo-b$;i%Ue)$PJ$X4S*qX?Y?GRa#z$dnWb6fv8FPIDKl?ZA zV5Ev#YTUVQlEmNDyI1n)%5ZQrWo^;_P4-6Ig6?<9t6AB8_Zol7;~r%E8TShj;MgpB zX%FEsAymIaU#p+Jlm_=|8~Zs)Uj&fz(qjR~4mB-~Y?mI6)Un+y4$QWFZDIJ_0l>)A z_&>pnW>~q7@3FmheNsEz-oqOL%Et-{i<=0rv{jYeZo1kRJVp5`g|wB~x%p{m8NY9{ zzySx|I+8*>;DfIap;(N%c*^N}sF zPrchY`_we`*c#?IUeRpy@0j+qaTQf;I6s-&)8RYpmwEAHYEI=9Zy!U^E`ZjdzHfu3 z<#C~@ffob4j9L{NpC^hW7Dexi7(=1F{q&{OGm+7y%q=LZYxJF8={})7s^tE6<%sw( zawUM7#reh-rtVv#PEJ@&UBgd0Da%8d&mhl$W8%6O=#qZVW6}eDA7Y#@m8Xl&dsiWG zd1P&4`y5#0xjw%B3Sy+JonFfzb{+eYiFt0lW&Wa2d33$OgD$VG-2_IwrDqc*fBWla z6231r&%Mm=kS3G6YFh}Huv`3MOYHr~>kQg1h8sa`eRH`)0J7ovDM!xsCmVA3)9-qU6Sar-G(6DPf1F^ z-lg2trQEmWlJ(yTd<#I1Qoz#9Q(<7Z!2?D+;zV_ zw!)Q2Oktn7f9ua{q9=d|P2^H*5N8s4Rs=2WWWU2SPqLP%aLa69DNIy)B6Y#(P?XFH9tu{T8m-jAG zQeRvfDN?Kt%e#3+E*_OG?DWKlC<4eOGz!OuxEE+R$g8DA(5$po|9BF z9>jm;^xK<%?yfG!WMf#fSynSrwSQ$!pP<6>xvJsG;jV$;{UB( zm=YcicbUfNTc(|p3T)t4Y)Dva!JylF0uka^i5#UJ=Q;ISJNBxD;9UY6w8;{Kw6Ge? zU@GtQ^(b4BFLLS1f|KWEGvbJ3;C~xjMuzb5d@F8Bz=Vn;hWBeA3p%a-b>5uA`yCa6 z3oN9G_Yi6N?^|AUQ_Pb`6eY~XcczP%%0BsK7<6v*ap9dYW|SP&+6dwQQ^X2A7a0Cs zMp+FnOBeNtk`=1TW29guF0X^0sj$XNktx4RwWEBd{J$anQ@W=u>ChO{?L=L^`v(X3 z&lATx$YWuR@XS#&dW#`}23{ ztUP915&rw^b6UwP)^rte>`%MyUsq2FR6!F&Syd{Yuv_*HF6fPnaLT{^)mmVlpIu*` zUC$cx;=gZbyW(|lRtE}F7(7?cJCWxC)*Wd7j`22KmB0uBI_jNHhlfx3;L5zFPGnD{%?|AeYJ}s zDkcIy;VaP!g#J5oP?wrl00~1WH921vT+aXg5civ)UA*~;LeVPWmj7Rf zfMe&y6A9bMBoTXBzqXT_qG=-jUOeI6ymn%1|EMVI(~^hbZk)i7>*i6-d_fIKq*PXm zENMzy!o$@NRspV@g1V~bk%;@=Uy%I&7BeH4K>Zw#t%F5CP61k&oNWKV-Os}Evk;f6 z$@#lF?zuSXY}1liPs*CKX8>PPVT0?jDGQDOr5QhQ*rl&61m^Va)PYBQ4u^C6tBhEp z$s?CGGH5Q^8a^AFqAz+i2b<>q!kUcyy1kC(A84344g{#4uG&Ei-1M5&GemO5@vxL# zu7yp(eIkZ>HT^d*JvH*kA5R8@-OZgZFU3!99_cV{`5+&t>Vg)70PnY(pjD=^z?Iy- zA(b^I-*hotf%9#*AiuCnw=n7V~wWK1zP0r z$zvo*1Z3d>P?=(pBzf+aBxz-;X_u$3UN}EbRWiFlYiV;bInz?GPYgWJ7hEWyJ5Nhr zmY}Uj7j3eRZJ!9DpSV_>In;nh#PoD|?`R8tKiw&!2rS0QQsbp-a0@ zlVDrR({fo^-F(ws8SvhH=9%Fazf1m{hw}IA>}%3E6lLmNo3`08BxLCi5vhEle-brn zrv<^EeZh3(52=g|UwJMa?JuvarfpVMap1owG~Wld)L@mcu{i~zrfzS~4gIA`JMv>G zi&)#W+q)7}d;J7~kP9;ljMSTloGN<>1)nc41bKP8Aq?Mn9TAwRwUBr))TuO9r9bny zJ+CV=n$KgyojAgoF~;$X$TYWi3=mQDPXZ5!9!^hDf&wH$Q^p!#xwopFL!)-fKON>> z_X|?V%H}&x^lF`xC1K@05oL9Wd_Tr@Hg5j1yRn<=c%<-yqsuSHD~9b2SJr5T-y}B3 zCb8E14Jrop2&~;M<_2Bme1~kmd?9XwxSnG%Z~26V(tdiv6Su=QRX|d@AN9q-5x71# zG}LRiQ_g-W)E;fcSs#GrVvla`fI+~y0#Vqfx9k; zF7IkLwrlJ4<2S z)}h%E7S-6s=>azkEv=eMt#WJjvY<|Bb9wVFI7Z_` zSl7So}#vD8cZNb8@RjXc{LaI=0{sG3Gp>oGgR@Y zZ4{a0%rFw7slRgz_B-Hh6I4DQ3Cek2k{c}^MPW$jM18S_Z~*31Iut2aV(!!^eZxN` zIQvJ3E5>L**{~8h)1nrK8ETn~wYL$4FPqyPo{I%j>jB z?k~*DNZ;UeW#HF>@%r=)i(`38^H87*_!6>RZLaL0SqsCS+vZ!~hhqcc_ow`MM)59ZQY`W@2c4 zp7qjc_Ls*duIYF5)HrUhvVw}ttSo#0m3YjqXSulpzK>1{IKJ8hr;F!VP0yEMzRB@P zN!6x{f^>aSPG<5R6xo_OtdM6gG3lJ7#~sHHT?D<*!-)7dW=3^gtJON-y)H@6_FnHE zZr(F?O+Y5iSmJ&-(EmO@u-?+@w6~{+Du_;HYlzC@$NV18r;OP&aXW%ig>`6B!3f4Gaq$D$w~dT2On-HE!({g4n; zwi1Fzdy2SJA5G0nz1`3Ay15{u-1FhK$jCS0ar-g43r5?4h5!`ml=bwEk^t-K`Ca-y z7}sg_lY2k+#NHokKhIO)vHMGE%M^~X`A}|n5$J*PxV=!v50Q%ZJ3oV|LSn&U0k@Ul zs*7iU`~AA6fuchMiIWx=u7p=&mh`5H$rjUt(O`z4n$1$FNONg)faV%XZDjhRpRa*L z_(z#kJ`x~2Py!WyL0w*btAPJ5j2SQGkg4e2aCf|*prl0IQ>&{|AD2m+b$GE|Ra*HW zxf*AAD-13i0Ayz3v zi3`cKXzB8{3HH$d7actV3q;^Y=dYqW@_7&52-00lr>EJ&OuU%kyP(J2sfz5FyXk6s zV#X>GG8Cv@GybK3;`ZMY4uSE%FP$L0<*D~+B%O%WV zIW*#XQ*?a#my~Q3YACGExLh|jRar#H*+B4`xQoq0>Z_}7`uoHLBW!;T9=e&Uj|ACF zRG7`YP|zdvRg}o|1G}-Xqg8s0U+o_;VM>>u1>d=07}AaGkum`L{H`Y!BDX)6h@m2m z`6ItZ!^QSji}ndn6%tHvLv95szg8YZ98sjgQ=8HYI}Ty|uUb?Td|pT5wRwIM@V(u4 zUKb~CbvPNjI1LU)*+Snlw}SHv3R>BqAH6{ohvZq1NtTwg&RIR_Xw%g2?b+S4Zzxl)9j4Guu>edROj9bb&N*vx3l*&e#Hri_A=9M*S=~uil zT{JZUHjIPYgl^<=sYf_dRV$gbO<@r=5?gY@O7YfL%@j^sGFcqK0#TBGaOgQ8)7aLf zAI2yMC=m7^7rU1xi(>yUxnUO_9Sy7Zu{+!cX$z*T>z!{rTLk!*d_$O{;QcfhTq|qp z+y!(PI!L=(L}m46qOoVu=%Q8VASS&}N@_eOoRFnZFmVvc&mTD=KJJa}gBjWhT+MsV zopJDd(F=pu#r=CC3%Q)z)uAX*T2o;`bOP?FB{asRG57b6qXA0FK0Fe_1U&vQePC|56@n`>_iHz*XAhNwC8$R0{<>dkoW-Jdq}_WwEz4C zV1IazV?x!5et-bkstJw>vpgrWe2wyJyfLLE^Q3-bx(^<3sjMFRWmu73m!wpYLUhq` zw;t!y-j{^>ObNWjUHUQ!2?Ws50g7hj<&A0|MI|+?zLi%qyDBbtYS&-BH!R>ZnE6a!ncz#E^_T*|MY%<7F3aZS{mZOWl+#{K3 zQr4ymfM*8f*GlfUepUzWcDyz??ZACk9#4ecBK(~oQe$8XWv|wo8BbdsM3$zD7Rgc| zvXOynoe}!}CP3vKCW2o@Q)ka(a^gUp-L&hYO%l*Lw~$*~$a;II3?VX`uI*zJZ`Js- zaw{`VUghvLAKO~DZGTB$vULSM+ZGBM^=?A2RfjvNNTm6~&qEo+`sjFJ5h=CZ?_s`Q zn*~4hT0lq3P-1aGK@(_pv?3VG`1$=dlr_o9pay;a2prqHo!GmP=?R9&?~e%ho$gkQ z=eTjMcCO_N1FhX#7w_1b1xUamSl`--_R^Qf2hWewDKq43v%lsZZtVC>is56-_PIL8zsTEnJe}!wU zN1M;cutN}XwQb*<{JA2C#q6v7etc=De#0A`ga;kq_jD%nRk#%+AJ&tSkwNl%0Y!e; zZNGF)mgW_Bm>k2PKR*PksUza!({a165u{@G|FJiD)jf8z2BzTS;?l`mm~04#l^~(f z$wyfw^Si~1q(d(M%2Q=vr$-u+33AQMIvCsTd6c-)LhM!LVU^gTZa zu4u&$5$|^I5RgiXi*IZcj9OU4W03NbuzP>Dy6heiDgj$c!KZl%@<=3%-OPf_2lmtl zYGypry^x)zngF=)Da&%jz^wR{kO}LISSibo#nsuCsl^9NwDUiOhO1M;AuzIo#-!42 zZ*Ex^$)DpPr+KS*QM=keFsk?1ZVem6T}2jx_xn>x)GWls#SkZzRcR`U*tzi$Y0mhR z&?XTiSU6Y@hyyQ^Fs1)6xo#q~e^vdRfF7tBw=H_+@6(7rNU*o)@f(mGK)kz*l!D@i zF)O4`^>wLB-?p$a-fG%+$}>A{N1nupG9?Vn-qUoX~mqPza@49^*86S`5_3Ast*}J$%JUG1a z2*1^>QuqtBPE7nT|74sLCE-jO9mScgs$$&2PRj10%1c=ANNV`5DQm}3H!PREUi;5qspco^zq)$$WT7_ImI% z+2XXV_)m}RNF%I!p5nGI58-?G(V|nR_yOZ}P$$KmOZK?MtcQ4_Yii@0i_Z`lF9u`@OMV^mrilEy>gdrBeZT6+PmBh9 zX2Su}DjT(=MG=8uX?hsJ(a5+OP2gLIp(T%@Wh$clcy4Y_E0$YUH17(AU?j%C!x-Zf@$QUWHEI$zsX?n^y}9Q{0iT-sYH|PqLS%Q3#|301TgMR zLGC+P!&9#Ok!^N%mzSGO3d>myUT+>+xucT{pDQ^lKYxE)8#X}KN58g)^&Ra%AB>Nr zKuY2Bc?1hMIBEn_w{l^sC^)FV?fLFUY;{*xIe(ygKR!w;b@)d*0@69g-m9@K2r%K~ ze%U4QnrL1BX`N#d^=H+6gucWR_(4`zba3EL5Lf>JFGidUB1%YhgBg=9Yl&!%fENal zPfp(%0tBq4?V(zBktbS@6wj6B*16MLPw^H~;1V0`#6;^gG= zXVjeW1MFI=89%X6$9owss;o@-u^{o_Ya8aOSml2#1>vT`HdLnk!>D{elcd}*96-?C0^)=uCVAj`gSD~N{x3Tc>uP)-x}M9j=sVwq&7 z>S6;avCh^9D%6jP7jbR>lq|mW6oJ578^P+kZA23NwCsGboY5Zx@h_dlInESy96!3k zwcr@dL9&xaKJJRbjN64OuVKvbpciTocnd7=Px6}JOr9{a+6sCz>Fa4L7yT*R?LC`7 zQpBJVj{*I|cFHO^$I4Ip>GIu3o8CqBE)W$RCn7ZAu+VoikAnhUx68BR$n%JmO^yd2 zWo>lL%}c|pr)p1HlENG9_r=yL@lkAH9%&^xC_wx7%i*D+L_U`#2+68GnBjC9I?_S^ zE|RXH5$C!;au~4z+B~^EO^~kJSdB8u%YTWHdqiaB7UtG_9&A<<-+c^CDa^_nEl{7vZJu=gpelHw+8}ZDirA)z zasH}DIrydY>S_uW*g>S*9(c)%NmAxGn4QSt7Q>+Jv$?R*b@R>j@Uyism*+y|F_h0G zfps5Fb1aPMT!dOmIZLwERiCs~bSKANq5fl4pHOfLO->C52I<|c1h8Mu_9#4Uon%6} zmVTYRjz>;{us*Wmp-oSYrU<%eJ-BEq zdo*uWJbi*t2Xh6Fw4jw3X1LbBP1--eJ+j2k;2(`M>%SoUtwY~M*2YEk!mg!cq1HiL z$x+MHv^qH0(JGKy9G29DcR4r5PhJOJU%2TnYeM@okKI(x{y(2Qbnz3$$4e$Vo=+4sp+ccY7pFN-E4HB zm(_y|i_`V|J$h^d6t{3~-)P+g%!s7y?8JBcx-jdo+F%qz(XgH>e=52=xWWlyR$5)d z0)(z6(^8$a}>d*+&qSl>&&J~Kd^g8CY-%z5|@zH z{dDrcD+w`tK4(i6A&MBclZ3p=|5aD5m}NwyHVIQl!8ayDVA`(uyU*u-Ona{1N}jG} zAc~Z5;NFvL_isQhGM$t)gtiOm$A-g^oO2>~(L{a10wn?u_`GdzS7pVVvz&a-S6 zk9YDq9_;;vHaa46P@o$Ob>5OA&=D*MqG)p^5qO%uv@g@hD9L15%kkwA?6Py-_WzF8 zlv@b?;qq90!;_2zoNdWA;5%)NZR|lM^g@N#_$o|&FzJlfU(O0|nb&65eHDe`ZL8bE zoZ#bZwbgztem&0|!fk+TJZt##dz;zH+v$M*8f%!UrlN_BO|$0)w7ci~D?+WN)vHhA zkSxjtAGp4Cx7BE9T$!c}xoO!z35@VejR)WAQRal>b1rst^bAf~-2Qf86r|~Ao=QE; zm(3jg7(rAC*-wsqYC}B_d~13p4F)m)&8hai;_rm|-33i$F_F=ewMgyi!?B5xxc9al zn~c2aqi^AnuO80!?4IsyPF|L2tnRMX+D%huuuJ${x=yWihrQKW_5PdbOXFG3GYG1d z*6w#BkXj+!dqX;QMwRrWP@2@kpRr6SUi6!K55J=e zo=ht=hK4R%7~{Afb5?tS(|EdNgesnWU^9)0<->Xco{)_27ZwBwLt8fqC=MLw* z+!tn67;r02&_wrIUL_7hN#0!42yWQv*4f|d+L0x+8`IraSWJEm09|)D6h1}rdu>wQ zn8*HOey=8mg%(i;--i%#@ENIShM9KwWy(Sz7|~g^|T5LmDOVsSPyvtd<-Ls zi;k*TYw^)x8eUic*GIk_h*|Ba+3qzon!T+utwp|$^Y89+CE}sL41Q=#T1Xa9b@K1q z)q;WzmTah&c6XM-I|k~tCa0g0e|hRM z-cU3QkBWx#zI2EaCs&k`!v{1HcYPNIpl}}`Le@r#rZNpq(9zR!_`ZwoHJ)UzI!!Oy zU32uH#0;7pP(T#SE-!aJA1m!3 zD35IYH@2)C9*g9k9(~5c`8HCs+j7vS@%+C%OlLk+G{pIg68n|{9xqmo9G)6{TNMX47Uq={r>-)^-4l}4+B*Kv z#(@8D+aTFB4+4=+^RhyRYMI6uOKba3pIC~mjqNi4QU!7z@$-7`&Mhwy3xJ`b@34cY zFmaXP1k$?E{!cwW|MLG~!~4-$JsGLhAO#@$o{$*lE>~l1$9ZjsbD0J_fIgKi>go3C zQ-@+rY9(tsP9nPPl8+QM=#QlP`4M8JHw3>gS-{9k7Bs63p1u?5y6T-UOF#B9)7|~i z{yzo9EAPKRcgVzk;X;Ox9UhJe2c%q8*%$C!fizu-SF4vK4Js;HZ~!Fo5weR7-T(Th zGD)oy`!obnV5L(3nUeQ@6HAo(J3di=?6khqBsyezAB1#C?tTA9+_wS}^qo}M&?Xs= z;otlBhBmU3qX?qk&kx@sXo@&eN7|a1v>CIeQ2(hC*kV&ZY~9-=w7=|IoGMh+RMpl{ zVv3YH`AzY^3Gp+s7uqwGqb(^c3V%!vywg=z}!u^zzhE zRi+kHwos{T0gQr7bNC+Hj z$Ja=Jg#r{ja*I(%;mHt7G29n00G&lX ze{MKp(Q(RoB-rrqwizt_v(TY1J>0L@tp5MWjB(DKZI%xX(F+iG@YkgMW_|_lS6qDy zfqJT%SuyT1_6o)hgKns|!wd}4Z zU|^w*tciCl_cxScOxg0*U&lrcx#B_sHz=isczF{Rob3+;kOp;n$@7iiAGhwd)l(z0 zOnJQ@_}I7%uYOEf^GanZeEk2h_0~~QMsL6VAPOoHf`EX4gmg$FDbkH}BS?2QJRl;{ z(t>n%cO%{1EzQu~oXz(==dAblp5I!t{6iMZz|8aPz3=<_TsPV#04_pAL@aLh+v5EZ zL9ed=8v1{*07Dp{S%HTmjQEP# zUm#76TA!{jR8>d^Qd0Bix_kJ@5byfu{LoNW>%{sgq}R<|AeJWo`$b%3TzD=s);>v7 z-YjJ-M!M!NaTuTQVYrtN0yB!3{R``Qx8*RgHnr~}1+VuyC?3xBAJoV1e_{snsmHqP z4|%N-obyXc;fj;{wi~Scu#Z4rZdrS_$M3?VtBQ_=NC<;AM=R!u;pgwNHmbQ)36(Ta~)Tl%`f-nSQ!zTU4fnDFIwh>d$V%r7^9G**hCAiFeoQt}BbGHS}Bwi1-r z^OIE7m8CP}#uOvfV{80VLi{35!DqD{Q=CABTacID#fz+{_%Y0pxFPw3CLpCSS5ZxC zQlAg3!AH+DPaW7;Y@Z{%Y6>^>VKGjg?Fbz4< z2=B1Qv))G;@+akNpii|NOsx_(FafU4{{bPt{7DiaPO{6>Iw*3EhFa};UGm6h55DX* z`Q)VJsSqaJ_bQyvv`L=O)L(OtmmUcQr$pBe3!g{)rig&AqQtPGg3I6r$8+BvNWb)V zU%>Wu{$B|NUbcF_8zRf3^tr)uEO`b1b0O@{eG`-vtSGOqJ=8!=C4hmfJm^bY$y|aM zbd&S0C9^-PiN5Nsy_N+k?Dw65j+q@9>{s{4x34e>LA-hC?a}0_E2`9LFxiO%YYmU5 z1!2t7FmTJpxCWKW2h11_p%Ri3iwMbTB&d$a$p%gd*_dSbML66NnlWhPNM+`xo~*i< zstH$wM9;+g`@B+P)QAIxE)nfUJL;?DUBAQK+1gtqC%NEzr9)B_Z4~^tQEUoSKc%9d3J&ETJFeD}VTTwy=(n z1FD}yMzPv+9Y+p*W-1!`$|?JcB5#gWe8RssSxE}puvc?s>@28967F4Cw2X{HL+g`YuGw52=w zQfQ)@gN!tJh0D+mzm3a668Fy*?h3YX*b-RCkSu8Niz`?`|6$H$)%~-HFtEZbe8oL= zU=2cbfHhCHlB~CsZPv-s=9&_Khlt8T6-&owx2|VkzZ~Uf-?J!Dkh)0U(%?y`cn4F@RrA`b(vAS3_ci)tSaTJhJ_^Gr4Iwm?|G)?<1ydgF3=vQ?UgH7 zn~y3eLY}fPja{0#T@=yYfyFcKP=OzGz9;nI`)iM30C#S}!Mbj0Lhn<98tJQ&g&LJR zVd$BUT07^p`7ED)N-6eNsx3x$;UgZbM00sx;g)M z;D=JmBqGA(bL{W_@H<*8W9 zSr?%tTxVt)*28T)j0O@L>YWzDuBa7^=%#9}mC$-iZoy~OHdp5GO#R@Rrry=vW=ri!=)Z9O)*m3w3X0Yj)V9ic zEHV9rW$t@Zi<#(9^lzeTx+k*m7~u?gaFIpSUol*77A|^XI$S?HbUkSvDjx9Ex%pMW zro=)2ha!m!!tmhYY5Xa3ZA|!h)1FJ`?O%D}%~8kCB#*Ca2)P_~mvU$Y8Z9fMMNk){ zrTQCP7(-;zkSc0j{#Hh@{E^y!y+nfUNcDbGLG&EQznv#hPR(Db39Bc$cu7FFrLF0< z_Q@F>hYG3^&8h_Zly};2(;UWlzM$R}1*%9Sl}ljFK)iM^Q&H2(%1jj_4FjbTe|w|^ zb`$;Is&vaJ-vf3g)9@x2B_gJ^gFL@jrt(8a7?{u6^tuE3kss1fL>IP>Q*DvvL^>Fl zoBrdkJdhB7+~`|<<#nI(y7Gq#r@rV~I$AGQ2K4lVka!4kA=T7!IX*?}lJa;AizyPZ znmd7tbY|I)){c)*Ci53gI(unQZ&UA}9w#h}bSROGeL$d1@Wk$OGHsc#RGNlnCyt z%mtJTPUkM6_&^?gv#&J{oeP&JF-cDsp;MX8(}aYf{P?;0`oHHIRoT_)DoJ6W1+skj zB*~RuXct&83|k6({_G^E-o3M>BPi#fgGEq6L>qu)zVFsT*bN1*?G?Wa!EaTy2yM2aeJV`A zSL`UzfZKxWjm@peCjd^H4*seHrySU?xL7C7f9fs<^f8^2Bu5D>9GWXRWTFBd_Pby1A7tYST^Av!ktb z<1fCa(X2<4okR6pk=0WUZ^hV{u29jZn#}*C4m1@>LJ8d@Th1 zy&0VYLj11L`MK$@@ppEY&F8PrqO1fXJff0S_AsKlFj@{H%2Y6f29`+tg$6UhK~McVAq5 zjUUP$yBZEYztsCm!;04mLe1N`66u+StSR!;r)dNQ-O(Z$fcyrG5Ud&Z>E)x8fDt&6 zJ?J3Vma@5p0_{zMU+gF)z+AFhHcC8_7ssf-ZrR5bhEzsGG~6IN!Z_XbdNLtLB53M1 z^v61Uxo(3|mCtbuLsF9E5`7EyvE2I`$LtxS>cz$m9#%!UHhNE);oAP*-T-hP*$yVw zjTKp;!;)EE1F{d)XIb&36%>35KO%cgO;uZ_B$QXMVo&EI+`0j?+hf>2ENvhznweGy zRty9WH=aOQ=cbh_s^@_Llrm7_$|?@0{?uUAKF?dsI!EGi0A3`AG}NBHzL_w5sZqKA zYzM;-KII62Q>Af6zp=*qC7UWDp9Ia>V0`Y1($oO4omVrAwD7f$y>|kBcr zd*uf3LWQhB7gwjFlf9Ew6P^;_dDGqZOmn~a1YibY^*5p>gL~3skm!pm^Kn`6Fv5|P z`IRhG4X>(0TRZDwardyXxq!jMhRxAD+F%idNjdmXik7=ODGb;NZ)@CBa&w;twx5{I zQc!a5r|nx4`nj#&j5jIYA(4-?(+(GP^f8=UP9BeK1@d|G1{c(CFsgr+Q=M~L;>0pb z(!TA)iHUp}2n2x83I0Jum;u545+Bh2A$nC`-~u^Y&wb|LRf4MR3V)ru&tLO+L`rEL zRRs;o#kK-&fDsYsna(!aFbUrR(yl&u}K$+G`ub9~iXGNZKLO$KkkI>zc_otP0ap&Ly6@8I9r^Qrr@e;V}u-Gm9Bm*V}uu*4mkV?8#Kw5N( z1i3v_80Ek`RbICCdkfVf1_WeTNUNZ5`SDeCEtmRL^{gyDc4l4ykags&9K_|RfHXX~ zQo#Y|H=FJk36X_{PXB}T3tZe(A~~wam$#qDF}I={vb1*SqX!AhOiYUn_D%lXSS~^o zU6T&e@g=!EJEJj{lQz!Gzd!-31s~kmxluHYP zTGGNc14kBR_fuT(Pb@?9r!L1%h~N1Vl0V*e`186sG7U{4dgb

fK=- z?k4lH76T&7`xKVl09sR~KOKjo%*a4JU+XYgNJv0D-(+fHLS%Q$0ASC5B`cZe_*2*a zF4F=e0-ETx#OXBU)fqfbN2N_na)d}v&1TnyE(ThBuIzVSJCnL^_#Y%VRx(0g-SJ}% z1~a4X_aN0K$9aAOgSGx$uaL@UpM?I69B28G)rH%sW89(wttN*9uSV1bkHp_MH!k6I zb&|(U&b%$$9MC^t z5>XTLFn@UGv31XWQ=`9kLjASs)-BmWuE?trvZ%Duj#ZIkwcC@|D{1thEdC9C@%vNw zyu;1vWjFN}g~*kp=e0q%Ra0L)I|D7Zil722>~5jdZCpnq^M+?T3AJ}6i4qm>gK(pN z?D5_24<2)+?PY0Jb6Tg9IQ8xbAAc2@xhf0X>Q?^49MvMs2VLAqY&B3@5|ijP!O(;- zo_+^8_OdE=fSQM{D1cgrvObFzA>D4i6v+JLn!$ldDk7mKfSG$}vZ6LxFo$FBc7EzR z;Os@NfR`!vfs*f_=<0k$xh{%wX4l(8{|H8ak_M`lQLofMa%CpYwB|`h|6|TJ0JDOa zJ&#MGsbRk44bF&j(er>F=<%b^i-q1aJ?4xm8sOoAmdL;^&{)W&ZYoXWEMS9|#JDq@ zQ$YG>dSJFjLzI{(2_5F{ZGF6_aO?K?WkhvFqdSoCRA_(}GNXK1Q2`c{x;Sv3T|`4%{yc7pa8V;W0M1pd5fbO$Rm((8-QFtonBI@~3CQxZ@D_~l6^UPMG zu0=_$0^VT)IV6D&6bOE#(xh$CLO|U)dCi(MF~o_jb!f^k&^9)wfV)5Ohqz4tzB}7U zTf>)r_onc(f;)PMH{GuB`Bm1&}C?FLDJ?oTIE7T98G zXnFwF{5eMU#%itO-jVobvGfV7_;#^@YbGuP%~2)I5{=-))`+h)JKP~6k4#iH_|09d zXg9dI)t=)c!9W{NK}qQe%=PreF26O@$5@7AVw~-p^z#j`Ua|W!GWyrfTON2zg5vv9X7M zWI+J#B1!V_fF212g|rW46j=M2>4rnEPjm&Z0e#FwhAbP$j2=fQ`Lms!2~t*2ShIGf zpy)VVe132~F*!OuIqKkGQ*XDSJD8{i`?6b0@9WD*jG|JcDRt?*YnYaQ_hm{|!+fq3zR*fZ=68mIYJv`H?UZtIa8!M7^c=P`P0Z)C-j?FyisaI9{`X6}#;1Z*Ev4Qw{X;`8DBLZ+BKWq}bu~aBt>_Z5QMj?!BBW}|uKA$K+ zynhWhN-eJOt~f7;=B1W82seY6%<-MO3pZ6%59_#+V&toK%%%DSni?Lhtg?g>*<>yZo0RyjK!^ z`Xx3ShXm*UAW-io*vAIp*0Is>DpC;rmJnO74=6A$w_aL{VncE*(&+2na1C?|W55xg zONiUl8?wC=OAjv%*meyrZX9g+3skd~3xRHN2h8brM|@{WUo{Z5`jLEmXsDTGwW?#o z!$i|Q*YF5v$ohd$H>N+im9l0N68nT^!^pUN%p{Zt_DD!(-Lf8@pVe$#_wxBG>rH=< z(HCS7fchN&j|Sa_LUH=} z{lMzxc%=Mg2RZ!dzpL}+{06crX=Zn*K0gGlFMQ*CBf zR2EE9-Z!Ubq%k_E{JV7KjhYhkF9Jsoj4a}`xbKgY z4%d*IF3`lsMbzz)-%tR3mYtlEavNL``r0Fr-$7`)$x0)G8rX>Wuzl#Iy>M#{xbkOU z2mz1o9K4rVgR%)Xqj!j%pST`>_%Jm=+!oWW*TG*SP*22U-W<7gi~xktJY-~U`+NNq zB0n1be&TiKYHxp6e(Eu;N)61>^z>)eicd?h^g!BHh7;pbf0K9yf90xU(2+)6hkKlL%} z)pOr=J)7-n*vGUH9$qbfrwUe`g>=AZ(`j-Z$4ocHL`R?PEVxYci31`-lR-sIJnSM` zN$ImolQ&CLr1k)Ew?55NsGX6Z2Aq!YUvDh^{S1aYDF5Xz;;T~fly-ZNax8bC0u$lS{AK@m_bZ-<#p&?h5;-&xw)&C@dRbB zf7#l^UfsdL!eFg8tBs!fY`%t=!0z;MltjUbH4C#{JfY4VgQ?k9fwbYo_NIf=Ll}&k zpjTxp`t{PUviIX0L!&{B$BK7YpOmB%Zsv32YLSjpdfW!7shQQJI%b5i2kj$P2Eo$T6qX zVu3>Gi8D9bLf-1hT<%QmRfGpCUpxi6CQX!W_05$a45QbrZszdu--E8~mIf}?sfeoR z!REwW=({UhwUb|yQ{sE}A(F(3$DhLF$SL-Q@KtgNoK_%xm>JG3h_8nv)scjWVNXi| zpdhLTGu7uWq93)&$&!&=8vM}_ z#$ll^Ywqq4@)nTorAz-z^$25}z$af!R6*Lmzpsy;nQbidGd1iLKFH(?tQ;b%Pq7Ae zgVYG4{P9jfFus&`q>kpo#QfewTH8^sdN4G|Hp(u%s1xrJXF7b}e}JSC@1RX`!SC`d zeUqsF&}cc0Ux4NjGiqJ-+wXFM$moQjKkKWF&JBSXIt&xr1K!d~d9=~@?XMmTBTxvC zdLXxnSaM3vz_Rt~hw{7Xr4?zlTKD!V zsOlEmgN^jcROt5RNs)RN%J)yHYRm~T1U$tYhm$3O+?U~k$fph1gf6!|-A4gE^KNKO zZzvMZZ58Z zZVq7M0T80q{&s>GYz6O@Wm}+R2gr6-h$Q520cv|$gX-nCNfqGNNP6q#fCB^7BT$2= zalOTX?eNq>d`^D(- zE7vx=SCR?}yp%;tObBSHi1#_+Vf!Es^#4 zk6FBIh8(bLfwroE{Ui0dUE|Lt?LJxJc+Y16$ z%`t#&U^%N2gz%QOii*1^o6RDQs51+H+k~w~r2}cEJtGQ~x6MIJXl8|0RFF;lV?R+8)$xO=tXe$=X_DB*4gBG`T zsxpaE0rUCp;4Gy`El=vE;xrAh*#|i_g3=igiJ6{`YH{wR+Mn$*)u7Hn7W{NjXM`L% z*taar!xd@r)(##&3d`((BQRI6MH(=x2^*jSX;SIGk=(xce`9@*JhV<#hK<&{Jo?7y_E%QgnLJcs_IQ>eCIm)Y4(Ig=r@8B1wK5LfN~Ds4 zzMDbEv5(&TAo;gbhHB`Hy`f1?oehOKxc>wya%v+-oXvnNA{lE2tSr0b z)%n!$eK|ZBDK0kF?W)iB)~!mcJzO%TFchEdHEew#mg_i1yzP->Op&h&B9kN9ZWA(?-ou?%SF79C; zyOM_y-cqa=7B9rW0lhn~nP55JIJkBsB^4CcOTtI8)z;l5jADql30Kq5u;tW*6<3y0 z(H8xz@n|Xt-PrnR7XlS|&hC#_5R{O!i3|g5XRUA1B6$X< zFAlk(T_OOn5j?rBVO(_fYS$Ob7}@%IT~Yk6I%U3UkJkgZl;eOVo`6z|-ho{~fG+G! za8S6ofdizu0M;nDtk+0^&wk%^h0pCTqp4Z;gPGX?<$O9& zd7pGfnR7O_$_hTQs*TV**y^^&W2@~guz~V;!Lri#9crFX1ae_>vMkZKS!YX`dFD4o zn%zlyIlh$_OjvWd5E_u`{U(4{l)8InyN*NjQ`g$&dbg?7w+A&JsZOjbfvc^kNuS$l zBbZw@-C+Ir;t{Uf@m1bju=Fo+12lF+Fcbl_iH$2vCc8iMR`&nlx!~Q#W@V|pm-VT$ z0FK#q#q7cyf{{E#U#UuVj%|#kM)O-fVfF}ttQxMy{O=xuhfsHXhr#kvC(x#rdHKS?P|#z9gsVW@owViwAfQzyr0FE&WTpar_@sAkFya zeAo+#PTHtKDosW3PobuFyE43wTv0r3gr%$WbL@q)X?pdfZkC6=ntx~Jq6b_tCo4zB zqdBRi;lI!II|mT$3}xb2ZKPIXC57AH2@tws^#C;15lR-s7pf{_j0h!H<)u( zP8_gg`J6EoLcvuZPLM*dGn6LcwN$r2?VO&r9R8*zbaiF{&y@O8b-2I#;>X`b_+6wZ z9)phm#KefTjSKHrGvk<$VUE3vD<^|8HEoNztCOv}Bi-bX9&2 zKSC3wNIs8^DLI;7!nL4K_}8fP+8;9)He{|RM41^G(+tg3cUasBGG>c8PP)2>R!w&! zf7?={*E4HAJSimF1$yq1lI3meK>tEif_rs7kB(2?URL_X#UAipT?tWC;*)D)v$+Pq zd~FZ@;Z;f$-}trE#S$~mGb>3x@_Um7oZS!53iMgHoCrP!WkCFFE*5$vJ`-ScE}7XZDU4%mF}zE$yw_-~J6_qxJm5>EW$oZ51ZA^UoZ* zx?rHeZYurrzFtS{76N8bi^T~gzCd?m$caI=*^ru56&yZ2F6&E9>xS;Q9H@ZFcWA5a zORCdXtWPs8XZtT7!$6lG6vV-?bN)@iPdtbTxS$_AriI8y?1SEo45utNW{2b;Yg*}O zSDu@*l1)Y3WAzPg1@N-SX>R2~)6%b2J`Mk=vEBFI=VXTDwHfvxLMw~zn3hM)^wOx& z1NiOBM{E8^gcHMx8t2#PPBcmTe*&1Vi(H?4${Gdu)cq0tyR#c=!D=1^A4tG#Zd3@o z=JukMTr&d5NSf*0~<;?=L2T(cVHH(zN&??v8Cm%FRe4thqM zVt8nx6a6HWX$Z1}d8Lv<;-3#^&Dv6O|5jEpH=dJ=Q+N=H7FRLrHJUEwcFBKX-W1MI ziZksg`k`J#8X<0)8z5{D6+q`(*phgjl=K$Mdpa*BsmBv~hDhR7o>2IlH_xyPWwQM3(e32oS1U#yOsu z8;-|`|K@0qzQq<8a@k1?>X{uju9W13FZ=4d;%RdQU4Dz z%1B8rX&}N!j+wC73g9r?l?0gS3z+eFf22yHjz)U%YfNGO%h>sWjF zTv$G*Jjz2n*US`Bisb(Ui5cMB3O-i=!gunKtF@IitWu|QLt06IfvW$s>^gLIFA*B4 zz7>w}?Or*ImGT|be5Ro$L|pYxfF+`m=KbdW)y;k3_5I6nU~=NoHp9nw_V^P~lC0GG z?|g7yUWQBglh$Fxy5i|RGo}*I@8L(?`qBQa(ZP?b&;&BcW`E6!>v4B2f|5qDH#bpO z2p>~xY4?=~>MU_Wce;2QT|lq&){B7Sv4FtQKn`lg#(F)xV9Cu5u5#J()0iKfTY-%5 z5(VgL*JpfYxU@CUH4NTOv~PCa)>ax!)a6J@b$f*W-rF@y%gaz!{%m(IUYe1U=ohhe z9JzCn{}(F8NCI-FwzX>n?Xye~E)}bG>QZd?IdgetltfAcC-_o(vch>%km<&*ae5Y> zCws@tT=R@3G3wAHr+d#`?<2qx?XUPtpsU$WCVlSL1^4unC8r=1(&i7SQeBGGWMT0Zf zg@JLbCa4W+DbtJLsk6^XinxCqhg79p=cm6$lBC7F#C0n};zN{R;TTlxm(}V8_m+BqwQ7N7qY;zwGb#4C7?+zi)Qh;00Elrx#S#)j8rTs}c0X@?L9 zQJ@?ji*hv51ei}$O+0br(1)YkV><1ZqYedWx zaqU^$isV=fjN#|`^INV{_6ztI_K_-FtA@^aHd-bNiU>BKdR1DLcRH@okM>O0%7Q#f zd?lh36zWTUzaVWJO1@4hXEHCKSh2whSuVm*B(@Se0|>-o1W^oV&2Aj2dTe6#%V zrfV`#MV@(NNh5ki<#-y(Ffqy4DQlNh)Oe5NnJ`$;zesv#P+?Po8!pq@#DeN--c@?22;?05bO%G5Uq*wv=K zA$nM&gmeI^|K!BJDa&uXDC5I);g#BE9X+4(z(fPnO(rYD_# z7*B;?T*bs*tk_vz@v2+19=?@3@`5a0<=rD*J}%iu(g4E(8Yy2fi<7o@t!o5qrr~Dh zdWxEFkjo)8h0wa`4{=+Ebl@ z6ri$7;JefsI{!n;CWRF8z1#9t4FhlW-i^C|IHrGpM>UUYaN8JCCVMpE7qATw>f7np zlY2t?ta8OG({svbh-yq(7V7{JXT1(*cv4w;zv2GBo*!$*_a!!cwR`O1+k}1!RDyxO z-KIdriu@@%LsZ(mx%F>b=>y>2h>0J!>UsMcXze`S)(;E)AI7=y?TAwqN%Mo>4*WVC zV8GQnPNe4?^>(_v8psQttLu%kz0tc9{=Ot?(kJ#(lAM^9qeSRan!NQ-%L}v)V~EnD z@K`MM;Uzy{;|;=~j*&XfJ*d-k{xS)C{5x^;7i=HnOPhA#x})29CUHV5rc!juL? zsE2(2hMp~BKlgq90v~M{b+P63uKvUZ7^DOHPlN%3G%`j72RjBlqN9}R;k8QRY+wS} zvaJhoHTnjlmaL5UeKRCAGE$~z$={51_0nJi8;`(P_Vt91$nEOac&(;e^6j&T{p2AL z^cSe`9lt2#Th8*aX-&TKuWKF4$K~U%_>VuHPK6*Yc+hJ&790M@? zJ@)JW2dse=A0J!-*qGu67t9*itNl7bZ`)xOkvd5;>duu2NNHIh8kp$c?bxRGbNg{Y_`xHgcLm%-2{z%6V3__V2U}*qqnk@Z zd$u`N+44E5#unPRDxf5121nqBlS=SO1wOH@2Y7nzAXni3ow?+6+TWaA{mkm3S@7Xz z9XQ=X68zcOMuJ^1lA<*9zv{9U8@Yj2*vQfLPsu7U;fjo5A&$jnDXm%`@HaZ>$n}-U z#NXpE^D<@R)U*mRQ;)pWloVB1jLF%sr9G}-2oMY=E+n96fD?jym+*Gj`%|YL%)I46 z(dZ#lW+X*5;3@y>(0D$#op$2Jj`!-U%J~&snI24cYO5<`Gj3b$owW4i6}16qB@0;t z*bw=DB3Z1ze*ps#39TU4gVA4mES=|2V!XILL{*TD86ea~^M;`*^9LdfH1`2@110SC z0rCjYOy-MFrULh%a8nS5WV%t&+!HTAKcOd5^k3vGUZn7XlK`a(R%n z=b=8faqr1S&;rWeJhKlVXRNI>gx)SB8~iCOS~=3rrT%<#m;#CxtLD)b7yb}M$~LUf zdL;DpKiBS%pWge;-JALx#auCR3i%1kslEBatOT>`tuoJzL+y}1zYj-Cq+-mM#A7X7NPyItkh#AxFK(Bf%t?H>;4hXZ3xS&-?rTsEYzE~cPz%-8d&actSx$+))oj|WzcdUz4+ry zza1_6Wv~G`bbrRl{_NWt?7jWiSpV!9M(@+de;o<0wL=@h*fVzXg{|%R_PGVCvFcb5 z9b>C-06>kQ!3MorW1;lN(6)3%m~&VpyK$So!fa&SgY{dw2U)WlK%0Qk?|IJVSnCa(O)$s zM6fyNC{?HGqqGAykW7LrAN0F_(t{mYPr%LxEaWZIoZhn3(d^n8e4v5@4_2B}pr?U; z-hsYzBuFiQOPw!B(o&b>(<5HCvB-p7dZ}Q0P}%yK_L}#-qNL#XoNCd7=)3p-wx$~k zaM0Ak`mYQ$`8^1wh1q-ihiQ1Zo4V7C<41a0tqMP`z5}JGhZZy?>qqkNRh(#yaUjsQ zJe#06y*`@ryttVufI8cBdW}$1_Q^U@GCEcdwvQwOz?7DSEykwwpRIYL$_Bdjh$Ih_ z!@%-_91tiw=X4-sp*5c~ii?Qo{s_?>_GP{Ucu+i?TjSp8GhYrWL9+3UUj{=QG7Q#k z{cg;^S{#B(uiCVW9qx_z>RTMiaD|c1JDxg8vFniC+g_-b)(!PFe8;$Izv=Xxm=Evz z_)V0cgut%*KEFG&{mGa~L`Po|ugiT3R$9lPJBFRIfVY6Y?fr7ZVZ?@oX5HApMCsig zHf{{jbAH0tOUL{Cd0;`oWz>+&kOP>eih_n4e4rH!Q03E2d6?izI$&h9f#4NbcDsPs znRUYhJ%<&F%uDokoms9p?yS~;Phh#hN|MNrE0%S-*bn=m7SO%baM38GR3h;N8F}*{ z7=@8lo?pMebf{JLIEnM*I10`LCcWBh^$DmLT@Si2xH=pzdYt_0%h1@N3r0SB0dNXn z2XFnP?HCCpN_~tpX1X$19)zg>ggrmUhCv{1F@&8k(b13gaL?kE7E@5xLx6RC)KS5L zfpw49c^icCnY0VpJ?fsY$6EYXe_g`-(z2W0U*v?NIs6r*&`@;F8& zO=~dXc=R#13>Yon39sj%Z~zF?n3X1m(ipxq1a9UsCTq)8ns1NfpTHn8#NC^}%pf<# zrt~iJQ>)<=nBb+E=;hpRNWJ8MP7y5GCi$0<<702h77I&;LK`=%1#6gJZSE1sfNxjVqf8R-aC@3ed`B>) zkx*iL^UtIn*si37{e?(}O;|5A)4?M1iurOp+lo;Ku(P(?sCP84{I^(hD{6F`EWH69 z1D#eGo0-&`5B&ZwHKk_F<Qlddtko)=H5G}tmVlFj}&hBpd-|S{36$;#DS&mqleJc88rKQK1 zI_Wbrs+eFV)q%ZJVN&SLqR}B^enH>XNsPknhYvG+fe-?0Fp;u`bNZz}7>qmjn?wkV zlS1=L0_lw){E4D&-twvnJ!YLdq`j@>_!u2kB_(P7f2&_czd*WRzA<}Z;mfd?3-^}x z-p@j9LeffW;2k5-aH+erSG%2z?#bQm&~Qoo75_)Yc;$`Q8wYiDWlPHzBR*UxfAP<+ z@Qf}!S1t`K!4FfauZ0&qBv@yD*50;FjJ$@~SBxi78a#r9GCH57`ad%UBP8~DWymSC zrNz2uN-4jIkwYD)Ft4<*&!9j9;-X;OUE#_B7;?5-AQeZz^GzZJ%*JS+14UxJ67u!C zGUYvy+wr1B*GDjBJl5$e!T)MlR2)mcIf55|q8C-r@)aVrak=r6jX+2~{NKB#Dx59= z4hrds$moJhPEHtu_DAqeAXNV6f`S^^@$pUBCvXN6n_e@O7lA=-SL03RI}=;|Q{Kzq zGFiI^Yu5x6Ba_uD_@YxLF(PYYbzS54AB;R)oT#qRBwkr&<{p2m4%DLuVpj{nDhud~#KtZn(~-+T1^E3MSFmMO*ygaIuc?qnjL4v^ zcmsPi-G?MP%$X78x40T`TEnddBy<=)kj%>Ala(KiMrE%|;nmJt;3jvH(*@Fy>$;!V zb*S$8AkD_&+UVo=B-h|S5+8l%%W9Un#knu3OiiU>Y_bLeX=%95mMI57#j=|PrxHE| z5(MR$m3vwKc6Dd?Ac_u_BYUYi9C|GUHKp4VwNxKBWNgCg__=SOX^Kqtg9!}tl)9A``pf-C?W{CU6ec9=-1B>{e^5djlY*fIhmN$NKx1wZ5CZ z&;|$G4=Un@7n;ZVJyiKk>=~RR^Ss$cuY{A9dvG|-C&Zs1Y>#-(XfC}bcDjZ%jEaq3 zVRFo4(EBTC*yh>1s7SO$s^#1zDP>0O4q{Nj5UKw1R`gND304~!0jNAF&<7wBZ>T)IX-mzF;Dabr*VSzUa$ z4-x3U-rSEkAZ;J(;7IS3lXco~$it~}7Xs(Qgl~w6yt3h;n@mm<>D3oPg1zhl3D=>o zuWHHqc62D(<~)~XGVKhN3qeg9N+g8e%@k`*j-?GI+l*!fy;FzWJ$oeRm@k8)saa{F z1gxftg~bo)S1!ZEn)R6R$w#(WpL7tA>4kTv#|TLTq|Ve4H6yB^ADeGykF|ZME)42!T-B<3H^VHmkmsbPe7@`z0s?8 zEhjIJU5t^2VO&ndVlF1#d!*D>8ub*ZK@1F+6c A!3$=7|#bk|2I-fc72yqn3FMT zeAL3ZG(YQ%^9skzG@Ir1NpuVyHT|fZN}3#%DuSE`$YC(CjWKZycLI}s3i0;xQy7#V z%x1!hA1l?t^x#oQv5NZkNRThs%mV<~1z=O7fEZ`2{L$3I9&zDfSbIw_1l(ZpHmgj< z#4PBgc}}xSzVLIcVM#;q_-hVj|t`L_0 zn`{5kix{(dU_uzEfAkDmjQUq90Sc|F8lYr?785G`@beJBNP~wJQ*hb(vi}K6BMtc4 zCEQ^)G{az>qh`wgn4_?xja~c6e}6V7u;VO0$zNZPmK+SIxn1(3kB86``nzfGuFma- z;}VW0X>o(fDp)OTO8_R@%5}~5@cj_RRmZUPFFVR0R{ma(8_Mz<&X1#r1J0 zuq$;MXB>S73?oB;n`7LcZE|xlHWj-W`(-A@->cRcbS^yXu09Ir+88JW2Ly~% zX+P2=f=(yMfInUz^BD{XY?hB6&&1_|((gW>?efBk5ICl5S)5AO$v_lYYZU4F^DZYm zLz7CNLCFJ}8;6pB2_9F9DrZxKZ%{||fb{wYuu)VWO`;Um(zWfq)P&?Y`l1 zpyw`96@?TMK9Mla7B}VA?g4w1rEX4OL;HkB*pDl901yM_zIsXnqpr%blL?Gh1LO`E zb3CpXwOtghAs4QrXla-(NmsM7q=w370Dh&LbnwPs^`VObbmTAa){m8RD7%-MrUT?Zwt_!S<=)#))ebkS={y`%>U}#)c$QDb!Y!=v&fVhJ+ zg#`Hsy_;;^lm=ZA$Hd6km)?a@q1Oh-i3&el)j`vxq>OpmgJ_J`Z;t+0l^f@67+9tHDuo_+%9|Xk8$Y`w0Ts$oakxA8Rn=95Jxp7pGxn(0s**tfWMMe&$|M`x zX(#n+&+)(^|9rHqCN!xHvAGrszGt}ckk%IX{Kt!^sZZ-UtPHxf+gKn2x|T)(T`-xO zLOICe%|6x?*pj+VHl~%~(jj}Lq-7@lAe#@P{g!5+3o_jtfl&@i=I#9I^R-BId7Sr0CvYZsw$9?wDKYnx;oY=#1#= z0ggSe`{{wBvOW_S-M4;pk+G)qq}{;1u^0q10g(y1?UoRs$HgP>kZAm8VxT%;dWt{! z{xvHB%2z$gBtF?w+Y%2CbWw_No%WHjk2Dd68`y}=1t5OzuE}@5Z}@OHj}dMseK?}2 zTOC*O(oWu#8Mc42pbx$;xZId*r**Q>K!Jf1bYIWFY_XxZgY<5^P7KJ|T$WLS8;Zzc zeJ`|ua;IKHwSMLkWp;mP@3j5;&9AUn-miNji|f*aT-oPGQBY_S^Zv{w8SK5@&WkXy za<|S}aGzU@xd(ouU_!RdyH-j;QCScl?E|MYKoT>V-t-|e8FBkP21Z-WdiSq~-|%MC z@nOFr{#Y4jXXWOmX5_r|{1;SI#SMD{@jJ*U2x>`7XO!pjaC4)>I__D^tJ8zp^+Jfb z#|Ap&$uSw#8u!3+ENEN8iXA%nIB=1H8MYuE4c!Q?bpM9v70%77OKw&mJ?wpK&@S>o zq>A!r_E?-cTFiNeIa$=W1DnH~3uNi1LMYEVu5*5rmzx8&FJP_xry~jGcgFaCl>e-U zGYw(AJc@5&4gGxu+RB}So`S3~@ zI#IjB3pAM5(63~mQbY0z=*cxH^Td5F3|P+39D6)9P69fzlk?+DZ1gK#C0!+HNQ6AL zxd}~!R>xTg9|>e98<0b=qawMc)VQan0pi_sm`s3p1)ZrLZPZrKdV*QwFO3*(xr`)k zoe*z5?#4f)r>4^Blz=B6;1#WJnA0ZDn6JUD^E};O9NGdHucE@|zHUZ;NvR|j8w}WY zQIX5)>56kZL@)k(zM(HJ?}RA=yH)Fq^&$!gUi~+|@&qZ23M1ePP~|G zoB9Gysi4!Qc7p=5wl5|bffC+W1WE#rcQ4GVTk$;;``Zx<3pz=O-nAlsTu1h3y^`wE z+$)z)%&^D4FNz&ajdsT@_q|tqh2Oyrc3i^2ob{6T06*j~{Fzgti^4r!=9X2|5*)tf-HT_2cO^3xGh!^8(WF{oaou}gA&kYsFVrF3f#Sf%+5iFU#K^5TRkKi zXp_K@3eXT~2r?^<1t2=?j zo@FYo-92831n?L1OIwco|H5?t6Xsh-frP+r^Am~6Bzyc>lt5N29-NRHYj?|heyIQn zs7OnsgYD51YwuL(xJEogjJ8}|=9U#ogKP}x!Fn8`uh*!92I`U;?`y0G1Y zs3-_1U4o!=NlK%LbV)bT(j8J8ML-&)yFt3UySux)yWuYUzVF_D?))=*7#QH}z0cWe zt#>`|6Wz49vso`A#WI%;&*Cd5X4@J@8)52Yk5*L655U0j7a^{ijCQC}gnMty*IGlK zaj07zLo->fC;+KDhNvi_z-S&-7S!q`lyQ4fvzc?G=_5$Kt_g>4*QmRyE{qx~^RYAL z6OdNE?azn7o}NiF{hnoL{nFbIQoT)4~Gvh1N$py50-Eq<#o0N-V&oiHh2M zamOS_O#B(#EBd`$AAs4JzNkUI)>olG z|I*ddScCvVpXmbKk#}~|Ad)B`rj|9uPH=JVA37JBRdV@woi7PsGZV3WTRH3zL`p}- zhk$H(v?e`o#z9r4>%eR&CF`WMjQ3y{L~KUNu71(h(@dh5tp1;S;hS9sOdMY1-BO@C z#F9y@OfwbAL&0E-Z2bSZUx67wnfnDgBZYQAJP^+wBr{sdgFVJy0rM5?RUMSEvfc9kuT_c1z6 zXInGN4i@_Sf_chPb+yxy@x8H>j@&keWV01%HfCpIGwSUxNscym&NXWuV5~F4@>#~t z&Yaj4vHd)1Z0<{ZwX=SIeAd0=qm#jr0p)!A5ufE^pP;LpoNiiLF>G43s&6-inVV5^ zkjc}X={PZ$GQHoU@*qULRrFT1Ol#sgGc&5zt?g`m(qN%FW9B2L*oE#u;CHBI^3tAw z+ePozj9P0i1_Ac*V@>sSk|QeNl%mp~j2Z^D<9ZkFv|d%QRH<9#lJWzOXUNA%+Ph?= z>G-%C1xhrC?u@p}3B2;g%#6cZ(+vC3oUeg+{$-Z_7*S|b&p>9He{xa^MZj`7yD~6I z>ToQ%{*NGZ_;zS(9||Nfnq6+-ss#br;etP8L&gDl7gX!d9*YweTyC8SAC?FlBN-46 zj1JmQ#4rFiHd0p6T2T-p4Ai`f<`>3cKb%5&65*Wr;D3$P^$}1?o>>+gSQZ4`sqkKZ zhA?5jBs-rS+cfl1{xd@o`F}`e#9a5FkLC*;r}1!uLI;-CaGkzW5VMR8b^N$q%@Y7t zZ!}@RL)3_=<^Y~EGov;pC-z}|!q6|?iyj0&5ltps0S7z|JSw>o0$4ulSYJD3Sf>sw zP(_gpLzqU~W@}C3vz&sgGA7!5QhH8WW;fz~;gL0C-qQX`U0g>QUu#e+SQJYdH+iwk zIi{eiho{V?r@fuMGx>T?0fHJNlz?7RI zu0q}?0lXu@w)v5(OHCDR1gFh%xkj%+sk=<_sl+nm2)-J%Dfwq!*nM(=#RTaHpLd9Hl&-j@5DyT5kG;Zw|itm z6k*S!17G0BYicEYqFGwgOm3I{Rek!4kF07UI#hmm+Bs^lx2tz{Ft81Km*>UE>+vBW z$)(9ydpeEr*W+&O-`A6VM}*mNvVNPcNAa^`JDg13R0dXjh%Y#vp4v1|y3Y0`HxrOk zyY*Fn1{`)YFKNq8SpCo}PTvEFFFsO=V)5X@&k=;*jJ?Ig;4#PgotbIK5!J409YBnXilfXZICld99+vQ79l2UUau9S4hQou!3+Ezqf z^Nz08kjfYaCS(5fL>KJPq{2)e2FY(uiP1HYHL1j~x8TXG#LG}}f6TFoTS2-rInL4^ zFJ?&jqe(UaT_sVvUGc^JvqcE9(uWNEhImC>-^&-g^>)yh%Y#leD!jy2GUXC50Zru^J+8qHqo2T{9AG0WWLl5Rl|h zFMqp+1YKE6r~Vm-$j%?NhbdB1-y;=267j(vo5y;^_K;6Vh;JI2DN-8SYx_yc|LT2$lld$;udTlR z?sSD!5lDaXcI^x5#6Uj%8WgG#rY4m(@D=ph@l(x=+Z8g0F-L5gRZ0ZV!(-IcN#D%k zJ+*J9t5!RJV*{%ns;sSqy5{E%-;AZd9}V$CoO##uSl&>yjB5*lMENXT2HgGa_jBT@ zkPeo5)tO?N6kw;7C^u;`Si8A(Vu&nCrj9aCH_tWk&{qA~?O?<6A5EhwxzsbxtO1g;q%x{m(ku$oSQ-5YA z=HDw}^YQKl0|L&qOYiYFPDnYj#(s1pH&K1ftl5m)9)t_9PeoOYkCkO%c&DhKs(U;h zYUXnjAhBBM?skg58@Kzos5#NU_x2Zmbb z{VYQr!=P_r>awu)2F;4sboPf?!CUY|694>{9P{@|{sXAoZ^w(1KaLTrf9J-6j;sun z+)cm9%bPYQJOvx;Hpw{hFri=W<#q#$Y|4@4z&~LAe+B!$@^`OIn%8|L2>43YAtqR(#swg5e z8?Uw+i+f$k&y3g8#)KUf5<+`pNf^d@e^RNf&jnAw`8(coFaW5~vkoVhQN@ z)k3>4n*}wTPCLMA3OB!7<9SB(23CLju?@8K*fqD`!W2uiyd=%@A{;GDb0ya3_%%3+ zc;D9J!?JT|5RpW!H$XO1H5UW>Nn=J07af8q{@+g&1b>3_m9PgX{*Db^TU+{2T~bmI z!>XITDvsz8Ko@Z!4H0t7xdf4Ia80W z@{|iwG)XcHB7skxvZ=NS987lwGc=TC*HnW4lJoY$q+8I+(RypV#z>IH{O`k9{}1Z< zE)n7nuz^f_dZqzi-=2_DipdYnwsU#hAJyZTP7NS z^kIr<^jGt5Z|}^{=z2sPwjyQ10j9BGF6?%L#rNI;ij)65llO6?PZHm0j(C$=@!W9~ zAHDYz7^+pP2hYLQq!BZVLvwxgb)%-XK5%~g2!B&|cm3(rJpB9R2HN0s`g}ViZ3f&L z2kYC#Azb9LOXFT>xH)C`^OC+gN7Y<2&Q<1L2iOus;j9rY%2&r6yX0%%I8|y_Vhx$` zQl%rq6yRVV2w4Gk>ClCNm?}%Qv~{3-fvO^}ZlGs4{qc$pfJ9_@_rUYh%rkbMpNuW8^e*B^)4A`Ud-#~87ygw5pt;~X zWM~~ZsdivkRCh5N^OJ(;QPG=5?A-18(Jf=cnTGbpkd6j)H(5hJ4nIlLgTi_QT*fnmHHp)}b{X2tyf{sU*;Ug?wcK;+`K9h;P#&oQli_Pw>+E15scCc{(@{|+JW#p#u{`E(AA!FiZqs$bbj zLZC3EjojzdisnWoiCQ}7A#ac{rKoTBx|F@Lw7gx}`I*#AzxV9G0&*e$Y3E8oB+L!|aj)k2`F8;D}` z%M_tAvgI0>mKUo&JR))&23qC7_BTx0ZZI=_h<+`+b8~fu{HyHdwy>MV-Jh{rtMJ8_a_rbb=PZ~X>X@1ci8#>St|FU`lMN~(fo=3@~P%D&l#Ycb2Jgzd2K_6ng;>+ zvd#HPuwH-Gcrk+MZF>SdTB*0S|0WxQHiEwbsZ3U?p{K^vO)i63a*ez73i)>v?7l?U|(oj~mEEa>A4pMG;rL&@mUTH7>`t_c- z%tI8>yDM+bAM#lz%v1r8LzC9vqswX_qVtp2)-yaWbo|f97%*;^E*`6J6i~>bJxv>T zq+-TH3AN2#j(jS=D;J6(v^A-v@P@-L6JPxG>-7EZRL;nXPh=iHPCvwfeD#kvLoNe} z!2^_$-=1;gXy=!iE+LKWu3?9PRxAOh-RpL!P4|7@+aN`U`R35!ZZ1Uk#RaW*mhZ72 z12cQ&oYQ7^6(HOvDH!hRsa5fW;fn@)T>Qz+xiT7i`i?xB_(g2KN6BxIWCJw#5ldu4Vw{2mXWiM0{lDL>5gsfU@*;CHXe2+ z^13%~>Su;pB7DH9imVXXK?o?D*iMv?B4t&J6zVcn$oS~#N5XxY}k1% zrjs^K6F-El9d5>x8aX=hpqI=nSkKlmJw}k!wE_p^b8I&*xhwc4ima*{7a3>x5~aFz z`pNw^^tBCax4TDt6to+E)J)K|p=;qJUV-eX z-?6&M!URaOqgjK87}_%86xTf z*Do4l+to?<3;~rk`;r~)w3Jzw1_y1e9zglE_@(5_gn&IqviJ4XBO;*egL~h&l%4e3 zTO&+@eAaRzI~2k{#li^3$6cSR1i2lubKtRseKFFt-P05?iESPaLGrkWdUCEx5(5XTcti@iTxX+`g8(@~5=murmq)7Pp}ZdmRp~dX(u{{XmQYK? zhnYXJzNW=BDZ?}+0#?V}a;{m;zj@0D}_Fg-F4w2bUhiS9KE*!!FTz(#$M2j@DN(Btl&5yVfGg)VHb z3NkiBF<=!J|2OI1 zPpjcJiEr%kQ-jIp+Fg5{WPt{9+te^wQk&VhL9_D<{mHY>2F!D0vuGJ1^d(4|vE?b% zz_>eI7qhvU8|4&$$>1@nGvTp5n7l!0Q2*wx8*LlAK0x^eOf`1;__c)kM|I=^DBB|G z1CWGzHE9qlk+g+X;lS9E=?tWIoM0-FYPgnYg_Y*PDxZeII5E|8yT6h3fTvF?0VMr& z=ZvSUAf>Of5)4;qf0Ns}r1iw^!_6|H`l0@dk2ph}xy8#XsJ>aK-<%oQPG1GZ6BBP; zPFDHbVWW7ei0-TT0HT4a)Y}gjh#sKQg8mN1^&9@d+V2+F2&w_b=d9D?(#a#Ue<%)z znYN9MZA#y8s?exz&8?`*c|G!RtYD^3&UL5^&XdoYiHYogTW?V~G{3gD9^6uwF%m^? zS9htNd;0pZHL&B-LE|6lph%$(*&Gx8kTW3khB2u{Ty&io zF<9Um`b>9qEbW}77wF|f{}g>}kN+!6W)m6MRE>SV-naQ(P~iz09_zsZ>0exKMaR%~ z5M%XP9?nF(m>Xz+05g@vu%KWLm8XSlvHGwUW;s-w! zpcD9#2dAw688(bmZO|>se_Zx7Rrz&j*6gvm;xmZKkFWI~K?GP_8yvCc6KZ2;@+pVW zBA1PYQQ`&O>0AB^Vgt)9gd|A&bx$GGd!+MSfri#s-?Z|W(Z^&_u_hQWus0NVH(5yX zTUZB8_=s%Hf;3o2meKa}e`_d#Tk?qUghK^d;;xBzzGYIZC%S@0iZqAi1*B4hwsj^> zB1e&;oD(KO<|Z)1`~uW$C}>{IT2jr7BhkjSABcng*|FS@eK0si5gC|`aOVHWP`=Y? zo+>mgs`+#k7IZsbWUt z4({~tG;*5<4-wqZ5}>T6vnWSUzsMD<80)RymjCqG#YcGMp&fvBngB)q)daIRK@zL}CNPCC*kG>Xx6=Ha) zevi9Aai~g$oQ(hP(gSb>dlqfu>2VAQuiDT_CnA(7E*iB=`nNCvnO|2@!MZG-`*q=x zUZBwX62}SdRV>gycd`%R1BP8qG${2|Gvtkm z6*2mCrm-IT@udb9yq(JbHJefB5PN;^d~cGfOhK84CA=b%y1BCYJmoVb&Ep>a`k^uH z1(sz;n~M}VSAhr0EcMY8>S%!!@Acrl{O`#o)%pX-UaIaZ{a}u#4$2yTW=L)3%3I$E zIZco_jCF2?9^G4>mxRVF8m3BjX&yav;t1vY)-fkj!k0*q7c}afQi}E19{D0pmB#=x z0jsuy=Ie*72PMxb9QN#d;pz9DU(UCO8q)kMrAk6AeXFrhKbKM1c=rHY@Lgz35|v++ z@te0_n3U-8XJ9ZY_eQ+}--nN>kV(^_ay*E8F1U-_Z<$tiF=yw={gd{i41=$g?`syx zpEaPfDS!npevBB`Y!6s;P4XA6hISEWA$A!U|((hL!E z0e_PGUATrjqPz5)Fy;zjDdE%})fb~)&3E)|?vtP_a*j?fEG(={DXs=bQqrbwSxyEf zA)AvlNl>jGVQ)-bOjOv!V0t6RXJLbHLn~k}&B8)&L1cM!dgEAdKlr`G4h;{}s@{&_PmbN351U-|ftv%OM|?Ye*2=or+VwFrd6O%Lkx^3W zJ9dZDO8Kcwm0uyg)o$c@)s_-k=z|i1Gp+Q2daqH2uyQ-PX$NU1EcT~Qs-E_zH84i1 zeyHZLTs0g%8Na*!(?xA0e_gARD^p`+jAFgf(~qlFulJ%sw<^2-|f0a5cMg zuc%18^A{t#+uXt|^@rolQ$0K8t4^|P1~h?}Bu?;^*~&-c1^Xc3>9qGlbG)D1ofrBV zURn`wLM3h@2Q%toj-Ojytjw!|!*Gq8e)FCcYM0on3ACB1Ter3;j>pf9COIB=$J9KB z0VrlM6{5a=P*uE#!(iLkt*rU7V1H{*{u05)2z%6VaJZuKS1SluyZKRNv%y;KxTgsm zk?0*&_abG|>9(g!>K1-i#M4fI2xRJa^fXk2Jci!jazfYf&FF$FzFn}Q+)9}4IJs52 z)XqmwS37BaGyh7D5dMX{%vQ}2h246&`DpPG#8RT&1`Q^PLUr@I$dVRCB?URp@R??q z5~|Fq)N^aq2)H<|54T!J%~YfmxwLy1J2Rukx|_!4@@nlb97N-DFKqxnAlxTBPKkKK zBC1H?eEMRp)P+9!cD7_`?qlE6(e8*Mws&>=ym>p3?4Qn-Wab+EIUYLF#;|XSr*tnt z`C;@?hf7Hr8W0CDF*_40F)|c-t0GIKtFcUKqXIdutJdP$t>_UPI2``@^`VCIdd<^V zE9I{35Nv3W`);GjLMbmzr`lI z-NdOua&ii1>nzy{0dy`d>N8a~of1$TDhxX*Y3%Mm(lg%{*=!bAN88)a$^YYQ{fgn1 zBfQD9xGJSB!!sb(o8zjxX6Tf*&Teb+1q_S+Vqka}2S(UT%Kz!pT!l?si;fes?(RTx zI+-M%)qMX!6~h_58ds-YQJv!XPG4R2ox#QLsLjbwJ`kI;R$g@0P+A?3qN`sn1-VVB zZ$Bx7z|&;+9Y;3ZJrpEvX$0GVd+`iJ{R5G zAC=`lELY%z6dX|7EP0#)r8hF6{Fp#o-NJ?z_P5>E#>nJ{m(|We;Y4JqU^9Wbjk&s^ zg#g=_cyvWVFDE}HoWjV2?xyM76#4AZP0&Ew^BCruWw%H_2iYe`WlkbEploA4hMf_n z4L|t=%pXt*Q zx}-bI+*R|?a?4Z^4_*p&(r8HEm0ypJefjt&wSb)&cAPi^^;~vq#!DBzOr8Mz0ophH zZK(qu17$>URcOfrUz$C5^{K61a}%b=#$OedaE8-H@V_a%YHzWHd6{DBu-DT ze;BgBq@t$P4NE3TMHQS5Cd9P0U(Ym-P}dS^!_;Tv*{OjU+nf#5tszl!I0xBV^DcmgG_}tJC z%Y}uAC_dR6E<%oSdOrcCw-_Kl`*!`arD(~4IEW%&c**xiHd9)OH|09YCi-I|Lgkgs zjdg=vC7rBrz>t7=gznm8tv*y&0CLPLXGw?`;P+ZuQ3-f-PxUq6-|NZmjt8txR=A&R z^6s8zAXV0=R$JHH^$VjAzT}CkSpP7cEbxuZ;!>;4^dnKa4zu#^+EP%og8AyT?xM+c za@$&RuI(;Prpm%~OV$fFvhfOcKLTE+jf0`n2U#vt7}EuHRT^V^3fYj!_~*st$Ui*r zLo(2+{my&Nxs3D7qK(P&3=mxyt8`vsmrV>igaWQ zPVpjuS1PC(hyr$aA?Wf~Gf3TrzVlP@V%kg%j4n>~@oF*PdP-_Ma{Xge0QN$2^byQ@ z=4XH;R*Jzan>l>Y5s4bi2(+CfXrj*3FX0jla)Yx8=js>uVl6-yDJ6$gjzGSjgpWkhUQoMrcx+IQRR+{{TbO|X8XuCe*>!91Y38Rn6 z%xhzJxlI$I8TnCKUi=`=b{nlz2hmSJMOuCYxZ6u}^RKf|hGe3ekL5`^*ydC1Js2gr z=T^rJq*}G5At9h_Ya3{yz*t5~4i3Da+gqOfV)yGlc@Vmb%m;skDj*-C&>h1-$;nAi zU-uk#5A9x8+9un*505Ou*5j_AoP^#M7G{!BbDpKgk8PUvf*#??g#-V3bKBI=Wak5z zQ}wi3?900AO;46OlkSe5t+8|j7!Dq8O4{gLZ)!@41sefOib{@#>?2iZ3pDMc{Wj8@ zyyln2Y58QchxpV>f^AbZUZ$^7&4)ygv*kyX(6Auq?RkHOWKWkmrxPnydRpqaVuPvD zy0N)B{FUWp^P5Q%m{f+WOu93N!*HOLK8pFb>AdiqH}Z7Ud9vK!tYy^IbLEXVewJ`r znr}r6d~`fscUqnweT`67Sp|*oYCGY?7cT^a-d)$&_L$*QQ7IFM^#TIl(9Fq>ESH~% z^P1^)q*eH6_6)P$a=t)38Cg0RS=z&g=cP`cl62nU2nWbeQ&E8)Imr6T0ITe|U`N#{ z!9@PIHPGARv_ssPro@1`sND4dc|w>oH*^!Fi;DhR&!zI`6CGa&=gNyOak|i8; z7OfJTq(GFIcvsA22R3M^xm})R0+%Z;ODeC2Ri)WG6E#D_l2`&7Rmd>Ay%xV{u6M<1 z^|`cL6c~po8%MgxyMcSNKG8f^U7+PxRmEb8UB8g8FCKq>l!?qAxVSa~`QtLQ4-WdC zA4_z*J(b}_MuLzp?Y21R!kMgxnYFt8=SJ^}^k!BA$o(#?b`C-32uYHoV!GVM>~fpl z6Lq5s8jF8M<~+W>A@1375m47Kd8NCGv4R!C!!6hm=@Qp_tKRFNdOA)#14N8?kFb|5 zTZS2KxKxb|WH-UGpNwF)WU1&9C$ZaG+F`(6Vnad&xi9YQ){iY&o9-#7kf$+6jPKbR z4+j2{7{zJ@5N0xhP1Q>kqR%C7SvH?<>n8MVjW+O-*FA)(zRV#H@SeAr0C*^wz>n*s zL#zh`nd3i;!2v=99r2lxqTdgxVus4LuXJiUa~_?rHMp39qY~qXlN#XlGO=JWJI;TC zQZX4LwE!+f=ZQ(UIFu*&N0tm87O8r$cB&0PoPr`&qmb0K@BrDga_gni4=yn2< z;N~~U&6g@NNVXpmIH0flWxEqndxblTjvE`SAyQp#`|e;vZn48CvZ7^04l21LtVz16 zvdp?|XiW~8Zb!01iK%uu-rgA(#N~g;%0L^gXmaOe^!Xj(sMj0VbDP&Lk~+oZ4HU)! z(w2AJ4y0xK8)aKwK6YpE;lRX@-&(=dHIfRG(&N(eI`sPk{wFl%%NVH;? zLFu*@=dT!|B6YeqK>d`G9jYWnMt6Em?AzWuDDwiAfT<^XTFGnmQVuIQG)!iPWV2~V zsqM|(BxNuw{5_tNxTbhKQrO^jHKC}o8MZxrc-3^?9FW$_?d+6S68gzPctf%-d#c6? zJyc|-Qadm4`}~olJ^-_LH2OLRuRGme^X915>0ZUfgY0J4p1W;`nT6r-&^n;f(&SpO zs5hRwU6XgGsqn78Ab^Z(=QE>KYYN!6!PoB@DXecD!F}1U|Mem{&8c=C|KrDohS%g| zk_5>r?5pbA#gbUf(;Ro5Z6jnZs-+S343_8hsdL#Bl(bAtEO4%HHx5sq9k=-sUJiBI zR9rkN9hC6{tSpkrhzcgvu2Z6{CZ}eiuU}){V7xd~d`yGq#^W;m1XM*U z$qYrSP7{N(?8dBZqXMt`v3*iYOIeY5H-{OT8>hR$(Kog=n&SwMa0=%NW?mY)+&Ws- zl0y}dsgh`SdE`2J;4igWc!*dagf_pIqrw9mxDeeTRW+HTnK7ha=)=ZJFT!Zl28smr zzxMw~GcYlpGS=5!`=nM&7bY~sR7ft4)9|Gq?n~RQn=yY-Vucei^cECz_ma|3h>J7?Rx zShEb!@m9+bEI}=Bu6M>$q_cC!I2-l~lpx_O_}CDG14<8C|ZyS3URHne*Dz%oz0I|M_{x>z;woEIOTu`Hjf?oZ=njEb{uoPcl{nMnp%hec za(A9uCUlt_^;>109sV!S+oOCm)%xQ{(%jh1w0UA)UU*)ff}w-_@&S{TK6Jge`?03d z?%>qgXgn>pM~~aPN~AiD&1E@85*z;gr%$@_^1Hn|(4?{oG9ktboJl4g9?EQIXY#e< z<7{8wY@V7bbTcLW(?u~VztK7~NxOGz9}!B`DxLg*v-M*6i%M== zls)sSNnFIx%lnB1BbuQ0{Y;=ca3^QEhJB2{eOxRUhyuUK&cyJQ_6LLf6)~Ai@Cq1}z56%*$4k zxH!|WuvN)jv^m=%9=d=csBaEtzSvw5X@xaY`*|+l%L)CQux{aAcn%)7Aw@yTL}4as znaN#nm*(Adm&2k7z>Z9iamUxP+>7863JWKx|9B?5%>;gMK0NeUr9D55*3Gi%v$V2A z`c0HxRl%{rXa4~X>SM+ptP!_A9&efWeyd~8YeruN?IyRjlY1#iO2X0fmB9vd54yCn&y=pPHkdI;V*TyY^+h@TTqd{T1@a ziLk(Ai0~VNr0UZXyS>Q55&vl!W)C`h<&Q9u0&(fES zKXFID_iBCA4PD)o`*wAD+?{<_WQqY$4hGaAF~1Wp2=^t2-=I0$R7m#^7(Id`z6@-> zFcL3k>m(xOy%{;|Rj_N1PJZMwYOAJ{;Y-#!RaWZPRqazFVI2wjI@m)L80-}IzR(AG zEyFkS7K#%Wq(HmHO!df>FF8>7%~uYOT`SujJ+LJjSvr1zifv?Xi_e`RtB8(bJc zkR(xpd;D3Z=pl zUVkQFWT=hL$P8hWSF(}4;aRm{_we|krZTpYHZySZt+Hx-LV0BsldERGv&W42lKY^s zca)=Uej_FX_-^{6l)}E~8_B6kr>VpRMkGat*&O^((oFo0p5~Ia6)`lNy@76Zh?uKd zQ!+oafgBD3h*s8kXVgqxf|A{6EuOGf^em6|jyl}0>&U1kn<)c(^JgRZwF~d|#>#%# z+7#Df$CCtg!d}ra07`J_Fk8GxqGBZeoS&nZ^-JZWvG2bRGb21Hl`2|%)_iYF8w8uK zY)p&2vXX6%cRcxFJDojjfSnRnD62xw$~uVP8gu=7`p56lVgrYLikZ&o@(I-m#VF8d z2boh4oU0;9l?`u(0b&nfxnHUQ2xHY0egqr#dNY?ZksEEhko=-XhVjU3R`h3>=Ud~b zVAM6i{$Zi#%Uh@OpYc9ppp>pQI~7ocUS7`p6iBZvl`z(+Cl3-r%h;Z6lGQ?YG&4w6jlt15ec{m&Twf1yeN*EUkkvwt* zq2<}rS|t8@hQ@&rQOGdRLkBM3^fsp|GN=R8ziLTPpQh%iCktM?+a$oh7xO(_f3ea2 znMP2s^KRxv#kf-bgfD`Zl3&=IWPAC`XiHAkPsszLUa6K9gYEkput+i>NzEzERDJ@% z3`|0PpFUaT%4UNCjROBWsHz1Wjt_Thstw9lS^xRQ6j`; zM|S>Dj2yX3n!c3!XLdJx-^nGCw%i zPe^OMcTQLZjfF&G&*}NKg!g{ExZ557s;}>SIP6Zy%>fTQ1Hj650LZE75`@4&s3xRX z?2eo%f&!zn34q^|m!75?dT9bzsDwEg8M+0EAo$4yn;_w8U2!>b5>j4B@k+Mtc@CV8 z&{~a5lDAinKrJj+{i>HSxLm3&x!uX6_wL7wNCbq|@7fE05!L z>}Z>kdAFJc3=X}Z;I&PDEyD1l-7(ODE3}y+#5d{^sEFnIw!I43`V+F3r?&e9l(h|L zr#EqyVk5d^)2m%+-$>Gqw3f!nE6J;=Q3r|iX;fdn zf5sjUG1(5!=l9oxrI_yaa&27Y#834P^Co~ADo=4QE|PSi+?#^b^R7YqwJ-(Q3N~IQ zWbrzl89nIq#Qo3h%cdW96Sa9Dol|g3qWMs+&gAguz}!6l#<{8VnjHP$cw^+AGwX-P zS`W2NnQZyP*Ikz$G~^WRefhL#F#+#r!)65xBFfnm?Y5rpFI~aN@8zw_=T9 z&Am&DZKI#Df0d1HXS`;jXI!tzAZK_2B5H~OF_YvaOTJOlQ>jZEv%01E2{Q$=WT|$K z2Q`59R~%wFXPU@~5(naT5nvjq>1(R`5L9G{KTz5TP(q^!sHozBt0dX8>B_rj!5_jq zR)}v+TXg-jk$VW)fPL7kyj)zu#UhujAYg`{AqL{N`^|%=3WOnLztN$Q z*@4jquP&zH}lw_j}oF5SNPeW#~s z-u#oFAK&Rqrhx@^Z_oC!lN)k0Lbuneq<9SE)P6=1#|Q(?nFEFk!okuRs)Sb*$%SdX z@8id2?>fHHzuC7g@bi+??l++Fn;hsRA>)ZXPbp3kAPJsO#2Lb6#`B9(QQXxsJBT43 zi7zsO;hXcq*@0i9 zW(2IjD4s8;d!hCI+mmGCsM&a_OA{+F z)&g+?H)BVF&vsB@MlQE{tuZaNI}VhgRG?_jiI#_VO?KNkt%GhX0SIF@o!hoVr~LM4 zYcCpCYqVijukUnjjs9|>Ewm2l;q}E)nm7(81`P5*-B6HKJsl|SGcx>1Xxa;9tC2Crf?E&{0OEB#{bGsHypWNP?{1H2J zz#ar0h{d&y<-HZL?q9-W!D+s`qSoB~CEs?ZXUjBy)VY8RO)&Psuy!Y5h;JKFd-!ge z1-5^}2IU#9QvWf?1wotx&}DiH5z;3#LeEsBYjNmQqI?40uCPe8^viEWk|Ek*-SJ_e z{VBU5^-QN(GbireJY>Y566rUE#kI&7@oh?6`q}(c`ftCAJ4QuB;#^;k6e}l2bZKrN ziUf4sTAt!$i1q69+oX3l3qco2lqYu@Zj~DzzYUc0@ZzSQLub$LApKTsW5q34eNTtp zMI$9&(9br_txc7@{e-yK2VR#6_)H^hO%^w(R;h*hR2@XTy+$h&W~GElrI_f+zFhJ| zfX+e}-n?>q$FkVJX2lg_vfG^cl|^#t39vTJCf`x1FedZ)Ku?*+fVR$!YgpqUM)vf$ zf)sN^m9@yMETIY&8uAv&YDc~_oKTA966^JM4p~@RcyF?w8WN_KGSawERQ9X=lZe2r z)dPaQIhKMq?QIwQ!)hzRo^ogz)hX4LDb*abS%JV6Ty8i5Z>ui#%GUFH=Cw~{neylF zX~!t9ty4|CDvwLkNF)mT;D-@&sy$Y@&zi31h-)h7I`1Pr|5pJ7{g}5L#pn0w~VnGDPr#U}D4$|j$5<&xpV ze{qn7c1G<=BoBmyDnv!%H6hHqIBj06I|d7$ESM{X=eEg@3_Ej`65Y-w-r0d>JTCs` zJ3MCWnwu>F!7aU9XnHgo?PR;>_#_o=$zpq&IPz`K&Z{J!>SGRQC?p$#2+eEPXT#!Za& zZ6O!#6?gi2ubV7gG<%BV6}SQfVO%!{ceJ`e?7X(<=qCVix<8SkudNH6Bw=o##>(MG zxq}!bSqNtbB0hRaO78Goq?Par2Nv?QE=$yu(UE({o0@ytpRn?`)`+-FC=KVkpWIY% z6tt>bGJdnxqzEu<{MVrMf7)i(1QK8p6%M37Dlpd&Be=>7yn`uYqPRYWr>;d>8A?F@ z;C3b4U%P)RpPuUasmT4}G#P&n19S)^Zj6|(pt*t0^7ljL@UTFk6xIOK=N+t7oUG9! z#w=i_CK3Y1e4t&if~dQE5sm0RINR#9_-ppOBw!Zac68NY4;YK@`CKCOm6i@~FtL@E zV!)&*O0enMn;O@xFYk1Ino&;VDySTehG`&jzA4AvOMa-_d~msu6hj9=k(dGmez_{ zjrk#sjUY;xeoHfK`pctdTLerLF_&a`fsB5X9>BuK@#G*d`!#bO zyJVJxNt(Q}1jEw@u)=y|if7_25PYG5-xwJ@t}D2u)*U2X28JL8qR3TeVklZ7aWLZ?FjRKITd>uHW@E6Pa0!<@Ntaj>P|7 zh%=EYy#0cq@~M^v%DpnFMv_A3x3XJM4>rcC)Nt)^an4ib7#989T$<}Q}x z0&}aW>#XB;@79xA5n%zwr_e zy4VQ@&z~B{WIs;4W2;XbFtl4EBkGhiyCG9T)0DRzJl#%tG1|Li!rgujT_*w)O-R~( zGt}&Rv9eSK3zf}H>@yz;Qf-yvRa2IO$EZl?U5J3A=^%)M7vzbmugU)EIBIs-eRZ|_ zXSla1vo!^;vy~nfV2%b$r@rV2F*$Kn$Qkg~5lIzsd*t&E$<;w2XtwHQ!xj2G#c%Ik z4E;KZe|1sWtABM-kX*4dw)20&sKj@YR5Huhp=CQ5Hh6xe3FX&nY?WX|1Ke2Rhk3IR zK}phCi9MIrSq8F*z{GqHn3$)O*$@h2JTtE@7ES%uLx;-39KW@Fmm%uyUV6E~ayl;Z|gq-Q@o6BN(7tW%^wu zcBFVPUQER~T(n1KeFof8;e7Z$HoiR9o)l^flheK|DGGpS|9c5Kr&GX39S)v=e#=x> zIGOa6pr%jlfkV{9Z4hA@&(8O}+5+sk{ea_g-od5mlV>~@$C@&K=*5=re(@zjAwmZ) z5URWDaVJO1W&%4f4gJz4*7W+!+6GDkh5<1%t+UfGNbxXU|MhF8waXqHu9tfu(?8IF z5(n&P`u~_Yg;jRFTgsjGb?ia_0*>Z{*_Xe@=CWtK^$8Lcz8KdBwNGvf^3w!IJt;T) zmf&FA2A4N%3shb_W`7OXA&2)#wFUn=up|6+V5h%bS(|2+4LPZuo-O`g}29H9hLW5&h+P|w^RI^5ZPfaLyYWr?g8|M%2 z;K6NWph7!cd{iD>v$FnSMtSnIxkUv~rFbD0(cUW8c;a zhckuK2kQ8ji1t5uXewv18v~U6qn#Kq(`GI-QQaC&1R@UH9UZf8+^a$0?0}>JsBJ-O zrT|1jxGV=^pjO=?*sDzkV*o$_Ux+0>-`zY9^>?gaJ&3aV<>m}B&R@4v3w@JO6A z90Y;n2}fqe8>`kxHYUBImDDr=#%iC7Y@}nz=dw3(0z1Cz56!-VTQplP_8#lFvs0=) z<9}GtAmBk0<#D4BOX@jtbvrd_63CI++gjfO_PHkkC%I3*oIDSb>S%{ou)OF)1VvUm zc$nBMo)IQ8x`Jm9@>1=i3d9JWhotx1ty3iQbhYVb5A<1ca>un$gUNf17To7{?gPxf zGd-$1CmOyD2yrQyv%wyczhVcWfl+Qb9|(ovMNEYH{R-f+PKfqc;N zD6@#yl=rto>f5S0bgAPvdVu_)b$&)J$h4AxCI=t1glE))&X3w6U}KivfxGJ_%Icah?(hdK1=|fmTewcmQ@Lg5I)vv9v3v3ubB7G-5ni%tME%VlpM#@Vue* z=7>$S(0~~s4m8m-mzsv zOoo0zQH4b_#q8V^_1Y^~WtsB#c27`!^Ed0x^sgUYy!$3#4w5g}#MK>lk{rx=zC$&hI2@D?sP*U4S_ZY%hUI?QKjJ#H*6&VwB-B z!FS1DKJsFs&jGhYQKKKb50k(}1+GV#;5&}hhU?Kj^ppa@qS}MI$h8!%4P^d zm2_12urC?&_;Lax?dbEl+PrdHfui%Jnts2Rv>3igJY3x>J&U?)%o6z7ibxPT@OhUj zN?TUOLCBjPkP`-ji9TLK1TcXS`4c1GxR__30!|Mxu)(^Co%ltrs}qQ2w`s6*w-f>V z5U$>drSXJMpKVD*SE5*>c8a4h=pZK}U5?U&FW3n+pskZ~_COeA^1>C{2FGBk@+Mz6 zC0?LVFhQ>44-KEwnw+U^SYS%B_ct>*)-}w2Zv5)9u@u}hj8<&#oK>;e1fG*9R216y zrT8*Mwz+KzCWIyIY??1@&E0{4FvdHgl^rNF%XE?8-l>uQp>uJCdqVw7=#zp~#E&1u z{64OWyGYs`1>>dOGlTLC62YNZnD;dr9Ixa%8rWFb3-j{@fI_?{qD@DahZY*YzOd9_ z)iGXsGN0*F`VA2^LQ!`$<>jzI*^|I&)jrQ;dQ*Gy2YAwq3X=?3@S9pX?cH2>TdW`J>hl}@4 z2T?Z8Zlz!(N*L8dOU+0;nAfoKIU`2VK=QW}>f6#+?BselKU6fdqaPOGJ8SVmZZP-g zh`m=dBB8CQu-*@TF^^y}L{CdrGzR-vM?PNZ1RQNlT9>j5Ke`V|)Yz8&Fck~dQe`td zUmW`y6KIg2p`@!VP6DpybwYuMDQNDtS>u@jldnz{S0U?Cmj| zIx6s^_KeknaOQSFMvTL2hw7X#q2!(>kkaZQ=`}(uO;Z4v;DXEAz%!q7%8Pv^QQ8d7 zncnwl2u@BvNIc`I#1#?EN<=_kRlX%x_WvR*9Rw(doiG%+{5d5K5iF>eO>B|3IpvZYNU~nfQ{%I zmo5ETxpM5oO`LhMNSa}5fwzX_(MNr=>#;RPD}^JQ5I?)q{L5^+*AF9NV<3U^=|4!i zxmFvtE#z2R6EqBYLIpt96Q$LzUlU3W?Erf?5LPOQQ&mD}w)rc@<=hH(~*y`{veGRG*`EGz6yno;R#JS`nw)3~X;i4Rh zdF2O?pAw@wC_BrI9baGPkypP6`&ctm7guaE(`L6KPja4(*w=d~oUIy_g?wE^hd_ey zYHvKrVxlC^bYAc69&f*F&Osl@3gPwOXrJs%7r96VBOi3X)Gg>nENh^V*B^}iuWNVA zqjrzIj)~EMSLkTo1J=v<$8Kd?gu-OW6rybDXo#7i$$t^vX7A#lgK(Hg@NysyCM23> zz5}aqTQj#gk`eLkP`BfVb1xesd+d?)Y;}VnnpufFEV2H1*~aeKT~@INr*#A=(f7na zdI7`|{^}E$y38D^aB2Se1eWYYGVApFF%6&1vs5s=XT(yw9aj$SH{MEaP$LZh2Hp@= zyMwIkHUBtg*VCw`?{pEOq@o-chaRxqM(c;}I+Z#pD!D4nZ!?(Ui_*tL{LN6|UaCrm_SOn}LQrQqsnnp_z&8B^STC z8*zijN#Nv%ekK8YirE9$tgH3+lJ`DEyDyQF@HRIHR=3`fEr;2nR`q0I@63Qb$aoPc za@_BDev{ECC(0kHD*Dw&Fj%xRYE)C~D;84npH7>_(@HtOi-d#zfaDMtjJqE*S?4p1 zTB~_@P=Ndefk3(bV%q`ip~vOqZpxJexl&_VD`PiS&Cfh|ls5Pt_U&8r{Kl3XefogK zK<3wqvJ$YO0Yc%68cc_St$E_{tjfy5nwn#74|AG5)3TH6gb&2S+cHuebETTE1sF+7 zaBkhIX?B9-q~q$gE!Es(FyENK*M?FYdmrPV-KvWZD-AcHIz#{36kOmZRbAAuSD*WsGG@Ne%)Kbr*k&9B7QL}qByX1Q@owj7|H=WE z$b~<4;5~#Zr_V`Pkeure;IAbJUf!9?vfOCq!;;QXLV`Uiws)%xZaDhZYM?%J&k0=$ z?PTp9?CgyRY!}SDd!bne1&^VDytYCEAH|VvVm=274icNqZ`(D~bg-Ys{lt_emt`wB z;lGjn%>`hiu=}YDZy#aN}@BeW8(Q z+3iK}qx2*Z+^i--KCaw(XR9hZwd<3Bl&pVp3}%m4u16dX{H&>aM z4WS2yI>vY0tJ${7=jY!J6^Q)ofi~wHHH=w2CchB@&b|0*rMKCSt4iezwYa!vSla_( zud|MJ`h3o6Ak4d-E{1`H^=8TgEk`ru2d7h!(M(}lH{wy%(EBzZXlZ;N;G&o-K^Z? z?J{H`R~oA#;Sa_9#y<9;`e37lmqziuAknh?$E@i{o-e&C%15pV3ouZ*-%!5v=^`{WtZl*6Bj z68%u?5DMQcK|M3+Br==PA3y1QGmtqGj ztjsW9u)w^@hmuut%H=7=Y}_%=4M>sdiZAX3Nvh|ntQ1Zz9aJr;vfq7^(Lf{zd$_tn z5ckb-X&J?hY9eUFaMd|BI73tVmeS&W(8U8X52jt(^K0Al+sk)gy1W72_0~rq_5;lK z?k9SaDQQ{i1sV@vS7bFkXP0pR@*CiX3bM0~d(enr>okwDt};68IhJ->U%pUbQ%z=tkWw8_0Tor=gAA9Kr zK_w(ND@B<@f#iJK14KImN%i47!@m$#(Fhevv$AJ3i7&wAp-vq^Q1GKIn^-PYJnN_J z3kX@%FlRf=U(OfqrY2M!wA3Qv&A0Xr@U(t7)?2H_NEx5~RP zKP8&Twn!-xMajF&1B9@2Gdv<*uc@Aa9QBpi_xw$lb@8826Hmv3>Jla)6G$S|%i8iZs( zZAlLUS?%t8#l_l^Qr=`>ud z*UAEChSzl#Pg=0<`U1xzgC^TanneT{J`cnyi>3Yj*?@`aezf^S@uS>W`Hm zH}HnjdEhf!u&vO+6fM4NK&ra|2f=YWx&NGbuqk%+k)D$itoIEkkakmU9!OrGw&*^$ z=P#X`us4zpR`W_r%|`g~2MF_iOTx8&3*wx)QZ>)CDF)S4Xp8|yLgvAer-wlkro1b` z<>iap62CDo9w;jr(8KnRxITKhk&jC?3rI~k%*M+Uf`n-rs_T@;>Se#jf=xl^kNnH5 z)ZF2wF%CqP4sE3T^S)Z|WHcB~qzVv@{8#hlmyKCnWc0oHZB1?a+67O15O0;5N`Bo3 za$D}ux`%Q=+u|3n{zyo5Ai=QBv_(*SWNoJEa+)Blqz3T8K0Z(%fX(jalT7wu^g4mB~_Tvw*X9^D3U`c7=->jQ zkCc-A8m!0aa7#%@fv@>E62YoQpY@ru?Q0X;pWEEwa-PGG=Wil6peRW%3sjAfnQwnW zexL4SIdgT`0~lHP@Ylhs0zxjqMR->0hwj!>X`um<_;GGYms?;#p%lsU^KNCLAU7-2 zVbO&LYLEg`OmJeqP#)Cc|E=Sx)ReO=lL{G*12_FT+6+Sm$$tPk{trIKOGG5TP(?SN zH%#KOnj3CE-9e?T?C_Mu5$odQb11-v%vww;m3i-)V)@t#o=NZxkHwQ z->`zk$nu|TP-auvk9Mkmwgvn((1`*XLtsEXcs6DJNs2OTW>;C9B~X-N;iK$d)QC?H z8()iQcSX0+M)4-5%6h&+eyk_u!~E5G%nA$30?Xwt8xXX zu+O?jj>V|-4Q+-*#vK?@WJ^lFl<{}dC-~NDhm`v*hW(&BWv>|#_y5KKL6UoN;i%(* z$}bZ~d{it-NdiDf3Ry~(I8&>phBi%oO#>*zhF?E+n)FlKuxX(B$;`7@JiD!z`Rmt# zZn=3e8=H1AW)0(&EzZkXj7aXb0+Ujbln&8sj6p4_$`%n(L|zf1$OL|!smjObv{ z3qMlhtNhsZ z-z3v*NW3fWoWxu2to^iA)y6=BDyNOTdKiB3!~G6P7T$i-V3#B(i0m{}@Sv|Dx}dmr zr{@WJouSyK0p>}oBCd;_L)jZ8yX2!O+6~7$BBWvE83jHQ@2J5lytSxM(D%9dh?@pz zrh6B*)xu{F)_^!_JNf7=HpU|X;}%1>OBDJm#i)G|qr#EMa_Q^cUb*ISmV z=dKf!UJJwgtjb1I;lO!8xPdmtH8bW z@8(V~$aFM%t=`M^%yMqCQr7j@43rOkn_O8*()0Hop8nVxen#-a(yCgo2ixe*=wVQaRGA^H9f%IL-JkM>KpdXLYx|_6e!fKXsBqZH55dy zeZJPs?+ivtR->LK#E<-;I=gH<0N2j0@M8w^VVrG#Tvbiol{HIF3*)5n{7VSJ)_*8z zJX1J5O~zN8kTg*ghs~J4NdyC0A8F4NfS4RQRuFTRqlLd_D$2KsO)~9BU#lbtcJ1j4 z0+fItawXWVedX1=^Uvcvdtis`_&^Gf4fR6@NJe>6t$0aM{!69+($B~^hn1q~ynF~3 z*|$1y?h>C2tUsrIw^(6;Pk$9?KD4aQ!^0}jzPj2-FFveQjk`WOInj?=%9`ntt7f;j z-0i{jA-B#%x!$b0C#HFKQ0QT0-#+8aAP-DwL$v-CW{eP*u zTd|D`x;-yr;nZue|597Fb&O(G0YK9RG*p%0)^m${B3}J# zV6%*c>L-079Ydt$WV8CzW#}VE-JawSx)vuNG0x!&-J6AHm+MJACTqZ>mMJ0 zPr;0jz#~{@=uXedZAs~;hktc7r9dYkqNG=wK|52Rf_{VT?T}rZbH~V4^-z(n9eTh^ zZ`PjKkSqB1C^k$nswm*(nJF-?+AXgwPy7{=|B0txFk0gz2)is_?*TSbt>Xb6yq#{4 zrI$~r7bT|%Z!`0*8T^&@u^}d_A;wJN^k=}HWX+2<W4NmKU4A;H>qiYc=Zg=NX z_vKVHhhP!%nVZvzZ;At=hHbS9`?hi%_+xh~gqc6SK5?$->89&uq6KeGCTNs>pC@~( zZO7mf-aF+pG=N0m4~;|`vhotrg5UTUXqM5?MYKP<;yv()*Gu?lW%WKbg#Dy{um~M*m8%D$}a6Qet2nI;8Yv zZ++xrbqb2csPXLqYBW&xpC1o6j4gz-UhySd)kE<|RhuOuHCe`sk|z762Lo(9UAA%h zIz+1rsjVgf0q4GI(rHStmx%0qkz&q(uFYwhVmbPur+B{_2eUpO^3>lS~6YoShA*gfb; z{<+Nn6Wx!^sWU3r;l_YXbMZA;)=I*cu?YKjRvWrn#QaT7DQ6h2Fkt)p=pF5JpfRcZ zGBkL?4*nryfU1_d|(xW-1Jp_KRS%Stdbzle*6M?hz5GN;$|V zb%e{gz}?I^cVvS*d{x5UJ9Ci)VIs0s*VoGM9-&joUC~p)-(Jihx)PZ!uKWu`FPFCK zs~o~t{43E%D@r^5C~0!^k6!Rhl6Hh z&_`8pmdO|!D3JqzKlCph=+dhpqs4B7;iCnq}V?8i&xVumO4tFu-NhJ;jOA z=9df?ri>#%e;`d8+a*s22XK?>q;Fc*c-rF|1#Z7WB;Zw!AmXFy*B2y0(;)@tHYpvHOc6NF-X z7_`b^buJ2f_+TTm>spC2TwO&?x7w3#yIT|8sSGAqboe#@DnL#qfz7k$+6X)%LXQs{ zHh%YPYtlPAJwN_+7Rt{(Wjvpm;;rU68^Cnlk(jIH9*YO)7L{CZO6`)tD4Yo%S%4gC z+#bBURs+SaYlHJlI$7@lP7`b~RA_&XG=+(h-anlrNRc?P2v#sQu_d2%BIGCn%PI~F zH$3?e1l7T6SrYwKoMx=GThGn{Av?gmLH5aDFsh}I z4R9?2L>SUb>fV*zl7ZLn8$y-)^Q


-h<6=NFbTA+vHZA~4Evdha05@gxL3$M%73ocvO+S4 zd%^z@jNg=EQp;040rduRBt=IM6dv@9AhYMlv&g!Dt7y;$&zojT4-x>0 zPrkyil=nep9|0H4dhP_QM@|AUZ0{rlVQT z!5QyL?E9zS-EtDR7@zDk9vQBP5s0c468a#O$-g*0;57p*82MDOT|0oP|#c5!Y>mckzNBC zdmR&AOobvWD#kqy5HHvbe%My~dH2qxWr0B_CWAL{6*(-8Z-H_dQ&v}yK!5LdvO@@8 zS$>+CZc49H+Sn+Non57pH*_9wd}cJ@YFN>{sM3%lZlD+l@X6?FtZvtwq$O3!#a!g? zeumOPBbF5)5zkU_gz#Y%D^S~k_#av~?PBjWYr}JFPlrX0G5O-z)AlnDB6&cEbGH{S*HcVgh@p1?b| z)mQK&Mn+0T3Is0hz`O-+){l5C)-*FSTTTq0M9cV>l+2+k4=*@mtE`^|^^pZ&XJ==F z+s@_;T)cx0F^Pe9-qlqvOd9s8X3ytU?@BP?cvU6Wm?qCyJtS(LD3^w{itq0i2!7~` zfWIq)ISrf6pMtH&7SA#EHkXiw`bkfVD(n?B&Bi1@g49G=d*;gRd^i~94LJeY-5U%; zuxs0%^d9Ykcg%(n!?7`ScGsNg4Z!pGt6=UP(*I_`rkrF4J@~t-;Px-?0vI{o(;W$5bpeow!u6h*tJEXM_n3|*NLO&-HiB4aq4U8_PY zZ`fRqtB5)94(Ra$Z3KVFY43`-|3g^0MXb6I6u7$C?x$QH4%>aFcw}lqWz!=^V6eqE zJ^WFIbZ+f60fWSnRE5~Yx$NHtTy_`)^OG@THaE_f`sd?-HiF21Z6kOs6)8rpTBqWi z_6Xoiztcw0V&YPQXLI{}Z+ivQ!c?3yxoXEk#|dM39gg&)8)N3eGBw_d^r}@5DN~oY^9yZ&_06zYALa*{ z6whG)m;dp!hjmWNcmLbs$ z1>0tbujbJ~HmKq19?zE_aV6@mgzcVehszzS0Z@4L^gdw61BKo|Kj<{-YDFCz)H&SI>E9Q6;XLSKISp)a( z4N(J^_q!V~WLNmJ*prD_^p|G~`cI}UB^nJfB%vWk-k>k*T9Hy^$3<5v58mV`y>Ygi zA>)hwZCo7vHM(js&h1HiUT!Pq#=!%cTSoEii`57d4+0kO%n?=Pw#Cy}N8*Ms{s08; z3G-gq{g3>=rk$jh$*>|he*dy^liRO3M8mdf*LTH(LpxNO(F9uB(VtM=!F;4fjJkhh z0a-}ybz9|?85PFP(p#g3gW0qA58uxQ#1&{FtlXY}7#fSKy&Ij=0vMix1nFUirqO18 zS9_i%afY!Q)=>htLvMWmjd+h9oQ?C?wT!qA(E-dIfM=oGco}@h6ZS1Ze-ao1)2x9{ z20gF)f zYjokT)2B+;2v%LPu4`Gryh^WYme# z%tXcYk2L;@Z+k@hG$wU?IIBo0XXkg;;aWcy?2_;Kn)CWpRV%RKq6pdgf2^Lz6@M@qJXe*-fTw*{gJ%{V0AoUpgQzMHkAs5?3R&9SmM4de{2FeA5cv_$ZE5@a|399ye#9 zc=3`-uir@o3ym+in;3T?4^)-V3@a$153>=yX?i zTZSHZi0SHKE5~K`^N}9ECK(BZrS@5tYrRA=*W17Eb-5rDsG`S!lMvc~26L=tIUg1w z{W-V!mIAi}2&?wR%!1HSVp_pnF!eJpKYOzTzCx8sA?Lu)%}Vorz%sY@0jLTw&mL^V zTHF)LPy(Xv!I$>fu28YGE+$$l;?*2&V1s!4Br4Tw!`$k1-5(}e6kmOg%>i%Yz=wy+w=?jmNl~092Fl81~Hhe2K86`s_DY5Yb@byg||<+xOoX8u<$VH^%ML z1Uzu0%31R#<5X$UEvivo2f<3~xytLg00fYUBl+ed!wY#F)9>%uhP%DJ)C_ZUkeOx# z@4^5#(Ls{}cJFi&9P}UuRQ63fUMOPl)$Y8t9e&)mVT3s3g@kB$Ed|8$aRm0sJ!}l@J!V!8YMQ+M0v#na zlQVK)36G#c$&ZbBrbH6~tj`oJQ^1@r75Swt*(jL&gFeIE8d1`=zJWdv?4BOppIqWa zZb%F)NiNUdca|F7x(JQm%(t7Ceanmwc4R-4Znc)b-eAzV;95fN27%IrsD?0-1pFK0 zcfq!l!^k|!g^HjVh3`*em=vX5mnX;sH(1Yu44t9War0a~kKgIfa8w+0XwrGZr$75W zB?vDd`KCOY6GP^wLpNfKdz1f!VAet4Jh48w`eX1}{pldUTrtLTkN^I)&dtlh+%MnN zDc$ymm6Lf90Cu61wTMLBDp0QSxo`_eya(tVjC!?2N_l|>T*4^)V4|^RZZ@}U>?A0_ zKIgCu;_2+N15<7OU8b9S&ORCl`xu!Lmm7T4gyY{-X~km5Fh60XidR#T=E>@c7E5jD zoRPGV?|~UZ)Q;9~eq-sox{BxJrb~ttuzCp)3`L1Tq!ke?xJ>_C4ty6>MR83(5o+T~ ztb@J*k5znU))H>rc$aE==tnq^VrB=P;jpYd1v9UQ2e14@NkOm8`j2mI>8?K8;BFDR zI+J0R^|N)YIxE!{{d5vs8fe-<9?Jfunw>sVA{i`af?jffz=a#mY~WtBBF+hefK8_t zw7B0KpQM0)fp)b0)39GKj^h&KG{~}w9u2hejB0g8zw#9W0*UB|D=;J9>~(-7fPN^i zt3;^l^|tK5qN4_SX6R(;PG{p1;ETkCcMURom+%O1hZ-y7X@6GuCXTVnQ?73oDB7}6 z>ayakkhFVU&m%>_!WeZ0efVn|aC=SEhf0idzA9<<-3Y^+K_!ev5^4}#EwXd0BoENw z>S%K_602iX*UuO#XJg-Nll!R8jSaM>r6o(wayu@V%E&OonMcQ`x%$Qrd`X>|DFu(d z93Hu+k9ei(t17n|Fvo?MNqDH@G@hEqKKvXS79SpR~8l#8MUJ%f#By9ezq@=VQiwBlbA3C2kpIg>kb z*`deiOu7xWJI_Tg$GA?DxEu-%c)X5@0O|X?SQ^RnIM?X}_ua>I(Af|+=7*}ETffjJ=Xn)_;(Q2e(<(r7O93PXOf-fV1<#sIn)pnoZ20G%R1QW={;b?H9)+QZ8rIauq+8sg6X zchdCwK!k(2|HkNy4>iHx>_#@cJ;GTlF4$KnYrw>j;s>oT*B@%(ReZ8mpUt^-7K6(_ z{^;tLb=`fxe0mBIxw&~>hXliU;&_6BMcY$6CRsCRz7U|ZZ`_<_iD=aNbK2#N*z(oc z(SdeZ(nqjw&!B`31I}^X{)Iu{@_&=SKWIPqf3=JObTL5xqcVmwZNsy+ggUcyGC<)HAzu%PZOonpxzP=Is1?(k%?OXlDjP`Y&KowI{ z!&mus0A>X3QUjMY5zPKb?sAC`8%IhN^b>&p0fNm=H$@PnWLM>{|4L)CLcfg}1GZqK zmiO#wBuFv>1_?MDg4uB*L=W24ey%(^8KSMIu_y#LNFa;Ibw&UqEv_$wd+IjI}65!kqA%ij=f-F`ZW_&k7h zysKFPA)X}!QjPzTkQHR6kWT8cAzmG`t|yh-UW#)79`yIqj6fVA50j{wdQ?$Zsulem z3Ol*_APHmz@Lan8&^VV@JY%h@y=`3sz!y24Doq8Q?Ugla6I;LmDL-)1uXJ50y&L{n z)Rnk;w0owjrT=iG3oWXfa0Zart@%ZJ*GYu+4JLzEzP9d_h8HKF1lJKr7$+Z;ki)bA z)yNspxQv#1W{RKnOcFV7O&V-N@j1>sU7dr?6B8mQzAs>M2@R*M{spygyH{+UJnv5C zDFo#b*oNEM8m@&E3Q$3L>129Zk!xH3Q~h@w1EZr7aQmb79c1KpFd_P|cph(`(_$o; zklCxlQ$Bv8D6uqreEj|xXV~Z9;2pfaf#%WA9R{J#nNP2;xM1!Phob|~K-W}Pj3{aF zbB>pDiv4*n)Z?fbX%e`-QsB@^$%0_D2c5shDEwyi1@DQ=8gtc*FEf)hZi&M|NcR+4 zwTE9^AzoBf?AD>(L5M|XvHkB?FK_YEkiGfG{>{}Xl{9-*N9 zX~bBPHzo|!Hya7YTCLy?=iO8-WHGKD1LX04GJu2{%3P7CgDfx~{?@{FZ>^Jk8CqeV`OTz5XZxf( z00jYpJ4lufxqQgU&b>10Sxb48K!ED2ry)QrT)+Nr^d~_7-2#RG%l!$^f44y4`oGto zV6wD6oS&cD*4}-!wo*|O=L9-Wyc>uf@$Bs#msgeo{hyf0P2H@O32|-!$_Shs56+L) zkZvKOIXOpgCmI@y=U8a42q}Q`{3c}rs(+rzWX?-6%}4PUa+DYhxT2xeYLE0_5a5(t zw(2KM_Nrx=7!&hW8Fj9v%rNO+#dk?}v~${wS8nYbo$QElb93t;TnRyn2=sL%g%GhX zLX$BlIz%TMCUk+3z-yx_Pc#(~6$J)XSO!}m&nJ0I4|@S~k(j&c=+Cc$ZQG-sXT&X3 zHm62Qf>4p}!G!;pFSuyotnAFk&TihkPvz5;W~vFjmM1gVtvG}6x%2z70^4!|18I`bAr@n8b)qaMD zQ7R9xWclp-fxe~W>w4P1;;TTsE@ZIsa@}D&3iksx3Y4FJhgUHn8@ytx4xR^od=}^L zG(Yk#-X>got{u1Y+klCL_?%P23(*;$3i4@LE7aTrJp*Gi9h#vXM7-%l_%%CxYr z$kVuQxZo=)+SblU%=w9VY+ma32h}><`F3UvL{y_a45K}=QNrJftU&z=s7EoyuFEbL zrc}mQ#cx?EZWMWUesnLg-5BI7=&mPytbreh(RJ7~xb*OHKdc=m%9gM9ieIkB`-b*u zf*fIg)&S6rG4X(gAIp^rstlYe;hTLltJ7uPX;sgUR|fpGqX`_it-;N=b5a;q{z2LH&bcC%0l|c;zdseHV&#RS_{%=n|OU zKv*0nQmt6?D;QAfaOBC4JPZUbSj~f1G)*%T)d>h*{ZQ6&yQ=pMdR8GRrb%x5{qw#uxDm0*!$;6)bGeRT#T8ZIn<;kUr=a;*DG<7`fG(|i zA}GIBlDd1%+1@oIMrNEvqKo@zRr_=t^9wTQBg5iu#w;ui7njzET$aX9LroI|y}mX1 zj0c$9yf-42bstZIjF-Pk0?IL(@61SH@5lbPfM8&pkV)hcgFANC zk6I+rf39}9jttF{y{xik-ZNa>eJ_pBR8-P3HMK;Bp`0H*ezqEl&wrQ|x#4(#Ze38& z{J0H1b0wT_ZD+@7Hmm{zJ?@qjHMuq8-QAvZAI6%qEY=`RHdOD+sz>0i-!5)s+I3c% zQ4dDEAqBxg$xOJ?Ha0c{K7%<%p8@j~d?gi)6lkBIVgYs8%4b4DM+efbvRr~k!26Gp z5(RuB3NE~zG(G$@$nWo-3^OFXa^Ub2E-cJB+upd_eBZJ%|DN=Z!qu^~vTcSK8AfVa zy#{Nj9y9REh0ab|S}p*~^COUKK!zVA{Z8k-o#Z_#)Uz~ErKuEaW}=C%N;DteO- z{DFZK-vR6)NOXQ`V&qAr4tx?7}mDUj# zA+GoB5N0NIF9%^&;c4)y=91qDqX zVhPYc`yK3dt)JFQVRX`Y?G;+;htXC)CGff)V=NS57JN|b^a&<{r z$^$yU;6(=j255J!&==BG_QFTM%sFAzm1>z=T$lgWNp|z@WxaODl*+-{wapCrbKq9~Wm&5H7TWP)JYu=b`8 ze1OOf3cy?Qn3DY2i*tUg1M0{7LcQNqoJ6`BZtK7#slzLWRquV9Xe8jYNGF0~>=u^Ru6cBr>SMr}e0i z@280P^uam>NZp9c$0c~xRp*OT!TmiaBp74BP;D6k6u~5Yb2#vkN@7G3<(HA`!9I3C zg+*#z{oko5fc}e)f`6$fxJ?cW*4;LIP*b0KPxWBpou7N2oqJ|vn!OMMC|tGr(yNs&doT3V_6DvEX% z;}a91$gr@XEH}4#8&lKnPVS)8G*aN>X_bwa%;-Bm*;?CPez*FwQaY;Wk)w_`KT!21 z!vhs@($Y@4=CceVjQ@jv0{5)q(~BdK^AqA;s`K#z4s3gj|D&w{`v0yg`0utAaQTQo zdcH+Z-xZu{$DfZ7S#Sc^@>CYPa2VLo&z;vyJMl3Fbs6TLnVP2MX*fOk2nklc7#dmd zzf*;FAuy0B`EzCH-fvt}G0}Da78tFx2nF4zg`duA-L_`2VRSw-SB+^e!+wIz1w1)j z`Lo-APKN37$Y3CW+;QKbeJsCyu-Je-sZyktY(DY)3S%T4R$>(kXgU$&_Aog6N-%mP zlC5s!?|cJ>qlD7R^Lo-yp#pG|@C1)rXViG|>Y*2($H@aL*xZ2nkR@hRlhR*dQyI!f zBJOP3@_H&o5ZT=ak*V z10=DyRxIs)c79!|kNE_NNVLI=ReBB;HH$*MNVuJRPvm`;4~s%uaq=`^Y@ zWq=wppiH)n{@$)*F`W4>j4>{!uSPFa^1-1iGK}T^s0?acTQLi#j8uW$L5E2hOKDJ@ zu1ySvr7i2@=M^Z{f5^oPKx*&f7*e#kUh6)+nCXz3IMemSOH z`x1XMARN%r7hs^$#@9O%)wzVA&Dv9|J-`0qiIb z>gM^0(15c!1_86&d*K{_6`&LoYc6Q;%aLq?0(DP_`8eJR5l=OwGV1RPmehazSkNE< zZLX%QFzNIinSrXH^&>*J<*r0A4CKbQy}wDBZ`;*A|2EWpP$0-?UP~hlU3!3Ky(@wj zPw`(o9ed?{7LL2`==Z_=2RMDUd?gURJX$3x)OMO&HQ-E@*J*GsFU|G52=P8@N|%N< zIHUd;WANy53dXB2Qk@rP4_V?aWMEUJx^e0f#R_D)Th%ykX=teA=V6#GQ(j#hv#~vV z9?VxzTW_bO27-q4VXFs6*($jj<$asw!&RhS5zZDiQ*Mv>@Hm4IG}%KtKcpL`pzf zy1PM28l=0syX#Dz_kF%|zVrWM?BP(+wb$NjtvT=ey02((IKdC|k%Jma$}0yL-MA@@ zb$!x6S^x|L5xkCz-ioCp%TiXG5MbA9_@t_Cwiu9`@`}(A9rkhu-{-`~JJbviVLgwi zF>+tRmN7=QSS_T&PI9qAK-?do0|-x~u|b3&H#)@q=Z_ez2DgF918gtW2E7f@#2Ri* zu>~LT0LS9lZ;p;onK`vorL%$IJ8xK5H)A(FmAOn}7VsV_>7wg7T1*>O-yd& z+pdW{fU2ca5m@yHUm2+U$Gjm-*4sL1vddSFG?GjanraNnZKpUNU!O3<_`3NQSh`?% zOS=&Ofze^ij!L-|oy>7)Z%8ix*EE-2oZ*)UZZHlCGw6SlJCzqYeVmbBQw;)!=oSS-#L_) ze=3J?(J;#K=$pYF$HTtnVih8qQHUwE=8ze=Gy=yg^YW}h(^{qSF&5C;++D^+*WAM; zGBCa+YO~z8Q=e~u>TQC98>axKZx=OHbtP+6B`X6>p~rniCou1g5dvXl1P`3~vbWNM zsUTAMX_AepwS`p|CHG20CM-yWQDr|D0@mtz#{-c+;mgdaj#O!TCL|?u&OiG0j4S^| zc%<#6i8AQc)!j!xsDzUS!=G6H?e5;LP!8VLJ7$Q2!u$UCw}c_=(@<;ei9m`-LCJ0> zTRU>3`Y?|{dovIF^pr*luXCDM!~pD*zKw~6L4)VPQf^e|e4QgBIsM2(_e+T4Md0ya zsZxE_ecDW1eD2V_znGJ0I}|Q-F+lf z(d%osrd|8W*YV0((X?+^xnbJPK3YSIoow5~Y>>bKKF0x&rfF&I#3}+oio@z=ux%_| zNd=Ruy*)-KIc#xxS6xBF8M<4aEBTkY5}DoDuzkaOu{(7&x`nJuRAf4+dwg_08g^x2 zVd1sBTFV{zvvaNChE0Yp(rT`%^Y3(-f(@k{QTF$R{=S3|MreBT@-4{~x2{6fAkfYO`O7O9sfY8G z^W6IPPY`<|8#II_(m|dbv9~+TwY&3B>KeDCpsfS*9jr55+21E3MgJve=bBwpA()0G zNj*(UA6+Fsy}aK-`1vXFs~_mDjw%Rin_to~>DS?QP=EOTwz;iy zfbM!}W7D%TNxKW{IQan(jNd!$gL%7+c3_IywjYLf+jMfX3o(qqnx4D*Oy}%|pTa*& znWi~;bk>;3UHPD}UQVa}BtY$**~H(rNx`^|)ZW)2ZP}1*PBcxEJZph%b{%Hw={82g zPFEoD#KGIhuO8f*N@5&bk~yXusXAf|c-!U(zH#~9EDPmvMKfvpT7Zo>L*1S|qzU(@ z;=Ok@F}GZ{LI;LKYJ}s^$#v-$QM6yO83P0h4=H!18ZYY9oYe)Ru_zWp9=-zX27Ru}j;?@oaE(iFHJem%K>8gt=`4!H( zSEkwFHsA32PY>UoT;=K4rA#u8Ai^WwaHiBBb^UEc*NtZg0o-9$_x`b!53I#BDl~3G znaX65!U8gk#d$+x>xefEUFSkD4zc_odob=6DN>%)NaX(}rPQpbs7j6%N-u+w!wT}~ zga)XooGad2Q)GIu0K;LHcYKbRcQ@~IO+*<5PRmY`wGwdApM5em`57I%vt#q1?}JZT z*8hyv+gM{ae?=)g(i#a4UDs*hE9tg7T)YIcMFv$kDc&U%Z%ZyT7ZrkT5!fkFON44d z?3N950~Ar2>#=aY%{z&AU2T|>_zb6zveV_#x-eeDefRMs3l!vEI8g*_> zNl9!lGP2CRgcBVNbFMH^z55mT{zJd=jiTH8jVfB4aPyEKlEw?(&CAP~J9H2>OKR94 zV}6`NB_~Y24aaGF_+hZW8SzOI!5iqded@KP5BV!`?z&m1>Nam)tv4cH*Wc`YZlO(| zOky=5mq*VZ!Der>!=gDP#$P;EHYOP8SnL+7sb5EM9#J;>pDg;fU$c6!g4@g2={zns zpNEN-SFq|`oJ4E~n-3&6-a;$K&KSXyt+Q4$<7eBqc=7REy{ZLr;vOdYHrI32wV5Atd9^WnUPHYUtBi5*}KjH394=xdK@dbTy^efWo8=JW@U3tHxI$MO3K zzQqXcM76!J{JvElC^IUpwYIt*=&~!7srXemJtN~TAtscMPaE#-TZqbPVnAS4`&YYx zguL11G@F3S!FcHqbAFyXiwT3Yq=ZV>>N_#id!HqOvtu>^TVCh&ACj5d|M=b3jt}tn zvQM(kCN|%&ld?z*j@c~ zl^O@>(H8cT$QyDGOHlTi9I+mGlmx?k5-B6`*?B?ZhdLs6*ZJ1hQ?*yz+_Sh!e;I!A z$TWJL#3nUAR5s>?Y;5nAe44LlYOI6vwY9r!w{J6%!6#1nKHE5$6X=-TpTvSI5QeXq zs|?KbJAQxcWp4eKqwLH))XPDva)S8r+6mEj^>nr^+m< z)1{5%&~K4XwC?29qG>gKZ!;L5i&^*Jd}H4)D5sUA1WYM{+Y8-YD{i@kWxQ=G%FR|2 zXTCV!+RT~j>OxpDPVbg~o3)E)1$A2bd>`oQ^&TnyT-aQPcQcJpOo3~?vteMZ|Jxls z>Sw&xr8ZS`#gWVCG83aHKkh6`fWpSZajBzg5+U6zp(Pp#OExDBg}d9r`QY#gD9o<| zpYVN^p{L8;B*qqhi(WJzY*@bOHy{2gj_5Fu)K*Ok%@oRSq_n9(bE;-$skx(~<|!7& ztX*{Y>0SQ>UQklhN62D7^$^`H5;M9#9qEd*(Pe_P^z?KLiGboGX$;EdD>^KRaJ`!B zd-&9*U{vI@_ssvsu_k}8TOIENH59~?WmGIy_T(9f93hB&Aah)0fyp18h`idvy(4}8 zYx-Jhe?SE?N_vWcf~A~qNiWXr8Eq>61EtLJ`# zsY5yR1eGmD%-d=iUy3{QtBo9iuoueUt-IFGqYs(Iv*94B=lQXHod;!j zM{4C!QUAiM*V~#gI8@RJSvT&Ns|L=#AF%=E=oLqF?(nH*Qyt&pA0yexKu-wSQ3qU~ z{*hq1w;voT0l-l$!Z;*#h7P|Fz%<{?!ORpm1y_=UIp$kTY2#;^#&TaM7dJMKnL#w4 zhRh6oE;s**1@>DQJw?I@KJ_yV7;0d{^LBlMUukyy+2cxSNrXf5n~m3}dtF)J{Ifi) zldEiEXwK{+?rMd3iVFnLL)X&T4OiNu_lH)-BFW4##>OJ>uv}^9wK6iY0Le_BA4$gI zWCp3#D`Pw|SpmQlNIoxGF3K@I9g2#7nZVr+D@GNlU>%ba?=G!k8m4oqcwfkI`@7_~ zP?3BMw>r=d!%C{NIw_3TS7XL|F|I|yPKjhWQZS3*oV>n!iy@}Pf|`Gx__I98-OIrR zpHU1ZK1eM&NUg|7JXFkgi$Oz`^r5a zm`>fBj2`wGE-2@10L;@awR*p0NZ!SzC^*<2`KG~3R_1g_*XPR~Covszr{ zy%rdwy9sVH!Q{UuBCrKdWMltgft>L~;bzNFSJRI_>V*u6kokrCjAjePPs^4 zJ%2$i%C0vee9-W|u#mnP>Z7>kWNc6!C4S_^9t=Lv)*U^}Iq#rzj(x8vxhx zy6+y67Z(a9m`S^$X#MM@CUa_Er9!(M@kpB#_?z{6)zpDK|9)`p$&(kTL4OSNwTT*q zKfQr(L!W_rur&yeSL&_4@1w#OoM*B)T|X_IceTIQ?b?bGs$GKc5S7bGc`v$-k1Cum-@uJx_xt94u13 z%%+#bj43xwo%9Zt7KBzZc60)96wikjRa!%6F9qP>Vrf;21@MzR ztt%*#B#An*8Mc1bPWq9MJ!|Az8a+oa-GHTGkNldG8b|BV>d+z$*m;J@sQg^^MQOqSW4NMn(z`BjlxLeoZC|Gu^W$5L^zY3$^vusNLIPD) z1@Fz#v(sI89@>#tclDb)4sfZu8E}G)g`>`2LEdaaJV%Wh5^VBx;XP0rhPTXvJ2_4O z%}c;?bS*KWqSguxXQpoEOXY=H^>94xg_-j9CiFpv(3<}61j+lU6Q?who}z|MVcS}h zvBK-IG1eC!#6p7$L;m%`f|~QmtKfxf5i$avc`Mul50JjD56BxbY63thAIe$AcfZBr zC*Nhj%<~21N`L5AQPM}aMQ}qR#}za|C#*2-S{Kib1eqx=cTfxNjMLe>I@8e89`M;g zttt3wMYmV3$c`h;?1hpbUcsP03kl7TVAr}Sfk~*mv*lfO7}5L1<1wv>ly-pzZweM# z*Lhdk^ptijjRc6rb9fQ15wFW9h-us^FqLZ;&|Nua-R_10CNOloOk0i)P}gjjt~4CrJojB=IEJ=#3)lJ*^;7% zxU<0ntCk`z2Z}NfR)yo4e=Ip))o3b;whgu)hwJ0Ua<%j?7dy9{3~TyU#~gYn*v~rZ z!?i~z)_{KJfXB!9)1W*^j_99>@T>)aOZfSrY;42C|1xw&qkiMA+-z-`L4-V>ApMLudCw^9Ki8o|J6c;2hj@NsmdRC(X)P#whoq*RMPcrjI?`!H@+^8(?on51aVpnx@jjQjGBfk}=Agu`$ z{8`hbWoRrR$;4#M>*kIoO`g?xmHA<|JP?Mc1?;fDhR7126Itk6d`ivc z1F&b#X1fXd#f8K6n_X+8RLsPm`#?6gXEL}3m3%qhGP5*?hoKoHqwJ4;(2KJ)wi#s` zW#r~pX%uS`{M}(f|C4`qQcz6^D@KT&eUyd$9~=8W5YVA86l@seG_mABVAWUm zivps*P-IO-L!N%d*o>qSoQ^fBA8d^6bM)yfYKtz&6LF{|1&Xez`Rz5e;ioe_t0DS# z+>Vv%Iv?*4h3rxEz7l`fbPTb7vk5UFlKQlqEPrd5<+!GG)1^Z{LaB^@p> z7#m}QPx}X?=Xa;0@x2T58VE2pua;?*&}<*JyrIHph?CWhj)VJ2h(bes)GM;W+Fd;Z zhD@6U|z{T3E_O5dumPcTQB#?k_Djys5gzg99!p1+r6xLK?|DTr}EtEr=7-a&m~ zzzX|ab54bx`d-&77Q?&G%Vj1QEeUvAxx`plaX?s@2LzPS?EDNc^u(V;i9d@v^udDi zXH=aSM)4AP0Xp7>f={Xu8j_x#ZT~YXRpI4_d!~&lrGz4b(JzYI_$>Mj{`T0jfS55h zGExbxd>8G;z}ycfVgEKsEXy=uz(~t)Jw7mA-$T`>u?@1$0OmBAMyvgLr6PCAY4WkE z${f>XGWJ!~l7kH516?NeeNk%c*aeSK>~J)sr8sI)V8Kil-?8^b^p6 z@aMLCn;^bq3bMiEYGt}ur-SjOxR`}Zf)7u za;d1I%14*n+NhuzRHRA>7N^a(6c=6&tvIhlbE>iWki=#Ao0%&{$fbgf7~p+jncevu z+p)Ab(scC2)1J3IFeYem|V=gzCqzHWSI;%<lcwMGKZspZ*VPPL2rLpyb1a)1Fy$(8Gu%LxP z+BX}2W4LlJq6}@BHczv*snJ84l6dG@w)U^0>M=2t#_y`m%6SQC+4p6o`%PGI?~}v5 z{GNe)F*?!=gE7k0zjJR)J*8kw?9ix;_y9bpO)(zmGW5BCr}RY%SuUlnjC8-Mocy+t zsr$}{29H31mI#Yb9zRL9jlJu}`TFv-LWi(m)H6WT1o!QfX8f!VIvUVCE}#2fVykBC zuTLDbgJk$8VdwXYB|q0<8gOE4SHJJ{0AH>y24%|onhVa-{XgGLBvZdbmY7B`-^_S@ z-Jz58jWw9OqH67VvHy$AvLVs@dKDdp^H?;)6!X$}qOW zukGX7JKf}>brTAM(pB&+w_Ur;JFljr#({k}Bl&lRTHGSQt8Z(3fINS6WJpnNdYXRp zp&AOmEwSP8mpyTIwc<4E7#eSI)LMX29wrA(-hUNd&Vkbzqo#2o;BCIGo^uFnZI>^G zB3xK$GF>MYV-nB7)(%#JkEI8GxL5DU%>jY$D$TudC-0(^sh`qnU|n% z(chFiy4xtX))?mNNJ4Vz*U?T5%~ z8J)hoA^PR|q&d0Ft~()bxg9XBNZw`hNl9cYQX@CTU-uSk4W!H(T3DG_@>YcA_M*S@XiW){b+_n+4prNy9|< zhD)tw!crln&hNG+GB0-cXviiXvdJBrlbZ{ESM2^vZq9ROV_Bzbayr9~k$lg=GS%!@ z?%&wI;UVhACIswvaN&T$wN^V_>gP+%xj@BSaK8a54GUC%~4>zr* zCiMgu68jUdL=E!)@%x{}Y8)6#QT+W9)-=jg2M447#{32!x50%FHL*j#TvHLx|AU$- zi-;cGM{jH9_<+4f6UYDAtpm`nooYGN_1}S=1O8W>F9AGxTtovrN?dUnJQj2vpsYFp zuq%3v^4|rDzy{zyUAGm-W1;tm5TFMOa4Di=`~KOt;N9N+C!69y&Lk!}SkZIP+zbopQ^z3*KM*Z*nhtBqatJIPH!t+>IZ{!k1}$ zIatS_Wjtp$sV3$h8#jm`B#4cUbzDDgT!w~U2*`=SqmL#Q&p6o052D`4>23`V6kGdx z8Y%B~;G@L=QOMiDc^!YaPdmvY2(2^b<8icDAcrhiLL6{5@n-Wg0(0S#|KoU2g4Bs0 z*|SO$^FodiT)KlGq6SE;{gL(STi>teO6&az{Q8@z^OL(W-Ly1kCr+aVEHg;% zL|l&kLKF~NU4k@43U^jQ0Rk>kTNoJ(f|VK60;-Nq?W#I3A0H#{ z){n}f=hkA`iWtMk`=Z&C8hBT=QxsWinIhiF;7_O_h6YEciTJG$$c(6g~utlNIUKyI)U)y52!2_%P|8 z+yb;bwkvhUW4!aO0=EVE8GQP?@@|ofhX20i5>7ucaLRDU&iVo%7hY|vD8+JT=ZY>F zM9xiCO;MMYqBfjh;m<;8t0nQ0bIq1`~>zIRLFY}ej8TalWouJcu$jEL1Bq&#ZQcE_ik-8MNYslzWyP0eby zusEO3SeY1>s@Mge_RL~M1|wG*6~=Yd0UE*HX2QYLkz@+fqy~8&w}8`SS1dw?>^#v_ z>Z*j!30{g<5{zGu&{(hs4ujJVtiht zk>V2t>cXv_D-&0Sox!Ldbmw@UZdzDIiVK6Hb`%(96fPfCR!)LqcI+vg1tI}9klQAgG@+5KOi4DH{2a+RJ$Z61U{|Pe0NhN)lK(RYCxi&0dM%7 zdQflc$>TD`cXZ|w!RcrY{HGH(+otuZe`lFmFVqojpFV@Z&LBS2#LVpMa{IY5Fa;gE z$t8w`NJ-MuOT#U?n`^kc$Ap&i!JM|ymzQ^$?6+?%aZuwE<3B-(9Pj>huFY27ydDEF z8^+_!>4;cV*@*MDlJS5RPO&j3|8d;(rz~}H^WE!X7kuVrr7zm4gC%1hElnv67C&0 zHDy2K`d2=Ofv4v$<%W79epLejniw*L|F~UkqQ8iPi9T46Oe7RNnj(oN`deDN$DKAx zyZRb11Q^y&A8UlBf=hd!3Eg)aeR}L?`9oixdf+h3so(63-_^5oluNj&cj|FiBfmV< zXU09jE~28N;dgbY&hUo{LHQOz%YIvH9s?dSb`z6q)Ru(bzol^cC8Q;B`Ayb4SZ*fi zc7IKRZQXfAw{JbB9M>s9@(KPue{^&L&}A{Diq-2TA*jGuX#lc!z8%w?#Qu#DOF`TS zEShh5v0%X5@oyoC*Y6bnXoKu2&sW1hWL~-GmEF5AP4>4 zQzKkC>s|>hsW4yZyOz63*t)rcXiK5kV7nr21fwEVbivtDkbZ<|Wx*;QG z0O=I=TQ6N3lnPT}ZEagjXzBLn>;KzQrg@TB@fw()F=#{b+L~!?#zB|$JTogBB>y?% zCg9d5CguGiP|;OU`LY6@;6YC@{+BeVz8S)Qr%NOOO?|LV(_!GR`uV?OC?Q`i&c`a} zanS?CYn+TBJZ9VjDLh7;EGaxiTyYm1%A*G!1(dVaWm{f)>>kZ)U0uc9PFr=QFAl!u@0U994_V66RM8M7ytWHL_L6KXgH|F9^$~zo#&{DSW2I~@-n&O z6!hzVYy%#TaX5vh5Se{|AP)zda_40y{yfP1_k$6nsp9i1I&=f&f8OTNuCKhlxd-tK zffSlRO+@qlqMV|Oh6<@k@!J0PRLUSP?-LRlm90uG3!cU9k0~TE1T(Pz{XQ2@uTPsss}jEw{4zrP-*bXF z+BKAt>dLSTg`u8@TY8|Wk9Z0qd3I)vgQM!U=eLZU82`v7#7Nm2s@oLh>lvn8F6Ud_ z5-U;p?@54GA+at#a?CD`KXGoZqcF-JGe}g8F<$?ly>wzKzBx4%mrNdebcKS9yT1}_ zx+(QeZjRFXu#JaafhtV%nI!d;JuCZv9fE+{q2|85&xg5eI8{|00v)eDJycA$A1TPN zruA3?yvE{sH9gm2vD&E##pI6FjWK#e1cJkkFzN0{e%(8M$yk0}8P@0I4h1EV|2;jX zKhThndko`-bm4E=;1=;^PH%YQ5Spupagam{IK*K=}~n^nN1cEIaEmUxhX z(N?`n42Hq5eX^BQ@Lx_Q%nu|6UA@f@sovvpWOFHK(w) zbD*1k`wjn9cFMyQ6VkBb;jeuJlg2GofxBC|&cp7h+CXOSUiMj;hP1rbry{K z-gop3iG1@LLbNtLl&wMhKiYgE_Gei}zT(5lX z7QY!#91E9I)n72LIp7zaWT6r^vl@t_ zl?r>DFDG3n99;%fEdPj`qx$l4lilf4H3!YoZU+xWuGi(_eo(lcg^x_2kp0Sd2K5RO z>gG%?lp;$TE8W}GCnq)NU2M8uU%PVWrH#ioi6)^i?sobCgG)BqNAOOad`05G8_MY7 z%U;f;O z+JYjRxh|~AprPmS8c*u07#NFlxZQRY=l->|WZ*p9ZixGQkYJ0DqlmJ$?%UU%md#W= zC*Z6;IJ}Ckup*YrwlxWdcHeBH!7xp3u?Q9;qqMwkPucLoxP6QcYRg5X$cFzB=>b@o zoZNJ-mYB!t)8y?`#s=ejj$*FQjXM!6I!=vV=kB7PXGofYufeiw*SziJsWZOn@nWge z9QPC1B&NfErBY}anA4ZF9L}7=qzY~$=HKnHu4A2v<^3;$J9 z=D3h+N78T*+SSY_v9B$G=jelY&%GIHp^w-zUfdczu$hAO5N>bF25kY6lE zLroQ!s@TvF_{DX4&Q}ng6!V$#pGUe3Ra7qVW|=xn9_sQWM>3KX;eu^4#aGfw{kGM- zZ^?-Jl~lktNB9NhS-m@DT~3X3BQFJm`}J%JWdyO^{iO*pqiLaX3nW@a=9c&D`~QQ`d#?;4&1_|tO4eD_Pgr{hTou&>Ip@HyP0=GQQdf~@`% zpP*Z>CjQ*tsf&J+_ddX(EEPV60E<^%0uF(|Hbaw4S%7KD4(`v$C;`lZY#A^34eWD) zHQb+X`GvaKl5_zazy7VR#^bj=bwcnxEJ3I6cVS(&u=ah&-|@J9OKGO9;Ve9>P#uf&4bjt}Im^}C=uLY!SS2miiJL9LdWk=iGNFyg3 zEt!JaDwtUI=h-GZrn2_u4`xH9ykbjDXF_E65L)Xi`D(nKa%z{ zp}_g-BecmThk*#AeuB}jBzy+@y9Z-@P76!O^VVW?+Sm1pxmH=w`ix8R8?K6*S&a+? zuen$s4)>cBsVDSZB4uX#mns4Sn=|Df=LX)Lp~ecn?ThEW9i2+t?&=!f6O;LNhIG1h z`p|4~=AG-evpQHsEw$ft`$uM)G~`({xlP(rTSR7L0ntRyl`gEwX9sz~O_P7EI{YAI z>%aqeP@z0jZ;I-JOyCcr6GO(sxT`qL##IFI!UoK5uDRM>ABGcyS8>_8>AhW&gkcdwF;|ls@8bWd--P@U-?6g~v>% z!J{~@E~}*G_M#B!VUDl`=c~&uSEdj3?=UqHa@(=G2L|0*sM@^OkKJb<1jD4s^U6ps zG*PB29pr8c1PUqK8}Mu5n9fYgp)gOi3>>>pS@JW2?P_z=OylRoIZjFCdt#P!O8*bV z)zc|6;fEH8;Hw1Iqb;rJ!+A9G9r+gtj8k3m2iXVN?Xy!4I|;Q9yS%ULDavva^5Z<~ zxXh~d7P29w)Mg}B=I1-Kax<5;Rlfs+PIMEe&J{SjX3q6)iYfDC2-T@%=|3mJdDUIJk;^k zJn2vd15dXZuH7{UktLoUXL2kF$zClzVlWy|P=Wlj&mM{rDAAvFJX~1hD9exL#ox>y zbKk7=k`g2N!DjCVT(2<*NL%So0G;c^k5NlTrTj+qIe1lm!s$A z5G*yLEwXnFvK2T#vE?DyEkNDVMgUXc?x7Zop@!#23PEF#!i0;BZndBeUa+v4!Q?Y4 z{Ceypf`Ys}i@ZFy?QCP?7!Di0yb1qz`{tVF8iAFWxpiNdYo(R;MESxc94uML_RSMK zYI*{OyyK<+mX8)>S;&$`6715KmFW#Y{5P8t28s?8Ff&K4salbQwXJw}XIJ4gc}<5B zWg6pawU1!zR)2Nij|l$_f9i%$m&(b1La(?k`P(5fjYJ^bIZk>wt-=JRxKn1TuhCTK zE^B0}v7Af%i(#7AjOAnXf+)`egaVfzt`w+ZdM@Gh{Sy)0+fbDr`Tkxsoq^E&>ooaO z5;*w*>?VB0Aa=srviynQ+dj>1Hm|T;2AoO(KkXI@Hw6<_y zt{1VQ=t59;7#kR^qHH_$TH)Z{rKeR7C{&Kx>h?mRtBdx)8G0b?=s=WKZPKN~)M6dmY=7}Wr2sNwD{(Y$$y^sRyR`O(QEE%3gX*xB5DY`g!4tpA+Z zhj?NMC#T{Ez}^>B%%!=cP= zPT{b>-yN!}t5g_HL#VU9JJ=k_>Twgo4aJ zQ-cBl!};lkTQHMJFE%N>_3mx);NwIktT!{Uc;k5CoAm=<6>_|~z6+u7fj@R~{4Q>c z9Cx35NtclhrC$$1sK|k&fTW*g!Eay}p@TG#Tx*w~7vg$+8g}UCn3s12TijVwmcR7c zIX4vPFa|kWzrK&A7q_CIxwLLJA;K?J3!Fy~4khMy_&^iSB_`G?cfKc4!0V*^asGW# zCwkx-F@Hd$(5oBitet#`!)8ZsC{L#_sN`jBq;vqy#O^MKl4DCXJ?K})BpnPkTjiZF z&=NCyDay~-F)oDfu-|Ijgg5!j{B6;@Gd16Fygu!yTiX?|v--1mv~8~f`((ajXnl~a zdsTm+Hmc*ewykFhm8+jrxIPT2x-@OG74CXv4{F0;l9>)eKgQ;L2>oXQBM4X;0cTzJ zvJEQJ^Sb4!e!j);Gi)UzyfPWgG7p!;}VS`Z)NC2K%PU<6IB8lwG@bZLw_^ z+*1P+aj>vah}egQ$2UY*lP=V{f6ekrX%TyFuU_w!9Vpc+9SZSUN-rrDQ^yWmn#;!$5W`>Y6Td4%_FVfM#*bI)sZ(OshcRuxu-B(Fn=oM*y zr^bQ_zKd!;z_uyqc;Z{=`YzD+4GX`|HFu===EROM_H&G2)*8Jy!|b9$ZEo+st7(z0 z=@WNN6Me!0{3MNGDK|?xmVhVQlmxM4Wr-e+?T)Fa@D^cvj!fImJauPl&TuammAmp# zd3bfQF-X*C)I!$pU~OH<62u{MQSPJQM zzrt)PrBhBXk=N&wA+cgK?JGz&xv|bWqWeW)>!kQW#Mwfw<)m_db27gW6&3`QZ%!N^ z(}*GEt4Ns!AbP<6Dfys3VZ*0cc3a#ba5u$Lu(xV|m(ot&T&03fRDd1CX1QJBoOmvs z$a;DAbjC^hbzn7~w?uNCRB|0M?6<;#ct(?X&F9l4(ya_~!4Wunjg$I67hXzV!f$)V zy6u5Ckuy%wy?azrVgEfJqy{Ogx}e}=jaOz=S9`_{q-mH(zyZEx7l>G^wiZvU?o+NZ#Sjx1Ru*|$!so==V4~HR*46uUf~8D4d7tB!NJWQ zY{&PFQZKo!XWOSJWq&0x`Lu(W7b0FSuf3k<6j4`upNS#eo0|kECN!TWABREHe*YBC zl=7zVVOO`pXzb`6&-`W$e>rACQes?+-e{e5s8sR=F{jP=w_wuJRqqKUtss12LX9?@ zf|2`a_|86?) zX;4+6OhALd+LuVE4T+m;sxiU>y6GQ1!07`yHK3k;BjB#@DmLt@1No98=uN$Vc%n8Af{zaFf5iQ15`f3(Q>{dQE%v&)p^yo2xfQUGkeA(2eQdZQnVII z&|z*^iP{}2IDEx!$E;(mqjuYy`~W^Kk|*GIUa{AHp%yyUEXD(vzUvWz-KjfvT-!Gm zwL(KBs(^9xF}o<+WL-<^%~j0=syyHSA3GY4@6aN7QLue%w9m`b6Y5P)@~4y5b1|3h z?GbP!xA?O@1_SuEwEJOyzpPOuLx5ta*F2wO}le$sV~M8FoMv(2IOr1?#}R_Br~;e zoC4YPVY+JDQJ!~@jkNBPqX1gxkbm9Sooa5=b`Pz4_g1YyKe68b3+4GO*h){=>aRpH z=WS5eDXujMRPk-&*6>{!Qv`H%x|&whrY|{xZ1Jvcuj>a_hL*!Qek1Cu3Rb!7^w;hj z3EiDXS-=@^Fzh$RGvQQ+QgVJs8x0lqRa&Yx76d}=Q)KO2qcATy$kfc9-96=b^9JtE zQ4M8;gTs79UoIvR-(W*t|JtZd&3d**?t4lJvf;e52OkzkWe=FWD>Jw9mmml57ILB4<2pIn**dX0_;XbKb==0S zsUDrihSol3edD*QC*4DoKQiRL;SMRCC}yxB`5tV@iARKqyE`l|h4GD0pbQ6iRy|x9 z$`02S1hCvx7wevk6hNVr4~V`tN&b1qwh4)izbwcE)|P*nx8d`tSAKPj^!BW*u3++6 zfJ1fbT{7wysjuO!?UV zmTxei5RD?ia#$0v<1#w*m8h`1z4>U8UciQi>>FF_aq%|GHTu#%UJLjTAi(4>Q)+9u z>N$DPp9Q4(U$+a$Sk2itVgdp6h$+M2;TDs_X$7!{&BHn0<@1`@_b04BKNvG@x2zYj znySkG80P~G?2{;E4;JSY5h7hIE=B2ji@Ld06APHTtc5bb=30?VO*it0t9K@=b81$P z$HX80*l1PlbGmQ;f7X-#zuL=%b#O?De$ltXp-$XU3n5=Zx{rX^hUIq z1Uj2PkX8Ah9kRpm+t|oT3?{rB_}eLfKiNzfC5SY_D;U9)M49?J>T3 zp=k|vm?rDD@zSx~tJ~!G?AFLu3lkmnBNHca=3nH=`K1WiO}>EPO||Yj%qR;eo{^pw z&1&I7!AX0e1=G~$1Oa9Q?4<}eW~RBw3NCV#O!dNz8XWdq4*XWEb!L3nyqBVWW}j_C zcGt5pE=frIQnC*}1ez))3&Kg}U*YI&4J+z)1GckM^|?=Pa}vlT0LqJp9_u`z$nU?- zR?W8o-KC;-w=LTS9Tq#7fxXO-ZTw{abH#_m-?^F{DN% zXaVIOFzzqMy5>)^UP_2}D@HJ)Lm_0Q#iCOh@%Nmr1pcz1@S%WdH@?=<);t=yJ$iTT zI^}*Tr1arqy!NZO=vRq9eJ)Q?ngmz343JOiw_5xhsh$sgph#ZWa z`y*K*lNqYOvc>AL2n4HxI+Xn~FI5?SZZ3bSJUM*Q|Mq8D$ToD5g8zmH(&T`hPM=?4 z6y?wBd=bkvc0i07^LvQ z>~3fK!J#@FMK2Cs)jh0^StO@^{9avM@BO`a=iAZUHl}~2(n-L`wrdmM zaE-Y;9K`%m0||V_lb+4k^mP~&N%MMFh(!oP>G(|>iNmEI>%So1obTyBx|ONKjM>{i z=jTs8EDM5e2iMmrrksTkg2IKPV`61excO;mIXH@8KvzQ!yREYi4YKXrV!<&oSvMP} zE6(ZZ>(Mwl5$*4<1rdSlYEu6n;@$!%tNvg6U4(!jAqXg4f)dgoAR&Tux0E2=Asq`u zL|Q;VK)R*7LsF!>Q@Xq3{qa1{fA9U@`@Co7%zI|unR^&O@8FKLzHwcjibI;-jGckO}= zf}S?RGc(7>c~77(ol6n4Fu(hlSKtbE3C|{Z)J=-cnTu)FWvd)_dU`s#Z!xH%{)m-_ zJ`^Z4AH`}9wGi|)s0p;+vJNV;^@p$Ez0QUki>cj7T|>hqnH3%`8++Sx7QzI@{K^}O z^UGFqVlFFE)>6+#Zpx>RDJjQCM|0M!Y1oK@qfQyqb8oXZI}F&MFC7L_(RrA6u})1} ztEt;%K|RyXFEdecbE-S(hz-0EuT13q`Y52&trPfW(#7Ts`v9bMzTgtDg@HV0*gFV_ zEG5#5Z_4wDxhi{`T65+_GdjKw1xXCnJ2)2ajPm8y))wFNNgyKv57)bjXUP#6OrLA< z?|=;ERv>5L%L?8BScow3mOZ6q|BWe1LFWhThRaSR#?m&nGoSJS|!`CM5+A^`qaLZ$uAQO|f@IdFZRTQq0WKX1N-*)#3)L^5h(K zSRs&nCjF40M~@xkPu@Fn*hiO&L$mpn`bP;|-r){dz>LAe&B#O}KME_QslqV-Wr)Dq zbsYIRx3e_FIyU)BD6=1lnei!JU^=jO0aD_zH>l@P{9E)P9H}&T`vp&$oY)3RgC57M z0B}f8#M8w#7@P7W&WehrE212t@t^AF^LJ;H^QF}Q75UqDBb-Aw{WFV(uZqCD zbbsG$?}q4z^XeZ`y3u@TPNo;1ZNA5IdgatM68LGW{;?2^AmlpOXw5fd?5iOeFOa{aQq zuelJT`G`j}9e>zOZmREcx>D_;xovRq`{&LR?8GXM1!3jG!S@cxT$G$*brZ>h6~Jen zH;;iZw;o@4bwBI_uf|vc?aC&edA)4p5*fVsZOr-4`f1}A8#Sl%K)Hj| zqW*UMlsNiD%k{zqzcr->9oTSfLMpB^J8MxUk)u-S0=oQa(VaKZ(Eef4`P8-HWD_5m zEn;NbY41!R$sL>euK$BK7Y%3zC<%Qd8mCwL*H>;DZ))Auwy&-2Ewq{{B}#hZc>(U` zjj~p;(N=~>O+|ReB1kV@U0d(Ea{Zy0y=Yg~)h%tMB~ZT{J$o}*1;gFHTcN_O*=eAA z-nM$CW<5p3Z`GELA*S9H{Z1W=RDj2-tMmTj!OW1IX_y1Dm;uJ`I1K3O;uH2GF5B(P zbXQkiv5>?B7RQf9OMam#baHVwyEEykHDrWH z_-&)w;XgZLO@%V$|5e366P%njI4D>o!m7cTw?qH zOdZ?%2ctn#`@#X>vDY^2sz}PUl0U<6l&PNC!|1R5oI?fM+xvl%7rw(-l5FfF%uk*v zW!~Xr>r-F`iLrV2(Ga|TCRt88Wz-hO3ez5#Aq$782X=pKLlKcCAQ9rzptjkUXpm@dfE=HS*z&9=^i-% zUJc>g8Uz6gtVSEdl?}s>vlsPWglSg@BQ=5K4ATZEgiOapJJ!xT;A#{ID(jKP=-zyj zt|%%>ce1%Sy6d!*TZ>B+86K&&ux4@flSoM=BIk!Bg8tPe(|%B@L5>Z@=(2?J*C}cf zzNdjZ-jmArY-**Z<4I)&WXulJwXwHFSC;M_A4fcWfSN*X5EaR(^lNg6lBN%=kdmh^ z7uLpM?wPob^b7Z>Y@p7RD{&F&iv9dYPwc z*H)@A>T0LJMQMPIS~fnB{~)LCBIJ|9+UoqW7WbK8M29nxz0#F4fY+7O>mWm*o&Z1@ zK*2CI)SGG0t<;sTsH|-HGBGcJC%-CQM~Q#V+yZ0+&25_Er;?B(xPOHrdC0VB^H`EQ?^nlL;*nn!?C89 z+`5$I7s?tVji8GLJz#5{oz=Yh;qAEW2NUwPCxA74f~ zk znQrMr>Ydh+nPl5>l^6BP!}MgjY8R2$L9zYzBwRinNtWuobu$&}c(0}f9l!UD=)a{=GDSaY-KVPmAE;k3W_61uPJm5?=In277*VK6X?59M^2Pa3O($e1Pv zPJN+h;711Yk?fr^8pRl8+DusSSFnyUcj|&Nv=J>!jf2+SGp+pOD;PD=Ml(dxQ-vkT z&iAi6>{kQ84OzQ`EPwlS$MQyj&Ki1jf{MHfb(VeiE`pahKn{r{i#Hkc4Jib1^Imjo z`K?-}W&Ea={VdgKrZkE5Pzc*p%8(_wR@mhrgXa0S*swEy%v6@4QP}fgoS8vVo@eLK znu*+xxE?MZ>eMfxq^kUN^d&75b-5zK5>!^_ z4MZ~)21^2-(1ar!IM{u`CtlmIQ4h+k)i<|)g&u<}lmes!h#XzXlU?~hx2#MLM@8+d zn;;a(dMnE-k}Yh&b}P1uKu4LtwbIN%+ff?-V&lQM)vug+%;XmrFX|59*gF9W7Y|NM z2ikL9K1HIs1BwfF-g|9OC~XAk3noT&$Lqr%QY*3kRzbUaLwYPT=O-j7U;`HIhxD3z z=2QN&=#EPpQu1HVBC=lQcwcUNVx*WUyz+cpBi*Dl&U=9klLS8Zumu<<&Ye`^Fefm& z?4L3wAc%y#v}pP4Hor#37l5rqLY*IR)T?BLAs6&CwnxCkGBm0-yBt44uS zd#pXX3s=rf%V<=uuLR#*UzslsfBuzo-=QI=Pvp|Pj-OcFg8< z7~XFVWsO;d1-OD)3dWp(B&Hvt{dDbsbih-<+)_C~=Q!J<5 z_@%ASMjHF*1F}c>Ian(*mBc_(KCT=II(?M$36Suq_B}#(DqKKDE+Hc(?jgq;1}XMt z;OGz96b2^b))O*1F2>}3qzVr9-^}zd)01aNUPSdaB@ zJhIqXl@)a8a9Q^~@r8^Ew{KpgziYjEm6q+rOZPe@U2W>V(Is3o+07=&@m>`3-NDJbnBY)3z8Lyyr^= z0WW_Su=BU~2i<#*r&tV8RLr?3NSqPJUqxy8W#Lm0O{C z`7BAvoMJnvfns!-U+l?p!OPNi69D)vduB5k@)jnS$a^>ZNB++*!PUYJylF_3lkcpB)XHG_~X=t zUXOL$2>KH9d;d8Q{OpXpWj+afnoVVDju<>~&sEpyd(T0qsN+LXm}8Bi?j)~x@p=-a zD(FMjmM0xsaG{Fk%I~tchMT>e{^pxUBONHQk&#a8UA}cS6;GA|q@wdf$psN1f@k0O zt+($Tp?9iT$_vh6e4K9f+ng?IotRkY8t>GuafBdH4O74J@jwL>f0q53E3uC3M*_@7 zEMby{V0$uMa)k|d*9Qe3Vw3VHsHk+mWdXU`eYA~g2Lm0S4~Bs301dhRq9Rakv`-1qkJ=1WVW0!q}6=_dG&F1#{`}rnL zIc#p39yMxeA22~3*}X%;wehE609kncnDl~)scU`MvFT&j|bvKAmiW z`RucA?SHhZ95+HOFm-StXnj&b3t>*)pQWos#oIrxpe)Im3VE!1(&c;)o zsyl)OH#z-?!#S2?rIu}9i@*Q^)bUo+>yM#6zS_>*Dk(9n4RYK?r_(VY%eo}-C@7D> zh!LJSn9Y#o|J0*hdD$DBvwI-PFP~zqK6x+-ZzJ92%C3~x=XlPx8}xmZTpI0`Mdte7 zQ!D@fg;v75tEfWu(;vyP@?qCVT|@QdqT*V>?e0nbUa{A?ugNukC)qR53U z9k=^f=-5{$ja5=%*bbE>a%wf)u1=+kydrsxIjW``wfnuYq|*;MW7pL)}o(gSJtl|xbcYkw$bb7)J7;=&S#gNOS+h_o$b3wr}C zn2~MlOI;sEOQtF=O8Ul^tu`b?QR$adZJfI#p z1sK}cw0nReuU>6XFG3Yx^L8yS?gUD5Q(w^?xfDvS9k{dYXV{QsZvzRnWFHWN^tSoC zFZi{io+Vft8)HIuC7zZnyQ_hai`4$;o601o9TsO+_RbyHs>W{qTgH=Y<>ToS1_1Z% zf%RFDCQdJlU7xB2-oiCrWDAYnS`3U9_x*>z$U`d1c&Lu6Z;p4ug3om6!ag%~b(dRe7xWZ_#l)0Yw4Q%VGbUKh znDyY(WH)Cn_#|k5oRW2cjgP*x^@|Ok?v9zSt}ir_IhP{UvU~<-iZQ@s+y553< z6u_-;0@X^>A}Qf@bG-{r`OGj^z>%psaFBRKQq~jpH+B zyB;-Jy!k8%q-N^Ut{Ck9dkQAZjrD((f(h&B{2x*qFKe~mFf!_9YYPrqO>t=7+TB3Razv=Mq zbj28;C7o9fH`58`Mca>>p>5pLZ~R!_kT(-k$?sW;z{&N**szWSG2N=xxaW{x&9 z(U`ocMpb=+RUI)3aIGsS05_r!c`x}k7R|FI#l_US&8{HS#JnOEECcI_#xdgVc&x9Z zJns{GG?(P&5{5v*sZ#G2ZPTTmQNpf41$)PFKPKffL&@~iN5JwGc3GZiCaQnZ(p%LJ zi7A@tNGrZh3XLf8meshk^HMsXuFOBt&qLTOg!eZP@V(aZ#37n91BleSkJF6sX=zpf zL|P~{955>}@UEzht@$Qmc_v~Jh4dtre7=44p8v^+QkM<2n>%4brsKXRiD`v!%pn5* zhX}=k1e%N!3=GAa=z2T8o)&q!U+rt_@y`i-M%rq)W_1s|=KvP;vlid{8q1eJaQhmU zMxuM#u4A3v^C|BvvtBlQ>EdHx2yY=oW$|l8@;|tC&D9?KGq zAROvUL}#w<*MI*9>EOgJT-@+}^tNO=8-R-yy{di}m(=T3=IcLV%)8XRl5*^4%)qe! zHJg!v0T&WC{J{_nwnobIM-iKhuc+=L)sYs=n6f?o2xtO|>F%-L@nHP;F3`18qBuL8 zCZ}h63QLBRwRS43gm7gXeM)=~rThyYT@4k3Hy9l{9yuIK>-t_h;Hn`!YcdMWy|s*u z)J*9a{2s5nU}D~;H|&XLU(OyX*JJf(2@P7~5e1j^CF=7sx`t4mwN(@ver(Z>)Cp(t zW!r#@+~{aohfk8QvLqWwr%wrC|6=mHm`)`1Z6hUp!Q&SuNDGS4+k2jXBssT&bACDV zKxhPM^XFcxTPGO_rlIjl?6-#%g}t3CLn7o`z9$K;e*ufE1w}*w9QMtgQg?CUa|^Ed zKRZA7xM&o|C-3!~D?3gHkdXvWp}l~g)N>{9EG8R$P=}opr-udefG40PuyYRAR4^tlEIAjpQe_ccI_EX~IoWEnWh<+v(yz3{5$Q1DTJ(XZf+Ke=Krt!J9B} z*TX?F5*@vZ7OGc?i5Tb)NU*$Hn<`)Yuy1H$LHfIcBPfhwLI!s=BMpnjKCjxpM5Mab z{U@ILr(eSAoc-i|cQynpiZ82m){0Zc2;NWX`*fo!F$=^F*BbC23bnx+55eQB!w*xB zRZ~CDP#XGap3$wiL>SrRmyna=n2DR6o0~%PhL81S>f|zEB>h*(+BZ1v$^TC3%vk-@ zOCiQL|0-S#@h%ccZ~_VM<2gdtUMYii)_@Ni;pTr9voF3rK6$C=Px$PE+!J}pB*+^J znE*#)38rXTPp>#u%8n%1VAnT$~eU0ND(DIYn+zhnEAKTH%Ujm8?RP@ zQpU1oFEQ1<9*z0op`rdjw&EI}+W|nF^9Fx-T0PJHt6$c@GYf+7SWv|xg5N!q=DgR& za0?0`1eIP&@sEk0Gp|c%=qf1AB`)E{>v?O9{pqZBW%}09$-2_qlxyyHw66jW&Q0eB z*oy-L68*|85AuI}d_zUoFgDP2D+D8dt2?^W<|Tii2d&8to`kV)Bk9LgIONAKOhVcHsb&bQy^ofg# zsT+K&bsO{Cbsv=%WU!}(Di3zEg=n^CDCbsV#NCKXCb1LE%!}Hwut1h#Xr*&zTIoRV zV3C|UT3iQ6>8nVkP6f#xDw#Nm`N^Kpm+-KPofdq5kr6=A)IBMWjWt*yyeVTq1U{w) z`}J=EZJ($C0%20db5BL@Aw#$a2+BuonM01pgBks2HLuqtwI%7tJ;sMxA zLGl{f_KVU6Cm{&Wj&CK2mTtX4WJ4gbcM)i4j0;3CcSg@_wSG5`!Hd@QM2t8APNY>? z1)WEZC9_VKzZ(;hxuR&}D#%alN=mr6RSC__(gcD3K8sF*z3pUhu%FlQ*a)cOfx@qo z-WlHEPtWNtD&jCLC3>758BImro$$OcDeG{j&Uos3?vX>4SkKfGrh+#d_6EU1r5n4g zu42=aziLu`e0rG)mtpS%PM6u?7fuG_C4%^RcWZ!~yT|L$JS%3wBon{M1jIHvGt?@3 zE&5L(j%uYabwxnjOdHG$S}$=um;ofu{w(H;X7i#L@Mr!utH+AIS~R8Cr3hzufQ(3a zt3WlblJb^#c6tfL* z*JKW?#M2e)#lW^YH!ueTu_ z{P^b-FNT_i8inNCoEv%oiKN?N`(Kg?Ixg1f$?loS?u1S~%&o!xkpX0gtmOqU;PTZ! z8~r_%1z4-^-G8{kq3(c{(EWzRqq68{=Yeecmtf4JAk6o{nD3t&*eSnX7^9p9;|5gX zlKkZB&;`ZV?APk3Fn|}zsqvX(q)vTUSx^1O!Z;-)H#stp=2UUs>|OR;njoS_kCo%X zZ21e=2~BnUSB=F>rC}4JOcAP|zl8iC9?!xgW|lU+q-LDYr+0b-+4t>cR}1D`iiBFY zhm7>!BT<5hBY3&wbDlm3sLYg5q6_{})7LxN+&h}O9lpQ+`}!4~OLYxU(){regIR%; zW{zy`y#=|Jy!t(6<81kiG$S-o{lBz2+!hn%`|Wp*9aS}NrkxIsuabRSxmEnSa=%+Q z=ng-7E~FjYDtL{1G}m$5FgiMfmeHeSV5rCI+0_Ra$lt$TGS3Gc?(|!&%m*GsS=$y> zkc?EY$F=@qrr#n|<+E$)Qg48hDsyAJ!m`5>&R>FswQqLvIT+@f{`rFl0p$p|ydj~5 zywJg33gK;2;Vys_Cp?Gw8YfNV3$TI-G+Y1Rc{MH-ats54QFTlzi|hR-tXxAm_tE}B zGlrL|ZdJNsDETZCC-=Xi#WAx#vL6eIAhZI(X@Gc4(OD{^EDJj*W^;rgk^-ERSPp-@%+L^Dt?uzwCi;D%Gd5cBgBG7JK_H`})uy=G0 za*?N6S%?7-(I6%%}y0@KEFiEj-} zpM^>Cm19>E^gVVSCY^xww80u+ zMw^%?4{X_Bs>o~%1+`adaY#@>UR&T7WI*TZShPcrxySUaCawR~NUbY7z3iPr&ovH2 zZ=202;B}Uu0W7x^c^W-7ll2$0d1I#2C{@mXlBH>}4{gD-Uw1_z8`!DPwKOrd}t2$wz8@UtYB==+BWToLfEE7F@%+o{tPpxOY1=ZVRe~L_-e7_Ku$Y>j;{omK<;;O-IozLU_g%r$A>O zkaocF!`*u|&JYF?M*yu=LuK&9)5iWq6P_2@v4y$^QA9IX34XTL<6O7$1m|HWOS#Wv z2OBF;L#M+{;p{b*1`rY@6?8tvK?7te1&aXQG{CQo`x1T!ssbNU$={mAO6W1tRQGet z*HHyZ$D|`ABfo`P!q%189gn zj7(jz*+`M9#JmdG$`P3`x9g%;dSE>*4w}zv>8kK)m`&X^k;nqOgS~HiJZ(-6>1z=^2vhi02#7jw~cKjC-TSQ zX|ST8TqcF?Xq57wrDbZjn=-zI?NsD!=@H6b3`{xKUey0SFb1c||2AM&VJ3M%b`JR2 z;JmwT!;_Hj$Ta@c8;YMiyFT2=7b1_Izv68mA}fCK^!d z4Ez{hcy;TAWY>MECGu0bCsC@SXk?FG2z%YDz%Uxz(DU=|L#PO z6z}99IzLDG2X%YzxAAlEO;8ufJM-Bi;u`|AkE7H(M4A`dJFyVr@7w8P~)PA3~FF6($he?s&4 zhC{*TDlD@1lguQ@?LPWdQ=LHuUOAO)<<3!yO!()Q~n{Yv;Iph*FlOcmSfWxbt4ecZ({<Cum0|ZP zErp#Yr-=QU+Yi9|&&=8W@Cj>X^=pa;Qi7M-xL69eP1TH7aM@DP6-Q&B9^eh{ zp=j4#R}V`eUe;Ehz@(N-4-aX$lHu8HrrdkJ!e_R7+~9q#Z?@53vc~+U{oWayTmXTe z1P$(buzwa`+|$}$mi_KL$cR~kibFu)xXM9a%bPB4x!gYrjz>rP=A~&w4qTZz?E0mv z`X-xSIDziawT}L?2x6cF+!=q%$05fTKCthn{HU{Gs|e@&`HZ8^03^YG49Csuf*GWsQ{nD8 zVceb)t`e<7Ai$RZv`qI?Yubm&x2S+OKElZy((@zsSFD#kORtEGSEB!3gTiKC|Mr3^mfxn32lSn2(96)YT%>HFCP{T`*EDq4} zn1_{lW96}Q6cG}Pv{yF+3E*x71fR<=-rk=8tl}1`9U>!XJg}x1qa_x{@A{S-q?JZl zR9f!DNKm^1v~;Oe1Mv;d`JX9UEv6B_7h|_{#kiBJ^FLr$Q+(X(BTZ|0*jPA;{Rf< zt!ZJI&wQoqwsyO`l;J0}x^?R@12p@;V4WTvzdIRB-xI~Px>vM<&(yE6UyU<8=Uah5 zo^4q44QLr-AA@ePqNKNJ&e^D zzwK7(xP3aGfOEgYuPAUt^dZw2X7HX8k2d|;mU**DTGckw0 zBpC2F=&~G46Yw3xJ*Iqlt;t>B5+^)jed#tjliDio4IBFv#<|E!S8_wC*NybBBQcLx2|)=fzH@y?zLh{iQz?U1altf2ve=sIu- z_wT{k;CTSBboVLJxutLShhfy-8a@rwiz?3CaINGqr%Op`;p#Hq{y7~|CTYz7kt%T; zDj`|7{PXihk-zDA^@K;WFz}@zB*oG_$Fb$)WSTgquVbO=v64M!7q?DRF}7#Ka!Cm4fSI}g(Y0^oSt4H zR7k+c#!?K74?|rq80=Fi>-b{h9vUn@_@AuQrv;0oybk=}{wJEUtbB&-52e%Ug2%V~ zEx8!vA2@D z4axr_rJ?!UK>$353>9FJo>-%ys!-?LvwF=he3DrErW?=1(PMK{##ih9;^gU-3xJ;f z8}k(U_*X8&!+R5;4y-9Xx^lW1AJ{j8p1ZH3AiO=hybGT6Oja{Th!710AF7-qzk)jn>~P(N6}6Z@7LcB8UMzi zovVXL9P9e4j@BBbxIO{UZ~oAzU+dkPv8;}pI5#J*xl_7P=P^nNRk~g|UgZ1a#=j~J zp8j6P+jF^$3Y{Kb48xO7BM(Hq+F044k>9uV&kb1ju!QSYtRmyvyvxqZ67V zl-PzaK!vMe58E8CKO9Ql*@3tEzB(>VY|S9GPga*-nZf5xbgW0OXaw`lEgK6v+`V_- z-L-k}A~ZxU*d>-WtOJN-Ac|*Csas~dXC|c8G|d4HuzxT6uZB2F%}rAZ4~c)v_LUoG z0gjgci?M-+p4WEs%Qi@S^a<7&mA?@KNyRoNwoPL{L5FJrI$YCt=jg5aNAM>na(*y?)=Pdqn=*BTnH~_3C5H>- zIsel?0ek^P>JyooXmPD3l4{VU?Wa=IHyEf|=SnKhdMrG^1tiY9l?{7!j&L5>c-Td-m3I zHy($3$6RcEVI7M~?T3JWnss zaBq;zR%SYPY>PCn7`-ZYSSilZ0xb6q*huv*U8Ee+$QMZXws`Ir;kg( zbmh{$?+b#FW6=R-B&u@>Kx`e%hk<6KQ@)dYGMX`#-`!?**qmDqj;Y!m8U6#YI1X^L z#aOHeHl!OHFl!z$#I=6s@I3VqV@;*)N??DtkYa7T&2Qs=`PBv6I&t{x!6>ktosd*H zyUz0U3J;i3UT>3rsDmh|Gi^HaKVu5^fD*XoVAmA%N3M6Ov?wDxFam&I+$2+{X{qoz zvz^?ki9JAt^1{eMKy)!b8vfCq*U1b<29J53PWJMBRGV zjft~Y>!-pFoYo*~Hn2YaK5^n$TW=0XY=Kykbg{$Kb6fSq_??9*aExS0VJX@OaDKMG z$bSWZnjJV6@>g$wnEAroU=8Q1*q$7~}{hPsRs+Q3H=0moBQ9*^<8`tIJ)J(cy^7@;; zj^nKlp6VQ^(8Q_R&J65Sdg}5NEKI$WjG3*k&D+=B@o9bE5^TcLGdHCV>!8mue_#3i zCI95f>dXO|LGvti6^Yt%&Lh5{M!t9(+<5~gX0@QA#C0Pr54rM(5siuV>^mN6# zyJ14#*lp*w-$jEqZaDd)z_jo>+)fn+)PDkYLU8oh$3qaAYx#y%Dt-k~XSsIH+`Nd# z0wv<*WZ`?)>GyHjF)o12YsDKnDx3VHdC7zeG?(CZ<6T6$r-oP_Q}<48E&21gasKY; z8Ti?@*}A+*Pe#6ec*?@vpQ-pO_7iRZ&AJsc$kb551amvI*zCxRiT`8?!~ej9ZHNVV zZ%@2`Hy;A@dvb{gUNvzM=h=QW_8kYsE9r&^o;oMwt>0fb>|LgBgjJ+~mI7)VZuJ(Y zu^Kz<-KxPpAs5KjQ4ggh&Pw+MI*2DsOsEhn*!zyIS9GSn;b^ulQe_wfE<14Vy?0Ut zi{?i>GAgj*;B<3Ghita8sSkCVrRxFH|vxKYN4ZXbE(Wy%TRn8 zK^Ib5&Y>naecnrk5>J4;cyd4CP9!>6`{RhuG{8sIKXUo9i``!t1;T!puq9}V4}ITa zDwqyY&4!@-*+5X=VE(yZu1Z@$-jYL20lxCVlbYcYG{hJYpne|i51uV2?dW01=jSte z?c-X0W4|H+_6sJFSc&zv`%RYUF`FCn;xxFexKAO26?|g@LPRg2C-o=K`^RSjq^W@Z z^TlVEjG3KJ4cLUys_Lb>Q-7b%i7|(_1lzJ1O)}Ckk54lI^|EfYr!YO zV9E~!pKj-jN>?1LoEOJFnE==ui_a(>Ecu&$SWNAWPW<Kl?{X5#DOQWi{0;!4-nrcZam*DrTvy(V;z ze2_fgtE)tf*~_>37L~>quca^s)i&NHr#ADG*?M+3l_Wc+`PglySx+FJcEzwFK%fH( z9Dj`#D+5t1UyEvMZ@K!VhP)s8WQ`ln)MeKG)Z)gid35#}tXX%A?Qjzk+Oo#r1W-6p z9ZPRWM!x$a0ohGSo#B_njUO^@rW^r^*|EIU*wAfm^q;=79r)T$m{K#A=uI3kH>25p z)(l`;SA#qZsz|^pxN}x*M(`S7>%Y=-(-HIKL^F|Zu0+Ks9nSu=XKy>Qem-fcj(P)< zn;)ky!Jk_P`nbp}Xptb0r4*9b@H7m7gB03v$d4H5*R?@m|96u0EB-GA%cs{jn}VJC zeUXw&pdNqt-t6F&va2K3gva5+ZyC2$4s^fn?=Om-rq!xQMsn|7VS{(g?hq%HH&}MW zv*e=sUhcb5_{hey=FfsMpLLZZS^NcTCdBQ~`*pYHrC{zPXed|ot+Vr5Q6Q9fE=%dz zEx(>YQ{^HN+|@r?hqVi3nH}RZ`@i$rJK;%82)Lddz#sB2=I@+cJTzZv$q)T!b<; zf#{Us_ymjB7w!VLseO%Z>kSwm^iW*sLU*y(u2#M(NOs+;QKdJBqlJ_j`0!_B@TkKNq0KU)^Lj9tVXK{m%tWneOM zwdUt?x|-T{j!c|7&jfilJQ<7?%9%1k6xd;Ew0MsdfiZ#pGu(Ai+#H z?AsL;YG$l5ZFDC-$bgH%gne&gezUo0L};Qw`loO+OWOw8M}2hPT#$RpPXDYT$)IbF z#akZeCe|ZqANYf1DM&x7sNzi(!vK@pNJSN=(}B4BM#9hQ+_B0Th)JAdAKP!^gt^V| z>g7c!!%R8QJ;NzJ_8Gg|BSRrk=MT_VRcdt~ZYQfdJ-Cx;JSl*~uVo+nBcOAmqhBX{}eWWkd zp5!u{XVO9D;85oFe#7SIeCw#e5_5~Kk3C6qYS8#-WQ}xYsX!)2Hlco%bgb^(Niry? zCU11C^)2ABMQ(^{Z!rx1gBP9`FZ|-NrmFh6C%-u^bdRjhe6MNz4{a}J;qDAbQy?c+ zTihg2BkkewdN@$Y%Cut!IL+g83V_<m;h+qB-fzutPcKQ>VUc=A2)KD_If&NEApA$$0f^T) zi%u%?wi?5Gf!IT#JdB?*OVTR>j{u3hct0U@Z8kxiX4iM2j?UTv-Oj$;Ehc2|@Spe& z?xW=`B&`?U84;37KR7MA4~-#g@i4ZHAVo(?;)jX%jn01~T1Ro=1JiHlxhv)GCUrsh zS33eEg1Z)y%8l}=jFoi=IHjIV1?6QeM@WcRt8EA|`vF#X^UC&cUS3_K?TLKB;3(M& zek2kUAzQ{Vyo0k!ANK1+WXghkZhiSJ7Q{_X3u1FZHzz~HDdx&<#|pQ9F4|9H@;Q0p z@e0y-NeS`J8sd0;W7EYIqquKyRCKKNqJ=rp38P=L(esH|t`e932+pXe_3#P=$|()Q z?yIq(05i`WSIb}`+A^4?gdq1IX5~@B^fR? zG2#du-OK>`>m@$h+|w=!a#U{AKsx`J{9_}1|4j|om+chXLGWKJ{l6aMt|+ELvcj)> zyu(xCgb;+rNZZ~0b3sBlL!C-Wy7SEun+6mB~9cLv=M$OD+(mrtp-5-WPDjV?_MZ{_9X+5@znV*Bs-suEVB@6zf_9@S~MvJ=V~oSCEwG^H@cONYBogDQp@~9 zb1*CXQ-+X*CG;c=P46%_q@{RxVZcz~Lk@1#gA3MdeSb!dMqjUKZt!{~hmQTXAr*p9 zvNGAf&()l-&ylzS`vv;&AdtyBiJfraI8g|g9k-AqW5O|wn2^<3QILT5Mu*gPEhH}0 zp{11%BLh2C{uki#0apwMH|s-KkYh?-mly&|RqWSV06h=74Y1h)<)D*OInP5|elAuS zU9}o(_0MssoCyzZpBVukG7^F|SFUB0w)2UON4|=T zu;F|$&t4=l(n1f;&cp89I7r%gVIGrZM-KGvIxeS|b-&FJIO1U5#f7agzW$B`S=IdG z<#k`r?Q-|zZ!a_TPcXrqt-d1wU=-H<`9*~~W0{Ayaf1eJen@DrKBU^$YbgpW@u)!&D2%|?T& zNV()oN7AD;bIq7XZ~u8R9CvIN0Doqg7UeYxuWs;WYtkS@@jquTAnp!$p*Y4-%eXRrf$3X z6O&9&i=<4;q)hF9HuXao-9bm7sHVle3kX_!y=)%*BmoI(;Fu=(*(EAGj2mtxI5Gp+ zlG2nn(VhMM%Pgxy6R@x364)ws7@*_&KZ#~YQ{;(mj$(KKt_=pzf5O>70;!7Xfs6aR zQ%*%TH)yFqlFAEaaJ=eU!I^vReEbY5jCl`Z^Vz?f9>GuPG`y%D7x0Wt)&SniV%J!8 zK8Dn{)?!D(*mOCP33Cg1>Q%zoIo;dS<2$16Ems5amGG8WKAt}^Dg&Mvv69Kl_6Tqw zV3p8V=eU(w0CDuH4eIo7EZP%{al@G)(xl~Qu zM?)rk_P2!kD)Abi4NC0}SIJ7H(G1xtBy;VnN7=-yW`C7ybEIPQV9) z0ZU`2M7})Bqf$(%%y$KHe|^N`AitveOY1 zT0)HjT`UEwF8v2~VEG$f{9D_P*^|#heL5WI!=*F&2ImnQyR+1fn*547Vt7OYje5^z{HfR$a5z!;AaWakg}(1_2cim_+qS@q`?CG^ z9Ts$tcPr<99XQmq8uaD3T!vlMn4DW>v96ZNT6(C0l%rOo*oSK%85zL~h(NTGpSz!b zlFVMffJH&f;=W^v+RiqhtJD&`tl=WNjftiFc&&>DV$d`Zk}LN9@!9Ms1IwyG@z4|- zwChyXQsRYk4iFrmDhIpD^=A(PXgG+{b;eRC$#j3|vBnYUQbqm-l}%i$ykMRCfdZ!- z3xK&m;Cd?rHb^zqR=fsKP$;{~hr$1NlzrJ&YZ9gM9p7!94ml;s(|~AQDn$I-2oa)a z6Dq`ex8KpieS`s*T*R5_PpxJn2nZRnl|SS#jQ4#uu#h$=LL19njQ~!4fAtHoRDHMG z8v-|t<8F(96>~2n@qup5GnMQlHEY-Q5ND^)0{ry&zwjy4An1uoW0GFPfBg5C2qBwV zOXaX{dT%7evSJ?Pd*?1l5?OCi{L%q?w?epBlmApwl&5TVHd8Q#iWs-+$3d2AZvkTT z$Kr-#_ipd@_E@MZ;zj*f#da(90o2v)uU-8%(GxjQLlDasH|{ny{`O|(4zO*e0)YV; zf-EON0qpUKM$rQ4pNIaTSFkZmElFOGg{4L74w^tG?EN3HA9E$xHZNcu;yD(srcL61 zr3>C(QJ_^rxg})+m4hVt!`#7lzT=1kkW(*5^3S8bomrlzoz=Y2zs)fG>oIg*?*S0t z^N*1~K8UznE15d)nVL9RHswXRp<#o7lI#mKC6IpMU>{uny37 z`Ge*N%I~upLWJ#L`pCgg1uyT@a^%RFM96T@lky^|wJ7A?CxTSnL5T|Id+i z^LD&oTOh8@H2ww`C+MNM`Z9m+UhS>g_L%)(sOt6z!Q{r`R}C~nAfwj^_@#F;djwXG zr>D+pYa4qoI1>@ee~uYdBc<;v_}Z6c6}AxRy-a0I^^K74CqC6Hbp1RuwP12~!PC^F z_FeoxoHZ15ynnZLS$@ghu|HKH8OV#=Dl#^E!uxFhL=-Onp560@#QEUE3#{607px1q zAA33O0(o`lw@|X>CN!dCP`{x0mQFs+{dPw~O)W<2box^BrG@p`>XmfZzebawdzW2h zZoa)z4gC=toJqf>1eGuXmOEy)nUtlzY$8Fy*KglE-^u;mEry6wtMaJ5`kzYyII^H^ z#@mxr1DxgYabDUcx2#qbe=3fBotL&&V6on&Sf|Up())*7_Qc*7yHbpC-_phSFRWzT zu765Pug8itw|2HmpUw2$cusexhgPdNzm&~{Td4{D_~}n} zhtx9OsII!Wu+!sveDH)9H`lzmM~Pqg3~fsj+2m@|c5xxZ@Ow{)`I%a~=?6!UkoHBPp-G?9Rst*c-W4A<4i%i3cWT@rgfR)$+=Q^-b3W3N zB}l<+G$y;S~7OGkS01(#J(#EvmPFy|rjH_2WUGjR|X%q6m1Oa;Az(g9ngWJQ6 zO|vS~oQ|hgAVFrP@`Z+AKU#eK%w9ol`E2@r9enYcW^m^q-f^_|JSJZ%A{7Y&(yGSC zqqWKne0G;_Vc)xgq6pJde!o4YpxYLEZlP#;`P!awrsF~o2gGV!rI11tQ$>ZW4&=cX zJyxJEUAaAqZgApIc#naqDEN<5kDoB^w*JLRL>DyUJM%w4&elFq-0U8dx5+f8y(SqY zIRu`}l#dG5D)wl|e81?!Wd2o5+3>}c-*t&KV3bFY2^k+1{oa)uVbrd+o zM3P2zv+isGTddkOJz@=GKL)s-pM3Ilm+gg{lARn*zI%YD4T`n2Se(KsP`o_aNDupG ze#?v=5`C_zDtbUupNYeF!)LwEU=fhyHRcag1nRK=kHPzfO5ECIf!Ql? zbRJDl%3&In&`&}4rR%R~0R5Pj^9LhfqIXEE0*JCcgk;p#*5=fpLev>GoIdYgjA`DS zu6i8qMEv}TaLS@Tv$XUI(r&lV^0Kzhrsdb>aEo3m%VTo$l=d$@Sg7^sAKOFkr_-fp zF#>}8Tr%IMj11*wR*0v^`C}|z>|&km!*>6vL(cMp_jS|Bf~|>(h)ds8`Ai9r%AQ^>B`y6X-|gbqbi0+SVj1crQ5$C5_Vy-dhhkDQo6CmV}K(X=Cv zh7{$uK!LY4|1%l?yYsIrXi->dacgeK!4>4S)J{ltlVx|mDqx7|gNKCm67sljz#bbp zI8*`uZ0An4t$B-$V>L zp=|C&_ia3XGe6gR)XGnsrsEx9@vOJwM-G~RfYVb03=#eLZpdNv8@ zhy-vS%0n|qBZZvp(~(8I6Ipln_BKryg^afY!%?gCL<+PD#9|KXK45W}cSe(LQ&C7j z@HN7nO+3H}oYcVeuf?ag^>3bkgL`(bIfM9wYgvZ8Ce{ZaY`+8TAsWUIoub7e| zV$%eguK6D%C5?}-r7phEfh-$J5~MS_gZ*{2vO$Qyd?yGu{VvS&f6Tx4{40z*BWVIY zGgqY84GsK8WMA}C;QSY-UV};NML-mw>DU;7KnyLEM}P>EVsJUSDwL};US6Vr;$Wo= zE_W3asn!&jNT8=fy5D)OE}A@Tc5FZBeIru8v^cccf4y3!51WoREQf*XGa3szI5-IR zwRe{Z4Gpb=8z0}?t@e7(0uU2ZSlKH;;!=xI%iknuZ$6Xv?dp2tB7~Qg48)(VpA-os z^HTF;E<`Cqm6f%*y`OUW3B}1@iJN}9^H?oe@mL%G8IcUmx)sBRmAMJ3)tX9k4kzDl z=tFPxFvOsQctHVKL7|n|g$fD>3xXORG#LU>naV{u&bg|A%pX!I)|_y$zsYn^8MS@F zYE`N7j=ll)dS1Ueud=kl0i5(+8y9{lQx;W|!j2Zt{w2@P3>6{t{`sUOB3fvcf&EPv z`HZnA44xS7%(Wvr`r9Up7VY=Q<+tg+Hb}L36myg2FjqcpjuH9k& zW+0#GQA*mVQeuS|7-m6!k|0r$P%9rQDLKRGR~s;0bJhUt2^eCRBIJ~5`Ura`6o z@+}WfEqD!e2buAv<1k-nI4T;|;}7WN@k3Wu&^6jptYKNmfshP2<^i+m#$6>?#r$v2 z5O046P<`xHT#Y2;D5)s${I^re!cv+zFTiC!rqu320FgosYfX-BgwB#0FrAt&99R7H z15W4OKt6wF2r!mjl5bYX|HrO`FMJZ=;$BfPURowgb0kEr(^PVtt#oJT%RtYfA!>vC z!jt1ngWWZRJppJYj7^;L$!c2S|F^YnkW~Zr!q%D$=TgM*g0VLxGiV^>8_AV$B-kWF z8Eeo+Z@hfBee3))jkiLCryU*zeE*^8$bm-vr7w@!T3aGV@O-xU^KkQ(FeymvTZjoBfDz z-&JhiqB-Snz)MiB=+x8z?Fo`7yKv&#mS;cHXHMsvSJ@iIQtrc~B8YERvH~IOAY5l4 zh885l{q5~Oy&ch;Exivd9rODKNR3Qp<&!~T-`@FNhy8)P(BN?Xe}`)9Z4_I{CNGtM zFdm4sEoeg?fSVv0v7>Cn?l)@xL1zcgtH-LvSC2da4%hnmXIN9X^a0Qq`!-)dq$ZwO zd+Ma|?2^rUIalDCr~MyZdZ#ItlD@BABy67)P(biUEUa=r6sHdv?c4tH+ij3%hiInw zuu(SG`>J5{@84gt$H#E2*0o8CbEd|&Q~Iw8)n~>#YAe{Ou14_}7rMG}&b+--n;D{I z?q9W4Mo)x!R96-bfcCAgH^-H=R=;+vTRQl3q8FBy?9?_*a+tRjcvKhinxgnjMrM%(R=mkGaxx?Qe~qllO9i4FXC&QE~)I_-W!n zXKrjPt*xV(K>r77%<%BE5x$1lS@-h`U^==RVRE0X#_3_Hms;9KPm4f$Ico<6{2=64 z@TZR-N89x@qOPv)2==i~G-!Fc2@Z_XwsW=lART|lmGd~dm#Y8fEtV5#l+kC^i zuLR}P`qdujUC;CUcj*EyADUC(5u>6~*%8BzUqN`$pWPL|X>W|R-AM^;H=X)HU%F$H z#H7O$jSk=W=hnEPdO8fe9ge)bFFJjC_4re|PciwPv^*k8|H=6p-EpPg=oU# zhv6Ay1QTd~<|9G`80lE6szuo zmzv8VO5OSpkC>ri)68+6dRyKsk0gd%vSEYA*kHj2 ztV7Y%+vEI8=rT$DvB0J5;ltzF{NTYu*(}*K&oUdmPs!r+^&6U4ht1OLtR}z54glhY?B3l<}X*oye^KG1k|F4g`h&Plh`4;eb)y% zfT_*kWi#(|w$#>c9r|$3hirk~)F^28Xfw83+$Q4Wy32KaXvmwf4aTn1wPW%1Wo<^o z4fApYV?JnfQim>c0`D0>q$fCeZI|l~`>zd6W;c~iZ(ThU+G7OV`X~(@*a!#^Q|I~Y zpZ|^jC5O(w@k=Im-b%ELNhI`6d7yk3*kX3r_Deo(dgQd!VN1JjuEb(`o8-;*=uBvp_w@PWHyKn2$o?j4 z<*KYq^tf|Xb@GY;>()~o@Zbq39iv024TfYs52+SU!yfK1!rxBK|6J;-g7&i^fBIbx ztnjc4vI|Zj+5i_LB|SFp6PDVZ9L;ADT#rriv$mYyM2mMc>8Q;D?|}QAW-jUF0Y*zZ z9PZj0JY20Z9Z_kE$`|G(+Lgkv*$94b2CI46pATW?k@9WPUYGW1g~%2Y;nAS5V1Alq z{4Yawr=3YOd$r>9{C`uG@WHRUD(`Sz)Vjg-6fx2=_nc`^=H47-uvUwV*!vnS1Q`Jm zsOq(+uBy56kqRDwsRTTFHqALDds?tAJ63RrrTZo;W{(n!%}tC_K3|OF947J$v$9YD z>sMGa_B3Am*gLhT4z4@r%$w*qY{`%p1z-0y`DT7b7#}| z)CuL&B*G#kMv0WxH_gKQv|sR!KP%1pabTUYrGk{4VR?m?RuRUUQEb6vN3TmVp_|i( zZsj4#7XVzWqv>2D0|RYT&&AjfBz@oSQ`Xmm8mrKYb)P<6Ru!?A3PJJ?L=Xo*G5;eB zl!bZ?;S9{`H{Y*J0Nv)m_(YxtUR+A*=4|c*ZJ(4p0(7#6!{gNaRR^pEF)hvh#D0{Y z*naXZTHy9Ft=y0;aG~kpHm>CCCMuD4bD0R>`zKUltLAT}na`;gG*dB$px_C6xCvGR8k7>fBbojv}3oOl7BIro1UXe$0?|s9kR69ZTbRW3Wmw9^MI`b!rA| zyEc(xAD!;+C%t53G=~caVDv@2m!gbDMHPTY__W%djsfAaP)rkW;fz~5n^41{3->m& zH{03^R;G-mkFO8<^J2D{o;i`d1bbl7YtvmipW#0JFtL>wcKoFq5iLC~-f*hT(c1QH z1gRSxmCw`2EZQ{IT*>S!r2wubdjDZMqPaQh}vP7@l>bl7g+}*xYNk7#X5kYFs-+*U2$W%1z+e|@iZR*$A4a~Ni%e1E2 zS=b>!u9xCAk+p&_P;cEm{thy={Yq*3x)2<-nwX%c{gY)%(%9-LH#zh9q*ydTWpTXa zAzuI4VD!Hyt8>4dxlkawo=+fCLlVKKRF7k9Y07bN z)m%+6=3+Sig`aszf@MIu#be>6S!^x1`h0%D)3PREG&z-uCv z#c!fyFRLURw0`j)xw3Q-J0^C zO)#AEsH$FS+I4kka^Y)c7b#xreuJ};D0`Q%JrspXW-&R<4 zcZjqwEEW?SR|C1E_H4yxMco;T6v#JF7P}V)wnO`9NoS5O2lijTGMf3(DHsOpS7D3= z*EFu|bkcTp1ll}kr}69WR&o3oFCT}nD`TOM$V63C&54kcRabC=#*le1%_I(Tp>~`a zLHSs^;L)-UkUdJ92Xk0WOx#3l7qXeU&sm(V{Q}{47JQFb;eNj~=SKl{^DXVS!9G(- z%Z9G~WswlOARrP_mfsIs#nho057m@K9e7oj~a^p^w^Xu>vv$D&l!4I~~et9VQhx--h#8DJyZSbrFHS_C4bYWjkef352trLLn+=G0tU)}n0Hmhwtg6}t27}fJ z16#9tI*IW%i3sRqBGZ5Ed>tlIs;UMDiwGedX_tO5yJ8RVRq%R2&r&*`V{2{C!cu(a z2Xjd3ZEQ}i7S+SxO1<;+(bdy|_(#Pz7guju82Vlg{VW9&?Cv1+*N~4?0bN};+h0C> zzzXQ>NK3F%57lP=+#d5evyQCni5TV$Fg#V-#Rmi|kJ#)=MMdi09+#7#EbL@$R5fHb z=PSOiH(wqTF)epkvtO)p*)>c)Sy6O#c5aAE`q@jI*zP$0XTXFlMX1Y^qy5Vxd|bn~ z#hg7)x9)9cP+{v+`Y#-55BXG1`?Zb)@KFkXQ}=QytdWaJ=rn3X>rf{K~elE-?`i z;HTYNiq(TSitgWZ{1qSZQ=$!cp6Eix&ja_o<<+6aoGhuBm0#Jro9mVqcDg$MK;Aq4 z2r=H?rUWHccYv@QBPpD?1`FSKKX`Ic=$CM{NuQ{NivWk5fAlJuqVj@vmhH;X+Ff?m zP-_o+3(*92;l98Ab~a{$?2PPG`7#zn1-P6+BU!&boA)80K5QaM%L|SS_jC-;bxZ|k zSHtN)&grY9vU7e_BF5VMYBQnV{(O&UMr?0uOC2g>vgvxl1xo<6DO*2iL{`X$x9;#q$Z${#KqF=#Eo+7*WaplVuyZ;}_@9IdY=Ehk5&R!eXtFTGGKc}3UDyXx=vtMLsN%`eKyq@H zXUm*c2TVx~|9FZ#YML93X`DvMS?wST+6HPk5lpU~kCyy|(#5#E9purfLGh)b4OipX zsIG)$*fZgfxB?pjMHKohJJ`nyz~i4>z$pvre$gTZXQ$$|-*8P8pErd2dl$Jz&S+hq za{ST#lhV6)Yb(&G&h4T>+1Ol~&`C~7xv-}0O_JTOO0JIN3qqLk^5b=X;=A(=OGvoP z8zQbZwTnQ%xU|?*A)n_*Nqts4ZLjj!F=klLV8G=F$f7AMRn^yLVYDL@2wfP zGZ3%n`_i2U8lL#J+k@^+_qU{KI8?`^@2d$6g#lb4$pRSNnat8rVwA_9mU_$4 zU=A+G+U;uFzgY|Tjs%rT9J;apGV-54Q?ltshf{epV)$W-eO(^$`Kv8=OE7N+-{u>a zqwXB!Y)$C3zCJV{u@D&&4iJkbm}H2#4K|ztbJ{8zb~bi2xFKx@Fsit@l@;^-jeCfA z$0i7raghs4O}!4?mdl{3feVpHGT&i``}Pyu^Gebo zmjw$2<{3+AX>t3PNVH#yIz}a5u9q{uapPX*7n~=NHzEGd6fH(-u;}@CXd*MDR%<;%NBhQi6-)#oKXZ2>f#ihew-g z6R0tx#-K*g%Xzw3q$tXw!dK%Sqe&~kmGI3Y^B$&_mWWeL?YQfK_XF%t4ReGJj*pzJ zanA%H^GL@&%8w2Fv+64Koz3156Zye3t$J8&%d< zu2+I-o&tBB0flegg#N)Tl)s5f{i>?cUFtn$X=gM=;|R(TNOVb1z7kjb;ALQBme5{Y ziPfB|@heUzL%B!-_66b(suzcx6Udo*xP&?^vAkR0gCrB&V-$afrf{sbBGM?`t@B>K zwtIyYB2!XkS5?g!f^-A=*2qTt+&C-^sga_@@3~0 z<0jP*e{u5heb-EIkD#Vxp#NL0pB}N0E*cSzs#W@Mm#w7f(zv8T^^^I`^&#zpoYq)1W8TySZ0KKLh=wx>&kkORJvz1Au ze`V?2WiL;g)|HU+&fco%2#@89sw%s4q|I&CIuQhR0nf=qR z(iqu2D^zP-TpF>tGCN39Q{>_6{j6arOy_c?ttCtFrSl`77F`4~8~qxx2gOLbz%5w= zzmTP|n2%2*Kq5ej0RiJKc)={6UjsRTmw8qfq=MeMl+mM!93L!DM3z$g?$?>HqxW_W za-ehLYBsMS7Wp@HyaaSUBQLLCb#`{veOsJUX{*kg%Med@JLIdaySRGEyzITcPQW)$ zCCfm*b5|n?8nL#+F-F#1d`--Yk}SQ@ynFV#r7W8pc)gGgzVWO^W(z+1JD8EUJFb2` zW?#|zS2Yb01Fl)ogM`u?HL3$M|J}5P9yHa2x74N&XR0vVq6}_~8p1=gqz?m}LRO#Z z`u~c*r0!Eyo_IDcu<4!sX#O|dHj+XrL1L+{oxL57b|TUK0dw2oI_DTS73P?%O7zCmXXN@y=tDS(+%e9Fyot<0 z9k=TuZsC+Kst<8?+3XyXN@I+iJTr7L!AdItCK7IGvgwD1wU5`0(Uj5*)YVp}=sI8z%TIZlZJDBnJj*~B zGbNr`en=!vI=4eG?)Gj0tX|CTuCQ71!duJzR!DgOPDuhGG9Du}z$KDeKsxK1?$vpn z^V-_Engwf$aGjdVma_Ap8$tjU_EA(R7uoa-yuSpinD^7w#O85xo|x{9eZI2{E;fF? zIBk5)05uL3mF0?AMP-D(rIt=t z##oSvd1|P;h5D^V4?oNS1O0SZ>YCI1f^)|6Hix7>ExTLz+ImSY{I-xg-}?QB3D95XOR z-*EipOZ9K0uzuHiwJBbVUNCqdBUW=}W{TH%LPQ%?S4}SYV?Pt{p!n&v&+@46xLDUq zh#7^UrD;dsx+Cb-t*B|_Utc}iBHZ>1MB*3V*6OBuGZ8g6cH18BIH^`Zt;R7+k&g(I^w6_vSpbDW2JA8jM*8nIAx&EywmHEG;+9c~PAIlur z`j3iQ6PTF;#+bl9Exz9QO)Fw6bDTebvc%qefV?9UH6I(9^7({dU5O%Ql8a23xj0eO zeoYNtN;i>cb<`IVe=Sp)p3h!P)Z{6{-fjlKnY#GXnK=sK@-t)JiOnp}; zjwu&KO}{UsBi->OqPKRITfj=ot&|aFD;TBTqRSUtQN@&ky zkXaP-@Pf$bumV3=c1G--23-um9avbuT&OuU#D(%J(*>E|*l=%^ z0iI}oj0-o#)>s?6`yY)J7g+HUw2L~)_;J%>fVjo# zF*{FJITwE#>$rcg%1@2QY%?MN(!2H_TF#Euu(8SNauxCBITI@GtfMpSaR}IKqUh>* z60p(UKX|_C$Y)w%8*C4RC5x8Ac9;OnP|B>J_&Ci1^`g7#cm(utI0(3q)NnRoh*6+K z*CC$+0dDM_N6J^qn1QJN)YK9@?8)J&y_?kV8O=0x#%8}wcmLH*7F4JFQ4rnXVy-aL zK(R$2JlvRGu2~#KED~6Ikoa(2^(&ahxiDOU627C>#wy8@9P-PPMx#{I5NP(3qsCrb z(Dl&jg0+0-IrLLyjE%$JVP#dELk3t!BO??>X6=_W8DsO6Xgs|djY1I7LIsi?KbLBz zivhj;i)uKR(^FG-2Ih5j=X(lL^w`I9ULAc4*wyxy2|^wVhKsk>&2QYg`WH7%zkF9` z+;k>lGyHsgedB4%EJV!b1aw(?YVFRp&L>;)F2>gysB_KRPgj5DRJ~y3@J^Ykv z6K`-lw*XDV5d8f(pq_S5i&@L6dc!&(n?Xpe9|s!Owpf~nxQ6MlGD=ZWza}gS1l8Ot+1#}zuph0JR&_d z^|pHq=t18P()n1zG7?k1!dzaWNx$+3@q8V=s}Of`R_yf4<)OX3+TqkhYwg|}&*rDI z{!TZdTYE82cd$P(7wKQ1oZfBmyX_I$KFW;CxgVDMZ?1%HieGSQ*WP_S3Lt*4Iy5rG z2s$ZpajBw+4z>aKj_!BrTa%VwgN0o!2QxCk)S8Q+=TYy%wlj+=iuBMPR+w@Z_`cN!*xXfRfOjL_ z-~R6Np2p%s-V@kPy~u=78`x}VReAU6)M~TvI^ETzzl7+Y#dyGXnMlQ+ffy?Xttdx+ zq+1UrpwLr&_3j5vq+<5?KCWPDR%MRO%XsmWb%b1@HseTxp)br{G(-mV*5i<#Kv>^4 zOxEVDY!Mz~ZuYWCmx2(4sAU#jz2WIh~sbo#?TLhpl`xClAI7(d44n`pG3~17;NGe*Hh1^ zuRH-EW`y7-z=P5YC;4=EH`ewY3HANd(&YEj)aQjtaPo%{wDX9g8iA^3mO*!zYYhShr0#TO@NMt^@tqVoOu1{{`;+T9iTq93=aK1M8++s%n>2Vuk_De`d zf`;Tz_Am!Mzn2ecg`#?=@no~ZDa}9psT@(~06W;V&f|3zwbj?ZUKZ;m(Iyt}h=?Sm z18vIZ2254kKbY9q9JW7gP&wZM<+v%tM@5We_it`MlNerJO|jA!LQo`fFwd}E|7M-B zP~F(h?0&cI28s!$+B&e2F}O_l(o$y8$1SJ=#Yco&F&tn(tRP*ruqh7P!ORMMY>h@w z(DaVlHoiaQo^0*>Zd2O*wL97VrKF|Zx#U&IPJv3A}dS&CAuG@O; z9bCT7o{|9%BlTiW!038~*z?!*VXIBZ*RHwsC~G2fwx@#H+L7)NuS$}?Zh6wu5-C%HWT`MmN(U237{03b;J(gH~l*NlWcM97PgfwnGQ6ru$lf% zJ+w#_LRa_B9Zq3yIP5jlVw({abzk{oDgZL}L}4TK|QJ|A-|wk#k0=LD>m z42n!Dk>hf`=RT&%ZI5?xSXet;5ANk*=i<6I`@25Ea(f=kb}di=#yk94Ps_`yBY zuc9R=A|fKdPVfL97hrfR8X>DvydM8TGRnqyd+Y4(Ql(RGY>+Gtl2a>JOY+@={QKEb zL_rDi;wiw|y1!6Wa8aBZTl7nT$?89_y<9VUoJyEc9hDmT;MfV8q)B9}o_T(;ZU3b> zGNW@O_C_!28*=|}&)VYHj*Ytn?BUvYBr;j7?WF?jwv6&n(|Rha|B_*z@O>N&kJj%+ zhv59|w`6?SfbCOO{*a(G>6&82gtR@{!nxkPlmm~h2KjwKcg^6K3=waSJZt6gzP37idJWz>$v5)S$oU(5A{}|2k|al_GA9G(6K3ChecFnBl2o-v_3Q zU;*|Pcp^m(eKyC(Rn@!$gKR?$hDW>W;!_KX8tOMPr9U@!9gO3`zHcxR_=KG-%(zU? z#gdcla)s1yldu(o9UGGR+{i^$b=?3RDMCU$g$P5n8uF}eddX?Ck#y@1wMEbPG)IUd zcxKR~A`Ugzzwm!JYinY+V9$Un50LLC)%=f*=+m3Pw~&N(|C1f5Pab4F?ISzV5PaBt z)zV1$m3y7<$T3LIa&BxXsKSDL7q(4fa7dOxU|UD4!wu?Iq2Dq%S=b}otBhb9H@UV( zESIO%DpYS>lIybBtiCq*-kd?2`b62K4$2JW%Ib-B8U@@QEo>Z_mTP{*0A|q8j4MB7 zs=HrU?kOgK4~0g%4m0B^y&FUGalR>k%KZh}zBAbYr};l+sCn7%$eBwQ|@wsGz1# z5L%x2A3TAau>-8y1C6=IW3cm~ohUvo4)JzS8OcBl%srWG4%`+lFvkX$pJb(NNR;f` zpQzt)|2R05>)CKRnrBH82m?pzkL>z^hSh3Y(nw({Lt&BcjCAMjPNCQ~Scm@fx(STp ztVQW#i|&~AeZMs*Wh9e^`B7}I{4j!A>SDOvOKK$E(_{kAW#)Y;eLHoFiGhmlJKt6m z8zu2*wrjHygU;V%sm0q%zww#VNv1UzGv_QYdM=YRi*iO`{E2~-_bcR4kybj$TPK-_ zM8s#Lw{x<$^A&`2x_)VtnV5iRG(!bNuE-^fvA_T3TjWQj3W+pb9*8hA;Cg645u->V z#4X%ja9{u!obPoS%{lCB+syCKrmzFEJ%{tCgfu;4xtkhf&t9ZrxDg^LSrW)ESYz(E zsqazWB10G8A-{H?%1W9)koaynRc%siRgfWR!Zb$if1{Y}$GG^9k92cQ>}fCwKpN)2 z%2&=T+3Im33$EtO-FFFy|AMrv>6-Wx6B=>w${8S^$>d6EG9h<}AYMKUcXl^IbQl5R z3?sMe2&a_vSFQK#CkoUOUIy{ZPmMVD9Hyqm1%!s>BYa|7)t=P%9J8U4GZ81&zRh`y z#T^4HvX8Grflv$rMgDZxM|*b)P{l>W38~7ST;vH@}{VpS7aeHYtFbB4V#QC65t*;5m#=#nAzt`863%{G7QYFD;@Pa?{aJ~7 z-%B21e|s9i)!Lpc=$YHtsKW*|cvhhFHo-f^^KyJ5xHE_K?c~iww3mFy5+?`i51xsn z#JGm5qihm)udexQ?uutC66BYXK?fGfD`K3h*bBj8KXeRq5|nR0T?b+Xu0r;c;EmJK zwmLH-8sGcfISwXrO~#pD-@8oC8R5F7OFY?Rs6k%HkXqzAHvcg45T2w-UQGsCSy)`I z;!Y$NdX7!_{rFkleus$+_e~ri$7G8K2Ej;M6Xv_7?OrqYZ_H{Lf@@lXLS@Ww%eghp zQFFcjW)T>JQkf$#I22 z&Tpz=?erAA4l{AUx1)>T{xwTlajp-}{_$pO9h*ke1j9J_)LKB zlq>cHrWq>FLQYa=u5VQswJ62V$FGgkB`7hGJ*kJ|Y5rfJbCSxB3#Bi`Pa31 z`6kPN79Xh>giP>N5Cqrb76S5Rew(xHjIm8kaVRedTvQ)2)!RxYab;=tdD7OxD79N9 z;5H0r6K~5)v+5@T;Q#yf;1@y#1r~nd(GGFL$1K&tEneQk$^=(IXLi5R6n>BCU)`i4 z)El{f^3)4K^M#lRFHGR^aBh}t#Qc!Mz{Mvm3T0p)%ogCYUkT|0VqUB~j~@zEGi_~m z5|iFRIuaJ_0tZahk%qU^W7xAdX6gSISP1 zB(dKHexkp=w!Q#S;Yg{naRa8G7KZjyL3W9%41FZg6N*H_`d{&J_*kT=L9J@7H;DYN z*7p6WsNfO**Wd@c_bEa13mTZ|V8205#?Hp5h_q(O(@DRB7OO5h%KdYdPjPTG1W?;FFx`<1&cc#mzMgW^xH0>3=2;-TTINYvM^?ueX@ z|E+(JiQ)~m1(ToWD#5PNkx~dKFPqo?%+p$2yn92!$-qZ7F*x}&;&2?eIeDR{2i7x>3jgchp(QbBI01+lc)}-jtp;D=Ds9~QUz>nKB-B{fiK9)1aZ6| zYK*8kMq_+@O4mT+Hlv|yXxb0#Z#74zu(1MLn^@$$K1$Bu(}tOcn{ryd&As@$ztub+Xe-i}kQohzH;}W6l85m^CIuGX zXl-M2V|G97n)H0NjoNUqt5vJJTplI1a!Rvm*C#k=kSxD|LP` zi2h(t$Aa&M6W={jW7G&zG#nU)7L@lB3lxlr73dS=wUc1$(PmWz;MG$yL02xGCaOO=Lm@d>!{V@5?{DE1 zg?wr8bsH?9q1zaJBOU2@dwAQ;rk5%5>bvE>w4tDvU7p=^;Flh0`lM?_D!_BuOBpmjUxgXCO7*4rCp~fe` zG$KIy(^bbg-{gt0)!nQ0$*4Bh%VQ#ZF6)0}LX}~wFE!iwXp1v`?GwF1wA|iP^Osr> zavB~M_bGYEJ02s0;f(sVYlbK`T%_Iv$**5*rv@?dEOrUvwPrhGI2a;R72XpO)%s3s zWlbLF-Cn?vGnL;-I6r*1q7wD9Ft#@WbT(>H>4b*X;k)ga(ytuk-i{Jk-_L@$6a*?TwHCd7=;$)PlbFAz0(-xgMwnrZ?`$pdJ?fp&M>N6*W z5DU8XuJk=Uju9X{HZABRqLE?dnVBii&hUvE)YsH~rsgCy^xT;o8H<-s=3)SDEPX@e z%aj>4z%tX#wd2!G^*snW0iX2EGy%s^r?dSIBmFLW>VqTUEf&AmQ%hdC;B=RZrR9#9 zlZyFhG!r0)Sl!I*tO9NR;vM-bqh4LZba8!#P45p*+YSQW*P@LS1M}Ob+b!Ue>j)MG zzG}$Vv5Bxa^FFbXFI$Jee$C~XfNh{Jl}LT-CXYKg zJ`h^`DAUIY$+f`wM{LK^_H4-;AuEvPhzG$|<2q;<0jF=Gpm|3b)h-Ad*F^)1XYYl$ z50aI32=}TVem;6N3oMPW%8xPLId=Z=$ct)mqT^#Kf2Xzpq5y&a8wU9Qivmow&QNEp zz6iBx94U?)LA`KW_M?Y`Wa{|8j^`|7HZjl;cS$sKK&dJUn~+K3;Jd3#{5Hm-Bp4d;Kr+$scsLfcsbwspIsX= zD>G<-Lz!xxH5zg=ccHE01O7+1yAhAR`%}ptmlt7-P03K{&6q}o(sZ^&Ug%Or%x)R1 zdcn+Qlmb(IX@@pi`-%9RA58INnC&g?DY4b-c8IUC!^O$}XU`l{a?Eg$$yjwre(7rw z00C)_F&L|zfX5FhF?Y`O$8=uc{{AuO#+JcX`{LYU6(UZQp8h+j4g^IQ0(aJZQ%+(} z7t+R)JP_^sYYeOU)8o6;}|~VooLNV&pA~? zgu-Tin~9l~-^N-xhst_2zHdTo3K+qhWmPHT zw&-+)+!UUtjwXnanBE)^(O4Vk^sC&)OM?WGW3~m> zOn|C7c3$48bj~I~SBf-NVy8j}mvdlv&i_NcJEPHE2Rou3ipfVsnoM+(qpq-$q+n(kLJGRhfL1ED2}=;JPsGmkAa|7N?S8wTRb_u{TafXH3G0@a;Ox zMPl}thr^A#paQlt{=xpC2M>y>U=IXDzdkg4!}?&5$|*Rf`})2K)Q(5EZ>YF_7frE3 zEA;?YlC>#dR8P_vA>=V3(VZ)JJlC?ZMM}SRms2Ec1w245!>XvCLzR?Q(;NV1xmAM; zKl^4js**6pZu@CRS@q!|C~DckU)kWHnlDIzeEWh7hn z-XY1}d+)stDoJ({5*Z2E*;`rJJ0fK7z4z~>KKJLoKiB>JejmTbqd%_XIysN?INtBq z`#H64WY5Zn8nevraL&+5y#FkzMWG8evdWPggC4;#c7hbTkOyb`pPD(v6siB4oDI+% zo_-Wr?wNiK`ELQ+HPXC5v8T5rJNxzmjqTDF%}L!0XmQ8$)S+Vvxak!mlGn{2la56^ z%Dz5lzS3=Ggs!vu<=b~(etWUtXW9N8Cau%2#Mvaz9h8Pk)vw*`eEmu?-o&7jFr+yV zDYSd)pMf7K3~1QBjP!Y%omAr~m?VAmf?HkO^CiwJ!24dqB4UfV<&k< zpB_D@S}$xiEIBE|=5hIAbpYP@5Mw8!xrj;Ao>ddPB}xvHsqo#gI7>@IgeI!_Kq6p7 zsx^kqQAtH!M=EhOT$lwyw6_%V#gdy0D5}H7ZvKX$6g{BM-Mw5#UWVU$=kbjVPIJL)OE~@mfk6U>YX>N z`-F5yu>v`L;mkz({#rGVFX{9{F-y%xJCeagv)$#$Ph zlQ((zb7^}eOnPylGibg~m}P!6R!%llWUydcroCVhy$#JjYwJVVEApJMORf@ab=OPP zOkycP$K~k75MoCP zFOneRxi@@MEC=q-n>$@1yd5I3?}&Ikz8EG(UA*oOk7c_7{hOBe*r_n`{oJP+w0ZLn zmD6=;i$K-e7T$h}S&uJY8f3)q<|l|ak1`_Y_N|+^D6aj`S=-#2@HeW-goVBL7R_Xq1*8%7r0JW}jXRV#l{b0zC8G+@Ic4=oDcvTQQoWZ9@YZ>U!xzuWA(P05{=d^LGOlj^b-e&q9jM#mi4R#Ep*P+y4Qi zDM~V&$B@9*=*O!Dn(M+0Uf#2*=i>T@XzQ;=W?Q4<#`Qa@J=BTo>S;T#83mOv{8yjV znS@YYRe@($%;?~1Wq3=}RlWb1)*tZ%^Z1y(8cVL7^Q5b~`5 z`8dmtb{qeY%&>GNPk&-gQW-Dhs{|+of+Tc94sc~%n-h#9yn>4jGZSd;)ZXK_UCKY5 znub}hkS3+z=kyb2SSl?AV?|SxR!H77#Mk_A{=9R)JLi*eCYsO5f;Ks>E8qBMrHq~j zbCh0zU#5I%*14Wcd zpMkMTU!UcYWoHw3n41~sO?%9R1@2Wv(DRLI-HvXJdO^;K(pq-g#YI(9gc?670{OQ8 zfoJ8uhdA|>7u$F@t`YmH$9t^2>p&qajS>fg*Q=AuaZx=5I5G?tg1S7`+Z#U#d5(g$ zZdkLgKLiT{%irOx5q(goY_&h_%e-qrTANm-Yg1!&x5Ak8%7m4zt!cqb#pT5T@6n+l zPM-zd+X0s~wtpUuq?Q!k$M7wfC4`b8=%CtA2|gDoOvZBGYoyWp1v!7U;?`(Zw?aFs zm(boy%52SvJDr~|*VG)-I~D>|RvRc#w*~f17N@$8MUQ?J_9DDLHL{MzZCL}QsPLoP zNHI`0@|^m96k|5OB$L9G={ZzH@L(`uY753~)IRG*xC#`#(IGgRajQw)#SVnVOe^{4^b7)}!uS{Ojk6jzAzR!XWa z@r3v`1?-g|B}bj!rY513!SNUyUUC%u$Zq#Va?XOXD8Z!G#t#&bF$)Vw&AxRQMWl_5 zh1vJ+-Ym8h5wATFe18!S2IY&JHFFOK%2~6JK|m1lMrf)jh0v3zVh$~AtjmDouawv`%D2*idI_9Ina}E9UzgX z%(w2GCv$a3WmQiMvsClNE(t6dUp1`psftNnES)O|Gza^qrl0nW?54{>qu}>~A~FV| z9nP!T#1f_jBk!&5rHyJ==;NXGN_q7-qvhH10|Kw!SST=W3Y_?IJzs2LalGqU*Hw9h zY`rPrG1tme%hU$QngWdb=TtBG?WsOpbZ@$g?&n7Dy2(%#&!p>^`acs9E?+-~IZ@Q@ zx>kSd*?~_t4Ju7xEs-W@h7rKOne5=$&FDZe1Nx{hd-3Y9d1dAtje_n=P$R#%d`kYX z+;GL-UYECHh_nn`zgdHzRFi>3AS@z(KY z^T;OH+FDgrvyOHiSz|;xxh+-xjD$508^vimTm@?J3N8Ya&>aGG9!$FW z<-qfJ^to9H1#6R)M^vdw4@~;P$B^R}&56vK)#VApZcxHYx$JT|;5R%Pygp0!QEHpZ zFSI?wlj@$)sKlq=|p}clCML;>|`5v0B~I++#LFXJ%x;%SsLe5(_MOoWDH0X;ct1$gNfG z5imgep8E?kiik*+;z4BP!Q{_(=ua#-qC|X(ljf7Ln4d~9rYcHZ*ObOPNKp}Wje1qD zMDPErpxDW}ScsYy|0RD+l}CbECFd;|zZPncPnqrn1c5KDm0^|1wXw(i8`p3ltmzNd zdx`vet)Eck2xL!57Hvzsz9JaCcJ|+9tM}$AEn#djP`lIeqo^?!BpP1U73jF3hU) zc&(oSQ}L;G8bY@GZdI%qw8WQ12C!Z$WEfz5r@4Re(`CuWXXrZyb|Mq~9}b{0|F<2t zRf?o7?0qV473xX)1_orSd_46|@9=PlZf%0iz)PuogyH|YY0bG=`YYf+*o=o1*aIkJ}do-1s56=jHhwjrGwf5-Uf#>I3&CP3pCh(6UIw z(*pQ6sq%mnKX3UXOIQh*t>=+Fce}fq3d};nX^+qnODn;#S{gZz&`cd)*nJePpdgH+dRpph*6(QP4)Ng(D?T)%xP?lR-m=~0=KuR>q zZd+w1rw&>Xs~8AmVZ%WaGTphFpx2rc+0^l=uaBdgcR2iI{nLq-)(qFGksCbTPt=t9 zGuna3;Khv(;zhEP@*8^lal@Kivqe5BW(}9-M$whVX{$YH-QKoC`nDF;yk1E$K5(Gj z@5=bt)1rY*=ExJ$Vm)z#&sm&43cO1YCn1*lIxInY)O$(9!vyV_e8GJVOy3X16jTI( zFwe_XzSY+^QPx;DgR7Nk{u2y>K(9f1!q-xdIhA!m6at2JC@S8B$8d6TE{q-rkUU$d?%vbSv{GyUO6XHX{JG zr2K^m>dGI~nl@yK%Rp~$yjQx3FsCDyy)Xl0FW&2HjR@YC5*9(n`I(=s=8q+IJOA4L z-FB|g`)}=j#pDTLy-%-by7RoA-P3XtUKc)n>8f}(YFahM2+ooXw8UOj7X9iWYq%xO zT<#}*`d9~9lcu=|Qd04JpLGZ5O&(s`=-7%FJFd0`i+%iiMMw$g8-Bpng!fL+crXef z+bv$^ui7{!l}TkSNtC0HYL8`C{?N|nvqKN(^L}i$>v6*;C98#g0>=E8yRC0n|wv;eW!KhB&nks@AU(#PiaB%E|X(d zoWGQC2Gw}6K`068%f>6fVw~vJ5W3i->dC26{YQW;)~s@mFV35p8aGZ}WC@Cqw=Y`T zgJ+yEhV!Wy^+}Q7$&ad|H6ev8G&!sg`4p3BV(k5LbfJZ8E9fSQZ|SAI62TK}<4~5I z9~cnwyL;~qh~!7&69yL_by`2T7R_zzz!)Sgc+GX%%&Vo41w+hWet!ztS`+G2C&YqJ zi>YFw^4Ag+0eCU*j#E}B=#NxJKDmE~$EA&Kr+izOvo+nbHsh__JZF|~4)2^G3|(s1P&pH(=l>?COF7w})6 z5^0|PI_#*NUv2vkdQ3`;?*Mo@o-D=c6Y0|MLK~2jn2ZLS8`hjmh%QYqlb!OpuqI`P zKpWK--k1+yfoMXEZ?m+HCsXT{MKO-MZwGjlItlo#4I;vc9}5jucqy5^ZCBu-2_N*F zdE|XNULp`@8_gHcR^XB0-eM&!1ZdTrd$@)86+o-7(xTmjhy7^H3|32248Qpt-I!JH zy#Se8j)ROiu|_6VC{zg><(@kahz2lf3-d7qjy!_Ys8S!@)h5%^w;;k_I)?&?8V~s( z|Ltlc98b=;)BEN|V@s6=Sv&dpkJP@0-Ay^9wyVlC6kP{Kd|e0~y3Ce>lN zoW~oMcz`{;pYp{oF{0`H%A14rIN{GNzvlKHkV0&3Mpe3}UfTJ2v~U{!;t&Lm@^qsw z%Jgx9&fFm~jTY*M&03sD&{zEeEQxa?&G!mRSg?Kdk44YG_V2!rNpkR(NemKmNr)Fb zH;#%vU8O*MCw}!a@`b~o9O@XbYnxxqm$zKHA=~(AW=i{x=mjsomkl3Hrv=D4Z_1@T zMe{9|Gjb>sy7R-3Ri%#rxeeAgO!JS&u!SE9@&SU5; zO@iar*U9y<*3oXw#jfkTHXG)ZJ7OS%jHx8YHrI7>v* z_wsHsi-qf;qkD@KJlS-K9&Tg%2TV$P17)#LY8W74&^*Y9<&w|)*|O}%%<{VA1-Hr! zmNbB(3vM`l>x+5j4GP-d7sb^gVMEOeB4WKzK%zY0Ac^4F;I-(PnZhtp~Y9p zy{{I(wmk!S(|#Jm%e`@9!Wf!-ZHMxeqP}LQ2I)xDQSE+}p8g zi9<5v-S|2>dmqdSn?oO{wP?X#C`+5T&9}YhJ7!R+J#4~LWtLxkawY?s%w!gYwch!c z#0Cnx_yoF;9aY8SeUP>xe95{h2m~c`_l?{Qlh4z>&mWvc5heKjwb|>Ptp5u?#3%4W1B3Nc`!Z^ML%)<%*9??1;bx|7;jcv zu*BuSu5>?6;9j@Xw)6x`W)n85GS2-u3jIrrGc<&0kY7JIm{);GAGNTnJ1{i-b1MXg z*MaY3rRu%D=mC^NI!&jo?gq_2qlppN#YmE>pIm3wk|}dQR_>dS=NEs0kkmSyh?g`# z7EaDAl#Zw6Mznci1hj8B6hSUtiOe{$5MKXM+raJRJTIN<2J*?F)$WuMmE+Cs*WYT4qzDe*w0g)N=Jet@L zkM!6i{_%CaE;(T5qPxY#q_k&rf1Qy-H1|o_Gvq?I(<9XiEx!`3X?LJSwGiVFM5Jpk z#YyMoS^|L&WeuRxt{aC9O8B69&s`9?W zpn|@QaPcy_{!aa^-bUQ-Eli`uvs;a}ZwZPj`%$nOuY$wGRQ6N#_cz$S@7%i}Ki$~(dXYy9Q*mQEQ^Zkh^MyAlN!oFWD{>2mgUiUEE*K@%>1FrZ z$N*2)3>~d=@?wRL^P-M`ii5ea^+W61S5Zoy`3wI-OR39Uc+&zxYa>0cyv{L2_eC@= zM?YrE(;5mv9PRA$a&o3etD~Xga47z%c^b+22FjdKD4qw@5bAo00+z}eh)I{cZ_&hy zn2*(@Ja%uByF|g4rFbU_Wp_CGEbVQqTb1a(?XQA-_FICavEPQi6;|h`R({4sl|HO| zI)M{^BBKrVIEK3jChCtFjt}9Y(?r!K59(b2m^YLc2@#{la;pH3gq4n2X@bwGm(oGN zMLL6gKeWXB*tExNo(UV;mh-~RAVUN^;P1g6+CsJ?zj>ntWzBAABz`WBFt8BEl%!9i)ogHFxDqn7#ZTZtNSYcC@nBoM-)m6T$K>88PQ?*82$eP>HRz61l5Og=6 zZg=utz^uF_X$$FcBgP;2KA!@n$!%rg$bdZk;e#Eo>ulkume^E6w)^M~b(GAAC^0wr zR@f!A&BYZ(WEaK-!KA6tdxA&y;UctwG(G;klK1D7tA7V-GhIvz8-%ANgtts7ma(ge zgRwS+irF626SchUM<{RT^kAw|Sr-xQp5@B?Xjn{Zh<`NG zbFK1~8H}6?XtFxn$#wnUPurwak)r;Re#Msdc)j}bXUWT+q1r}^ESyK~L=~(sIRzhz zlXGSUh`Kn3zU7qZTQt?3a&U3|FxIwh zp1>9nfKY@W;epV#J68gwF{uF5W|fCcR?#2{Gm*pxn=1c}aN4&`^7+d!AUziUW1ZQZ zQ48R#20QJzv$fIOIK$F&k_fe)yL^(&`<6&0sO?_XRKTSy!;DaqNecHU+fU6&a)+b2 ztzaB;RC9h6@hR@PMQRtIY@3pin$ptyx#8e~J6tI^hnd|jz!N2T=XF;)5#PyOQq^B+-9Be6KR68bf{T6f6&9Aj3 zKkgQROjp$d{aH{5exTU5$#t_JoIjhT?Y$ir&L+I0+~OSlxpdMM#OE0I27i^!HXRrq zx5KBSw{?I1)Hr-`so3!{qNcQSm^%iAUIDz$PKPN&9-buvXyf^zJH;OuH9u~nlh$|- zcPhnN!T8P)B}2WVliajaxo6a49-jpXw6yr1prn#m*v}%1i544pB_(FSjF;VK*j=Gn zw6jJ$;h*S! z#p(ZnVG5ymXs`ak^#1)V;eLOF)bRfxfB)gXL{k5LmH+z}>e+e*+Xw?`m{ZfQQhZ>( zf(CjBRZ#x+D-L&U@f=bS$d)~2-A9M{;Wujzm9?dq~A(GZXWNKDSNLKi~C=$A%e6+cfySTBWamgC(q>Onr%fCW`_b3Y*JB8)uYxK0KuQ-csL zg-T2=?`Z5Xf_0pl>e1n*Y*yx3>h9O)NM$QR$)~BVeL67>lHqJO#CC(tSo$wI>Y;yO z$b0JO^#el{gzxZpe-e<}=S0MQdtst#1tynYqoc1=@l9;VUEbDlOa(zzsuIV#7)npS zO(F%dK~Ca~rik)mwtAy&;B>A$&^5I<{=9A+5-(1NU1#71I)18T>S>7;??IP&vnKrr zG6*5+6@j|T!&2VxW@^-TL@j@FZJ%&f39=3ov1p&o=vms&FT{hu3AG1u^*O~4D;u<9 z-;W%TBQVvkN866J-`m=Cfq`BvlSpPd>9KSL?uQy@X5A0%>~PrNT*v(&KT&i6@D=Y# z`5Zve`~)tdAb!;4#sdVV6+qVf1dyQNzUvdSpXTEMg7Q4-fmSlG&1bbegk-O%#of;q z*O#)|QHh^&*7dZ`&W#fC_>s~Ir4Ea~GZ<)y!vIs9XQxN44Lt|+Rq#sm9;l#)zKMl3 zpw8gQiMd7VpTw>^4%bV{`s*6xsUvd!6a57KcQ-i7KVOVW&}~7+*!lQ$r(vx1?uK3d zL#fK5V?7ZSpZv7U8zC}izHbV%PM3Kd=NGgyAL(>j2i>QR;NA3D6g|s6M{CDsSjSW$PY@_ZCW{cp zU%2#O39uKqKdB<6AoJ{hL&*l&6L2vbX*T?m;Ts`cEWQ8tSuGl%GDZ&j`30(QLiFM% zhd3iwavsn+SUj{&2?%0}kSdLQ5+0@M^=ZagrK)tZSJ9#9(Z*3wCx2%1$ptu zyHE&Vqp0$?tPI{k7%-SRK0Ue%m?FB6A=@fA>>vs_d*2N=UZyNIB27C>CN;;>Y~`Nq zL+#1^sV(qj?H#13qt-ft@vW{tj^twDKvF`7D^2#_XBc8F@i^!(M$rH7oJ&-y44|fW z9~*XXeP|20v?JiYqLG$kJc@ijTZ}gM{RDFCNpjGHz+g)9D$jP>LEKQXEffHhfW5M8 zZGi!ZB3(>)4Bo?3CEK6GrsgJFkkk!A_0vIb8H6zcU5LNrY=K`26cy0r$<8QSHuJ)X zm+>||kU~eRaqED@!Ea~!XZmQ^46F zRfQP*Lcm*qCL8#Ka#_27Xsi<=-MhK2nc`m_3X@^usuu081P|@mZM$f?#nq{k49`>98}~2=?>0< z1zneY&j)9J@ivrgX=luO{{N114eogxmKxg)hJ?Y{;aEJY>^3Khr!Gwm1m=zmy0d*< zcm4h|pwzBh{<%E(;cNtB@*uIFbP_v76M?neET~0R_?~KY^D)s&>WNY7sop>_dXkq3 zw_GB$lKS>rv}d#I&A%z($7kp_aCq1LdKu06yx;UmMDM+y;_o7w%(S%fV?0rjQU)JzyhOrF*A}?z9JA284!B%gWs=X@{2{;)Q@iQ7a&fu z;+HUbSrQoGlV0N~-h}%GtT-V!&C^KB=OHX`;6Ogw)LiU!$HL(&z!Sxq5aCSM^;l54 z2CT3P_pT?TNvK}HNi^4vIUJadB5 zM=|-TD_GA_HScG}T5w2xWMw9aLn$2YjDNoiT3^+SekXc&v%;}O(mzc4&6B%O+L@2{ zsSztG?0OzD)>}m8(mE}Jj+U!<$C&jT%IvDS2`yF(p%|d6A^w4%$Qdq9u6&+*H!$>T zPfWxD@Exrr#@x?mA;0npDUV=38SDFY8$Zz6D+x^RhCL9=lXw5}e+fV#Cl8`IuD8Af z;kizdV#WI|)b7N_yC;Gxd8};LIjE7RbtWzYB9_^qfV}~kNf3y+tfKyoRCT}s8fJ?K z;p03L)%vHUO>gF2mizz$GE{B-%es%fd9(KjZ-)xqK}TJUyy_}YlwSBwj0$paK%Rbz z8{)B0>Ldvd8nok31mU6*v4U{-HDj*tyszyWOceckiGzZNN53oMI>M1x%%1Tet|#Nw zf<{h}dj&1wnj1V454CTjVy?}LdfJhO2Huj~d;r0MB{=<@U?`cldIl;;ku$?!{|~MQ zylRiWe>}TOK2v;>u%%w>3)C~Vu`;$HA7-8^SUr7pX=lYK0>mBPYu7JPr%r=7AYW7@ z-RQMahD_&Oc|@l5#whb|4)){P*u{%~HW# zlFzJ;GJm6ld;@PJ?DCa4zNU}IcSD3?`0c*~2?8tx)KgTg$E5<~=U6InF$~EqSg+*t z6Nrc&IqwEE|f z1I~>;`*~av?92;whD+9M6)z*!3NiOaYepj(h+++U50M!b( zG&%z;JPMz~DGDGLa=+YU1`)`zHpAVpUlt~0zp?6W!S@7Rn-1N?6~niuWe8eZKx~cX zD@P02Qk+G_x8SG+y9Ey4YSItmCznN&kJF6^P*=|H-4`T5@I3vM&Y`@LxWQu|nj(Fn zd3R5Q1yy*VKH7Hb7jxDxZ`SFqpJdLzRI=WG9{NN`V!O(h@ZJI8RY+CBs0|7J*7NyA zLG$iw+i5f*rjl)`Z|%#Hk@vJ)Rqi|?$T<2PyU1EL0Usly@IZNUHE~Tin!nr3r&ikUhX3dtu_V*T`PJ6nahUk=lWq)2pcD#) z!O2!zSDn6uk3!&?e9#U(?5^maSEr@i?=1=5SC zv3z@8Nv0APRpm}gdA$lrZ3cHJ_&`k5gl2USO$uEztB-gnQ1KG?JC6_>7@8|}T0?5$ zzYxO8j-vkr1_PB%Obph3>z~^(ayT5tc-R8AGL||?7+rT(M*aYf=Y|#QtS6wzf%~Vr zK_FqSsotF%j9AV7ttcc#E9e0G916}5tZi?a;-96G8F_}7{sBzODO@HO%)IF;P@BQu+q|V{@h@+A5@S~t z;HbwHaiyd_O!J!r_8gBw1@wP>k+fS57AO?JJjx@^RA#TiF7w*Ph?8>@m55}dUUt;O zmo^b@Aqs4J`44`{0_|#jzb_2)^V%_>!8773YY5DZA~` z6MAP62Z@^d%nWSLrZnAMk=5wu2RxTUH~3uytkr@ABc!_2RpW%b<~3ZLURI=L2)hW2 z%L_x|CtHZjjzj*};B#Hxd%>L9o5PxJ=RINVS0-3woJqleg&pJzN-DmOgx+?Kd)G<6-6weqL(ztH9U_G&Zd0QP- zOY%~4`1!iDYXd=9RZ+9A9Wy#wLxlL*poN^j9@WGA?G!L@@L9}!dhvq1YGtfM6YnLC z+U~FpR=h;*r0CIzhpudRnCwFK5}abeDMrL>e+yR?eubq((ISdor&A?o4+&N_Lbg{nWdsc%j6 z=1e@DYS!TxuqiI_=ieE@tO*)g!4rEa-LSh?0@Ffn)Ee~kvTmGVz94jP5`_8Z*>9&8 z=}R={Qo~?e5l!|&6QWfm=X1P)qGok>%Bu*xb$BrHl;zpe{5PJHN|Jb&05A%euw_Kv zv4#uPGQ9a*6Gq(;-<6v;6#?}$JNB5qoPOL8zO`h}LXvB|$YMTza!;*!JA}{DQ8ZQQ z$&=wX+lgLniF%BOp1oKYLWUP>EVZZmf0-mC>c*s*2nIz5Iolf86|OxeElYjZbHeB3 zK3ad`pBk2TjU2DlGN{EOVE1C}0k0t<$DUvJw3g&mm~JV*tCy}dM%OgigI)=VjlJYZ z5?kKkIJWt|r?0P5MO>L$HZ%RXtTVQ8eWl&g|FNVPj@ZcCj53GYDT+CYJD0b^Tcdcx z=*UR(uy)ozg-hQp*-R%=vYmKwQz!giwPs~XQ8F~qtwHo;Xg9ytVTGWh`yoQLkv`DR9h&-_~suX@aD3-kHhhu@95 zPNJBVJt(3noD@=3b`d+pmB)lmlG>u1Z?)~md^mOKBVk3fj+*=2e}+AS%@Kqrqn*8X z>&L1hiz{&+x_!#%-W2OvU|u^%Wj(E$*`IrACxeNeq)ra)>;FP~Z6mP*(BfjZ6UliD zWI9R5NKm+qy4b!mD#8!FH*+SNHFjB9B881v(g%@{Fsa&tYwUqyKiUYVNK|L9J`s^j zd}tLAMC*GcR;<1_1kiyfnSKt7PaWm&H1->@!gPnO*{d;&>)`(QG_XSSlIF|n77sd2 zw&WiV-%F=~IKp2kPAI*CIm3YGSBVDJ&P{xMRNZXu&hsp|c&xgir*8}U zS&Ek(Qku|GpPplRFZ=Tcc1Cj4d9g~7j7vK%^#qWhlTd0$CelqL`ey;cWsQAarRhV@ zO}?TI1!sDRxvtE+Nm2fRN*VOoUeCp;y0F5Uw#gfW;u6TZoMS&bj=yS}EZ5*d3C(&$ z`8L%MEn=a-qIjyp$G}~kdL^f7mU4iPOcYkUfuTP87bMZ;;4SB^>el5K!fDSBE6i}w=C8A5 zB?YP~YOpyQVaAGOx%Ig*6r@{T&|dsJU3|Vl$vV@o;~s=%vdj@-a1x^WEI81RFgk(@ z;2Rlw7JP?DL86W7%9^~3iTHF81pQ!%?>Uu6e%YRb$4>S!#zStrEJ&TlMCqS&pdj~I zWB=QV59_qU^v{pMCTD~; zXhWAgS!ldLuuVboz)gfvIatRa!|x|upzlP(H*Qia+{D3ft@R*$`oT#e#?Ej5i&92nH-v~D0D zTu2CB`Po(9dN&;tKE3*&6vl# zZ_dtMMEq7@!yz9H#d!04G1;BlCG~a9ucT^W9%@@l5~hl3(w2A4=h}71_pyk*{LtDo za`p17H5L{xWGQ{Zz%)TqE%iZU!Dv+kbU#7G(8f%!zR2ahHl^%yS^ zf)Unq&I1yfqC{}E9JuWct_QRiva;zpxu3t!2`ScdL!9R?!=WVGI{Eemu0Zf#;f5`a zH3c;!qWcz=>5E@B-EGcPW|h_rW4Zs047DNqxq(1E=0gFkXHWJo2o0`Oi`CV_KzYaw zeLwLViE`&z$3=bo)v=mB#8}^Sw`=&;T_)Glc}uwWn zc`Y43p^fINMzsj%KMbdHqOV(slx0dZacGnt`1!8xqu%5=XY}8U5U_ug{UYb>Rme*< z=SmUDP|g%Kbsp5uXOob0UbezJhwiJCs+7_9jWTfA}&bd0hH|%5PxDa7q0mE((z4lVO zXP%7{$x)zhlO^_BmtwX>XzAlZOBG`9AS4aTBKtQ_12ZGhGYqs5%9YeLr(&OVhxf~E z5%=MS_%|Em%hmF1vPM)ak%0jAoB#fO{#u%l|M8`NvoAM))6`q3z!ALSu=tP2J^al{ zoEct~NRpTG*mI+&@FKqdW}Iwk4Fb2)vI8m(cc#kvem!NSPCdO|vND}}q<;w3R>9Mg z-1pEp1+gdABi;+vt0WK%ghk>fg!<#wME?Gwr{}1Zets=w&}EF@Y3MO;y&60QvHl_% zN3KrGnIBve*I@|seH#2P`F^DzaAPc79CGCmKL^`_mMIseElLjO&gsP2Dav($q6-CO zYyYf8L%osdPwG`=b);NaWRb*ONV&^YlRkm8rINvYC8&^=VTe7)$94i@=*X(+qOC)C z%0L(C+TQbx&`Qv)_)|{zaJ&A{AR0UUG<;8d(NFjuIJAI}13b8Fta^)9WdFy|64cHA zR{{*e;(V3>Qw;0}GT{K)(fFeI=i}blOu-Qze3WkF^4Tg3Pv}wixmbSXdF0PzF3#_Q zs`z7gGg~8`lYJhRFMuhKKMrv#3aS+kB450gu1~Xg`Kgds{oF$)Yj6NHK+B zTbGoe0-c;TUV;oGeKzDTlKv2E8~U~;F$G`aX zS9AX02k>CMepwF+<#HDUwA2vNWSuRSkB|R~27+OD18-!op!@N0pAdeZ!htxMxS-DG zN33rnXlNSImy*ltVEjiO$k#7R{62SC2Q8t{3XUz1&C!@ZUS9k# zLm8;W0S6>bl_`#NYO(xS5goO*_YL5CpK7C__tN>2lR)mkEc4GYF?N*EKbVJGBW^a| zjg(G7hD)}aP~i~NL}G#Gt!}*BvTF(?qqSg+FMoseKY})@y05sAPl_TS;H3?bfPBnR zNLZ-Bdq2&&j!FcXGvD|EVEm&ixa#f=z;Kbsk*%-u5;|UNCCD}Ad$OEQ0DM$O0{7Hr zYVW&u!=a67T^W6lEdrKvAO$EOT?n=Fp_K0)r^PgOZ^33zYvy7h+1r?RkD9D?3cNZX zWfNFH=C@MF6Z-A9Bldt1E~>OSx)zT(PgQDM27brOfyYlMhC|=Z)iK+WX{3MA$~HDi zHP|{CL>AHmtKec@ToNcLdqNv+SoWMsS~D&$axen-_L);tCw%YYB|coPO5IvZn<|;? zx6MS#IMM;#!l~uanr}6gNlB+>tW57+k%oN{fi;~f%Drq5(+xH)-8&Buj>kEQFh$~- zX5JSxT_(seC4z7!AJZ10rOui#t)%ebhH3DKE-kc^V7UZQP3$=TQ%tkRwZ1 z$ms}_N#$hwu}Zc8FxWzAw(CkX46NoUP-d#5qdr;L89xE_hJBvV6S|Sn`}IQ0@~X8lfi*b_^}G z8ndmt{Yp8I;0YlhUcf*>yOIucYFk_UmD?i!rMJD=;D+DWC;`FoI&x)^;ZC04^5%T- zPX-^4fmOAcdZISH7M=|_b5KR(na$k6Gu12;!KavVf3R(1%Pv+y^|z&o9QWz*FL=wV z(^vHuH-W&a)LQm+!(83n9ViB%Y3fuDoR;Wvj}cN6IMtH3Vxb^6z;HmrBb|%2-g9+b_L<>R+mB;Sa>OIfHM4<%LN~+xCjIYZ zWEGTfLQ7=olkJtzw}TCmmzhcmD2g}4LpeX)5|Bq?BE?7R7T!O_iPBh}F~gsm_bt== zRjR3|rQVtN2)&A&+*%Ip_eKag++>Cr{E#cAbUUKun14xLM+R@*zT9QkPni~P!(q!I zKgX*t#*0CLDvC0=W@XVt@)jZGo4(+sF`FMW_!o-bHtsiY41P$ES5cXHffAy^k8z^c zy<>u~q>H8;^Avlg6XVb%8LEDS9PM`rg6u=9Qr{jf$uQ^|)$2bQ;3z4+z$C|wbs*Qq zoL^pSuJ{}eM(F$8J!z3f6mR-U2jeE~xvB6KYD-qJzD?STQK5kp!p`5xM!dFWtJ#WGOvpJ~A-?bD)Ajh* z?FrmQFlefmH4N{(AKhzLif0kKqCk_IS6Nz#AR{ z=p&?%&jb2i-NnDNG+Dy_M66ANw?*>Or2#MJEjfpn8s3?bjgi&E{0wR$=|WdEL+`$Y zyN}ZZT(eUHJeIB7o>({w+Z($(k3gVX`JzCqSP%Or|E7UL;n`njsR;&ld<=N4i|?)4 z$*tQc-VPY3?uj%vSpM{(aET1?2L~rFvMY;9%qkz((V72!XKdUX1DZEwGOwe4&s2Tm z^m8+?QiIc{g@=zfAsz};_GKa&7mSz)WYH3f9>&D#awhBQjVX36lAg0h&o5)4`##(~ z=*z*_IM)3GN(pBTY)7?kTQh~^S0rd9S^dG7ukS`?&hH0wj$Yca@3GpFLOSol>B_WV zPNT$J-~IBgygW-u*|PFPJb+3lv&o>J9>KxCdX^<~m-ybkkI=+XX#D=2IcLZ23%V~# zApoGj{;i{+fiL|QMUmO0D7(Q+Sv9D&^d$9ErJ&R=Gb#cB?QT7;5#2op^|3mPSeFY< z^i&84MfpEA{W+mIH6Z_#NYnAk{>ipTaN;LC%x`qr#(-`8Kf^ut`Zkj*?=*W%hoEJUl|uw*u1?Wigb5MOGrzHfFekDF4EG{%^{TTZj^3>rBg(@rMp?WJKuxP^M5|P z`)T+5*geeL_nCXASRKL5$q#L(6R0fOyovp$XvQ3Mo^8T%JI z6f=<_AW(uxjSRs{5K0l?^pnp9Cn4#(G_D*As7N@wI9+*6RS>BX_*)ouZ@j7HpGo2* zR;7;i*<=0@BYo|Dn*WARxN)juP#hNjJg^;1T4SUtDYc*3RfF^V(B+!88#a(7Bm_+y z9e#pSAD%#X%huO-_(2m4SR>e3rYc5Cr*hDPGq31q7e|f$rtQsyv#3>vKW-SXR>QtR zk{(Z*jcH!G3C`CuoCwo*EKLOtOIP;iA_mLg0Xv&AP(o;V;ZX=d0yNe>_fU zmgv`MB7Sf45yU2I#(B71N;_ufm%#)W$bI-OH>MD;G7v`oODJPOSWXLjq;~v#N0(Pxhd>I0q^N9Ov{{#zV&=RQ)GjH5m&lg)3=Vq zt+E^cEWbCmPN#jD&cg+95Vk}@A!e{u_qOj>^OD@l#_!bS1ppJ%6gfoM1`h5ok9tjp z#a<9faBCDYFj@evXMVQaKi3u%|7N(g4CCEU*p0l?g0>HMD{{Dh8V(MvZNJlFk>!I# zCF|4U^id<|xlkx%aI=6YID*)5sSs#p6wG!)q{62$d!0I$e(?c3eLWMZMvfrdE#DF^ zXs*dekO8Qqf?4O?QrS6j*2r`P(&4VzpmqeGRtyFUzc33Jm}EXxQVM6i<cNBCt?e7pgk_0`ivP4cO`b0x=5-QJjMS^=XEyGz~aHX6ilu9ubrpoSU*jVcRWG zS#|VI_Bpx->fPkMD+udg0WRqS!*1A)>4^D?jGI*qze8#tvnP6jVmXSmFM;SF%{ZiL zl8i9&VAnS@m(&EY_o~Dwl7=|GA4c#`TFi1AQWEsER74$qe*z~#m&X!Xs%W=R@W;2qUMe+Tw|i0Wx?Ef)pPvna^;pW$=XQy&=ML%{R~65TlT^@OZ| zTG4uKo?=lDV$=D%Y7!8<4;N2hj+?55fF)qbXiN|+WJEa`-wz=Nb+8rvU5$o%wJ29E zGfi2DGoZ>CpI8P*3q9&;;o%rwMeT^M4hI*t?&B7a;;;80VsEm$gjFHgX{gBa@`D-^ zkFU?MxgdY%!_6ys=bn% z2jbJvsop;ca+Iy%srslxG&01-%tuk)_m&DVeGB_9WGRH7PJoz>Dk?;AAq(>6S8f8j zOg$8g|ku#z(FD_t8U~ytp}T~njgqxSY(xU=1u)0*RohbH}F|E zoOJ@CZiScqotgko95<(*eSL85=4Lep`6FtAWUS``+XK;lbN*cHiTgJA(P5XTm z?0UDBoD%Ucge0_-rtbSRp|1;GhiAQ1O{N;6pd#0xJiga16uAwfFEPI_z8l|2(Kh%Xc&W7gj6o72jlq~VN6gJof zWx@}h;vnNvSiNR0rx0Riu@RfPCJ&59NtXN_MnNDaDeX^Pc@i>dBS;%7JuY)~8OKMR z5`|Oir9ZND5}(#bPP{GpU4aU_L+YFDjKl8gz|A_R)}mr7#rd#ns-t$eeaCg$SdOm^ zl<`$@63>qvq4CsnGJqy)j)rc`*&_JiXI=ME_KGv*?e>%gJUxwBXi7tQyZ{ejIGi@csAYooVMh8RQmN-$XrsJiY%D)n0hjBXu{Qp|P}C5%x_M8Z za&zO~J{Skb^jBE_>7@6t8Qirruu&+i_Po}%gmy8Tt zRtUt0jO?@-zO<URnJvw)H-p2tgl{t25|{Eho$n zn7m*4c3hq)bakB@vQ6rmety?_H3ETrpY;GjQ2yQARfye|b95*6p_kbLq#3_VrE>`C zp6t4u=<7=&734W21t%1%oVxl@F-Kbs@u#pCWWsxEc4_n|{HIbU%@-e1DbXPiai6D; zKju?rw)m%u^db&gheNQ-%ez{(1mVKIbGk~IR_XL?vU72lF|;@A?;>?3Oap|>%&W1L z99w^OQKZaHS!q?|I_}^{fylmBO!Iiyo%{Zul-9UH|?;C`2=_A`)V3^!N_-V z4%&^YNey@Hv=|Z3KT(^NALBEv=2U=EI#aRBtVV`-Xx;JhwO)eyjYD}U8Lxny=It-u z1)Yoj%97U}ni`8$Zj)_6z_8CAztkAh`tNDn>i{HY*YfR|fLmNMGdbeBbzd7oxzA%@ z;j{O(uA6ErJ9SY(k!9Tk*(RK3VQ*NXUY4mv9u&k($DZZ}(S(wv>DbBI(CVRNdNuST zTlK-i=Ca+ST9d?*(c&_$J_X~Fn}M-%|60}ZN=I{`f-xoI7yB|`?N8Dc?t7dOmx-s4 zudGb}7DE(Ch^?vF-YBYdh*{x|n#1OoV6jN;G`Xazii`DKO|wcDUDx|}y93M?pRL@E zdXOqj!xQ^VFc%Z0C5tEb(2jW@t}s6$bxD?8o}yA)RP)#D_w0}oT+SI?6vu^}&7R{Z zsf3OjR&$`;T?1{&t=?ZY{7)EobxM4_MPAq5l;V@-LU4**vwpuGdja`Sw?0SCq zwnVb@%7*O?orpVGOSlL-HqL{MrfN>;LqZMg=7&BPlUCUguY|siXYT2;bLlbNMJzrr zgb`oAJI6jcA)J4^ro|sFHRRJjV1nd3;myqd?j!IYfhp@f!$)a-Aak|d4Nz3tUsXx(F-8n4Sx#2S1 zX?!xTfy6wtaMtn?yAvVoXV+I@Bm&)i1s_S{zijmaxfSdlqyr0`Y5w0_=(+-*U)iTw zZvEa0w!1UoG`CmozdA0DN2%}muF`FCZ^{;~eU&ckXg@a>#_>Ge^mo#aaJdAG9>I&< zAxzZs&=;t;gV;e^lnaLD&93!D=N3lO9lZueO2Eq5pzyBZm(QN6lApyseCG!>`B9@t z@btkww6@i0)Agudy0GnusVL0+$ghwo*DvV!IMhsD9vzuGwK@F4IB$KO&_zQ*+WaaJ z2}S6E3ctK?WFfsq^6KU@qP>F~S2_IX==<#iF& z3%!X^s|u*~=Pc(!1&*O7SWAy`K`w*AmfY|Gf}zOpfrKSUrY+8w%9X$;UJ@eHb@1HQ z^7A835yu1WBf*mpg;v+?=qpfxfw4E^T(<7^&d!rj1N)bs+cTsHOk}ixgrHvLB9LBP z-_tN!rjXBVW2JNNro1*#xT^Z%Fu38mlR^KU5cE#k*6oGQdK-be)%JN|Q5J(G@XylI zb`)Cm#TQM{?jk5Eaq_yp7V<*pjECI_a$fi?ZMePaOF?VsG`0NR8p-#9-d|p}cBDQ7 zTOvyeEx2>;x!9w%1nvKl87=K_`NnoNxbE!|w>#UZgK_agNqj}^T(+fC?52N~f?d$h zIJY~VVaPLd+1c2}`UahE;GgCFs7`f=!Od>>yZu9%s$C)wuAQs;!tdw7A@Wg{e0Gto z6#=3}CL^qmqG4XRR3=Hpd+kqSKuG3C88&d!uw{tGgQ5eL2zN~#PLvO4=)NZTIq0=j zGhzR^GG-QGnnzeSTEbsCE?6bdt9-=n!hI4>t$^KKf5NPIZ*Rem{YKK_xw7;9wgbWLriM)YC^B_ZB5 z_4Few&)^&ZLbI>-)Q8l$Y0ciMmFoJ3L(>UaS3I;uMpAm@G8TN+ezBTX%v6!6!FT+q zZa1!KA8rE!Rb{?W4euOy3%usxFi;ewwin=MfNxi-+LBsV_h=R}5ZM_C?+OENvC1y+ z#&@=tOIZi&brIOQ*DEmy-JpuyCP@_#m%&6D>TSwx8gOzm4zl`}f4hIqbiMjxgR#IMo|zg z9QjNXkv*V8UaUTwa3{03!|Zk=*Ic*FD%kZBOD;L*QUprnkg`(7VV@XUoje4 zi#8*l_uj^9<06Gshg^Syk2v5M!vT|Z|IPJJhS^spTi{Koi%QmNtze?JQ7J))z7u6I zO8(xfYnePV#;okd{hz8b$VZh;LJZjTx>Xx0fX6cOV3$-3zZ^C$YiaQ+uZ{ibPM6L6 zh9XmPg-cIYZcm4w#|3|Dzq3HPxP7INLy9=d{c=}L7PW>ZpP)+(C#|Oaby(x~sJ^tk zOE7_x8lK_RhBKYm4E!i6l)l`=)!E{A(IoP?AT#+A^)=}JIK}ClWxXqNsxy}v1*P5` zAPzZXPY5Eza9^dIV4xW7UQcrRuM%pfvY$gRTf{U)6-<+7g_LP zhZD0Z1SLigy}ns*w*W+uvBxJG6f&>QGhIVIeuNDhnhOqf^dLJqSxdQr@>j43Ka{)? zmb+iLshMdgi@bDh+)~Woq80~aBrPYWgMTDuOv+~zXx7h63{%z3scQbg$FI-u7KdFv z8Q-6exJ4ku#wVz+IdEjrD!Jb?N>S-36V?|9F8CQ#T)e99rIpGpS+ndQh&{b0F7dQn zoePsy3C41FY;bmpMmIF7b5QjhsiM3kM~;NrTVyQqz&VMg4ml>1@%Sl)NAFPswun`zr6;|{(6HA>`JYSBrLLhYL^H`X6 z`{hlou$Fi7;z@3Hq8w3p%rq=n1WE~>Kaek7&-f6Y(lwsfbqq1# zH{TPIV+-H-<-(OgDad2O&JVwQiTdN)vhQ-cNqa!AI`D}!g?4l+$ueBr zA@p$UK<7`RkixmJutGoG@!91^-88I`z>cr~ zf(!6~5oG;^jn_RfalD5~P*}KLTy#lVAVbg4$E%}CLi%jzEHBSil=saMy-}Ai&vRki zCAMS{xr%Fv*{Q}g0oH8wQBq*MT6DazD8<$qAK;5HuB^EZe~yfu942c-LrKJVm1iGd z@PR4!-9_PkdO4Fo8!J$IHqg4&sH6S2B{N)3Tv1WyR($4lM05)Ekl^kq&&STNwtYNM zkv^1^Z@+IhTtoD2(K_V7U;*{;#FP#P?HOd4Jjq{zK0B;1v zcvYmGp3?%|tS^E9=cmMpeeWb4FM~!M?v(2rcbig!O4OH!U&4R+>aqC+MZ_@0%X&Wn z_sth9k4r`=$=8I<=K<9XDTEJ0rzR09w?921jh4h-VWX2#4a~#wVtv-u_&P!}%V4&b zb1!2@qQIh9ap%V2doQgT)(sqz-xFiNF(F%ha6wsws8=UG@$|bzaMQ5qI>HIAohGmHOm{9u<`y3=xI#N7)>(On zbV}aHzIhBTWq0GGQ3BJU?&DdCiVmwD#BB!R&eZ?^M z2J=J4wO43QH!WRn8PrGNU3vtt(> z7%W|Gz_XXJzO^-{D1|qbj)!L-4z1!N7ta(?KKd0`sDj6=F$)^R-<4~7bl5}I$$Zd? z+xZC%g+?pqmpt#v#=Qa3aswh6%3{}hy1pQTN{@|Klx~`L_b92_9hy4dN}e(4!*cpo z^^{fC2tvOreyV&l4Y!w<*F=l%Zp7{EdJA{03N`ZJs2^&U!-nmC5zP;N?EKc3dtTN1 z0uQ^E5BKoCKJV^~IE^u@1-C=qj~ky_!2H4|#J6>H_&mI*BmjE*f^GtGv6^CG(qP|2 zO6s%Hg!-~|s|oeDg`am6)Oa4w1xw3YN}TwD3<}zn=*gsn6vz><)QhQNIhy%T{}^J= zAiWjvxB^Nr=kif7It`mLOIGO;jc%UZ{R%%88nV;fS}&H2!y^xQcntJwdo%8?1nncY ztG8d7)5JW-1bzyp**4YgC!1)c+csAlwr@EkqPsu3aQhWEdNvm+L$J`0p(|J7d<7!n zQPHNd7W0!bf9xMmW*s65)Ox?c7*5eK=PGX$&wa(;|NcB)1m*(1BBm5t7k(Ip3!Yzu zzF24wR49y#Bu|dY;QSgSG8;oW&G7kQB=&vtc?&--a84l-?e+avPkjuoQJw;kv}9Mv z;MfE&v_aXcp~Q38M??$OS+3jIy!&_3P6<17L(Y&cW~gQ@An@`))cyEx{5I(JZ^%*Z zteR{NU)3yH=~x49W^!PJ>QnAwocaA`L$+>a_;f387la4A+7aMGA1;nK$HsZRT26c- zr89w4m*11Kb&ktbV3ZdaL3neOl3*&wMeL~eMoKcWweGgQYoB+M2lRji?IVtx*xe;{ zJL}d|%-Fo^yc2WB_pQewNz?hS z!jrzqzE4lo_{=TK7U{Uh-=O3^$ZCQ-0wOJ-sri;iu(P2T=zY=m41`LWY(AF7Ivh1A z>dg+XmtJxGz3b1@id9K8m1D@NPPHe>BBTU99Zwk)PwapGY-RVq*d6#^@J^G(L9?=o z^e%!3=dL?T7SNB)H?N)5b1f>_RGn6d?0@JGR&m}F&HyUog35TROTdLB#OJW}=~M6j!8$aI{^Niwj`K)9u7CIGIlpUhsc$kkVAQ3mZ3R;8Ud zY`fNbB>^Bc->&(CuK&aJr`Xv6m(8XRrK*p?TSB~0C8Gm4J-9Yizr}rYX|ttV=q|MT z@cVi(Z}1%m3w5q<=)2x}!)limY`v^p?1x0X0iW{64cllrIQplfPc7Aj{QArv=6z9o z1+HvjT!K^pk{o#=8Oi2NcUJ$Ose7lhaDejOY%(p3V@N2)1SWV7v!=who{gPkpj`sI zYm-dq!1(oBFbZVR)@M~dPnq-R=%v+)~8QQ|1ASj{wUoGzYYsj^y9nLY*ad& zyg(fg_brS&d$V=dPfyLnr{z8r27*@jl(@v>Y$Z9TIN1FBHa49^{_M)MXr4IF|S8Y&cm4?6Wo3txS-XiG|C+IsV6qVpb(^kDv$^*m94po!d|hpx^AqE zMTxmtvBdpZ+dAdD5~VZFh(6F4y~0Q=fA6@N2b1K?(tj`;+-&4o1_xJa_ zqW9k~i#{4in3z_1PkJ_U8uwC|8*VOMtRz}vEdM<-QaxLqXzak#Em!#^FR>#^egEQa zt`f6CTpDFE9xgG(n#tHu3a7wBv9cXe=^Mem%8Nk~UM6!adM3#51rY7OD%JMccw5|;FIF#9Lpg$V%v`4rY*iJ7&tAks3!-{*O5b#K=Ohh=Q}DTS z@|J(N9a*;*N-+zai?rj~%qDU4dECKW>txzN8n`d?r)qwL-rRiz~HTKE3C z8Iw2g*$vXwjiXDkex_~gm#r$MYMG;J*h9IOz+VuZ+!4U99^Y8fea%7jcg%`od)ALU zLq_(wo)L^^crh@DB$X9}8m!8^m~qtqj<+!;oM#I2T=W|cqmvB7M>=4$`n!k9IN%|( zalVm`1q4Ao&J6+#CTwSCy)Q!YN5C~!AQ3FNd&ic2f0XN@qisD4i}e2K4PX6u&?)&0 za_wfL^v^%u4F9bHzi;pir+NX}RsY+83_9fb`M>6>XOk(xA9^d>o@~&3%Mb2ew{N}Q zp8>g$_q9jN#|#TG5Z`u-D1MOi6KlKx2~ERxlcYSw7Nh2xsE?w2KqCy69}h13;T(}o zpe7bG6_gTl1HQbZatmHCZlzELr6>Bvk48Y zy=rC`JVCsp2(i`D5m&boYoN{Eds7EWw1eo_AHhnAgkg z`}g{e6i$|j#a%j6hCLPo#nxJNE7#+7m(2ThPdf%wFBocGL)r2buR4FaZYI{l*5dB_ zqokCKCX4xVI8>*t62~?c@HU^Qg0@UXP2B_DaNKXYrZB;Txzv|7vF3|zL$PQQ=C356 zu14eFgY3aMN-&h!;CV)0Ei*l4rNvIuoQSI2U?tD(?mCzHaIY}kA(J}K!6zWzL`3%K z{LOZztNB$^f0e<}Qz_c_t;dm=_$b6fs4IelsTnmE^BA#jXNRW%PP1(ySyjmQgR>+} z$Zw8{uSSNTHoQ^N()!lz3)Ome8s1sY%I>1nr&WMkdtt-Jn-48+ zsU9FcP08q!p_PTNxTllE;zFYQ|HTAL5qYY;;JMoxnF0dwwTmxKyl#9`pF*fgmL8uj zNSy=G*$hAN;z#G;DkWsmwb0vN15Y4Wk9bNfjx1>`*%O{v84{FOQ4-YXTU78PN-QM_ tGn1%38yyW#XUw{vThd`dk12 delta 143162 zcmZ^LWmr{R*X}}8l$MkZ32Eu>l}5S0RaK&?rx;JySuxavwYs?{m%E} zoPBM$uDw|?)|_*UagTA|ll%#!+8e}ThA@zYFC-5MIMN)notxJU#-JuMFJ3ypdMkfC zVi@3S9=T%UfQIwQi_~1o@2!JdmCLQK>{Q@u;m}`~-4XrsalEW<2Ll7Y8XQ;V0vBT~ ztt@`VzkaB7pV)Sag(KxyR;wZfjo$dEV5TXx-fZGxDZPEv=}u*%`w=qlFJv za^UQO`kq%)nkx*5(WNJ`$*OA6L8v=MCKfj*CaF>s7{P6LaomWAC)5#ph}*OG1aCnb zhOj)`aP&cn`P;913ueaZu7$xR%i~Bv6%}laF*idqS|T5d)645ib8BG{zjM>Y*|mgWslxPBNU>*~btr&^S0*55`%$MqAtG z`rN0M8V3yxwR=ebG4kP&_OdhQiUywA3)F)Xda4*%s)W}B%5SlJe26fOTB#bcXWkN` zRiVn@$R2JT%*`PDnIGSt>u!(;^i!UQQ@TZ z@nMsZD+99ueOq5;W3<77#Kj9(3)7va7hnWfFxu-^gnR*`_8=Mv(Mj?pJ<1)6(I#Scc+A>B(Ze8h--8HJiMQsQCMj(eZJY zgU7u@y4GfLghFXbRS!OagSd{>clXpq&pmkuzZ29 zak@DO4-fC+;u0roT4g(*o0r$y)6-^n{EbZX2|PR{MsQ6{&97fN!oqNX6vg*OpWB(~ zX&M?DaY@PB>uXIdEta^x=H})?-MSNZK0{G{&of0eHFh>OXM6ju-d?MEG-+vRXC7TW zJw4sOuSDsLo`sVW@ML6i5(a}^UR(@xcffzzx03eq5)cp&FflQao143{vvY88Fg`wR%%Vw;gA~xx(gTH-CM>8=oj*EqJNy5`T z&O0^E>%NEP6elZTquUT0)SHp#melkmBE;9@RNiCLw{;Vu6ExnoLdUoT<6FWfkj$>r7o1v?l z;TU3^nG$)a5qdl9veB>8H=(l89+lkE19xMmp;{r%VmDV&W?^>?!z+( z!t&t)HWy5`0u9emlj}DR->_G>07GS7OJ_7jnSG#!_4@0hCY0GlyQz7*-w%Kv6OA5P=wfLg4k9lf4nyOd%BgUDMK+@Iyh;QJH77d<<&Aba?9ou7-u3*7j z9GD1WacThocdW#%9rN|Y;o&wRGcl>ycr8~?`Hw(*r5tTt?HctTN0DM`?*C$qo{0c|TIJ^OcVt~cf0mz0mTtL@hL{bi+2S^d}I zO2WR-dP%%nc-u7c-Qur@Icp$sKqigx}*+XN}pLt%G+W1|qbRLFX&AJd}+hTstA~ zqHL4l^2Ay9x>o@xK3wWfqaK78;!j|;>6uD4RT${&N#t^Q_>-2E1uEd(HjF2C1t~oe zaye`zGXTvWhN#0x1bhaV3KH3Yt=T%OsrKDzZjaXImv55%!@|yt(rnoVHC>fw((a>= ztZI_Z_Bi83QhcFE8?4r3X9LCBPwj?1nOV_3!{zSs+I+VpyQ{&AOn^Q4o~xe0cIx(< z8I8cF>6NSc@SpBMl=E_qJ)Y%-KUy#uBH#q6*AY?LFp34A*f!@!X^5p4T~u)EXQl;j z=i?0{R-<_XAKnD~?G4-*b@j;s{R)DI{hd!u?goDFWM|ktU0v>HTf;w@jlTS;_4f9b zPvjAQ`sUN8Pjho~_)I#=%8r)@^H5}>rKOe57#Yul^)7q|`Qfv3a@dn>D+>$5yN!F| z9~wJ}IrL@Z4=DaZp}DWWAI@)Z^Y-=@TGBQ3^>l!Fi;DJ-wo;z$wcBm$Z0&CA)Y$)&PPq$GcykCNnbEMi zTl4U3B*N`W+&S1uFU-`^)}CB>zc{*!Dxkt=uM-y>z2`f!y092s`?R4b->lY!gcYWKnnl-3EG;LvO zX>4MluC4t@G(kdOb-G)1Fdyvx8fyy)n6wq+;+?K=oiJycDgJY>o5`;pWVS3R$DQ)AviQ|b3j|X=}iCEie`9?q)tO=2g9;4B^ea21FtsSH#PPws z{uq8Q^%MF{u7#CVljk`tJ3F?X0-g+8cyUFA&(RVb^Od=!o4- z9IbU@awN?2iF$e6BA^l5a}fe>>FMW6j5;Ol$}LPxq9Y@PksW$gk8S5`$H4(?2mu&c zTFx|qkCAUAUH7IUrM!=p{-lToLC`NSFfb+tC!#Y-I^+2G*s!F!yuAGPZ=s9BOHI*% zK;7fh?YDKePyPPDd(MZuLxF32fbcc)O`ioOhwb#6Xlc$OeLX#;?WKwF0m`jEY1#TX zgU|imuLkk^-grO$QAz9Q2TSdbntV_7qJ-3@wn6#Cnyt0r{yznIxgjTy>I{}P+ImE~ zlBkD=cte9s=1Vt%t_-?ty9B&MR1(jjD5kILV{TO7Vil8wQn#`(+S{IICW&TN6wb(y z)TY#m;CzTbG+Y!>XLneG1hbtk{v?rBQEhyRJnN*xu(8;2Qf4L#>RilHiH3$B!nhcG z(Q%l5mfRkuEqo+{n}>#OC_%&Vq%G1Jzkj$vTk^3nXIpbs0__2HHzG68b8C416sO4b z9M$z?3n%$!y~%0_$3T2?grtQ_X>akd0i)L`O`SLXpdlza1kJwZNq34TSgaDG?W zgyGBZHSDY@<7Nn4Ypb~WXj$5~7W^g$E5s&92)AenHM~-6w)sN;lfXgeDet2%^VlfH z3vrt^F7o7#m*V7a?yJz8S0KQcrfj>d(ee>1oJj z!CZ8liqumvf00+flqPCuh^b`W{rxLjNb@H zu`L;=i;!}t;jCPkmhk|VZeNu@apQesuKy;S)okFK6h(P8a!JAQA&{y=W0&RwpF;f zxp@*78ob;<8JXVN+S-m@KA#&lZf=jcYKJhl)nxF&!NGxS=BxE=Wr1V_F$V_+0jDh? zmp$q5SZZ~(`(P439juVz2{SIE4gd%wlMoVmLy_=&chbznBp@)5QLnzbdxKcO`)6Dn zw`t$cEQRDGey@q);gbCP{K7)pt)Z04%1S=s!!@uw>iYV+4K;#9FiDKOK)cFzB41NU zNePO(_c!Nn9->`Ju05?_w^r@c?aTJhL{dUZF^-EWRGO!wK<+6`_~zgtB(Fzqe227v z>FwM+D-HS>>v!QCU&K;NPo#B;80u%dvCrWETH4&TpU56KdHYdsaYB3Pa^sPGCRe`q zvx3$UIH!-+Bu{~F(is8bl=1jGay#4!t;-JAJ3G0H9``x<`7u#O#TtE=yjIcC`Z1`ksNq%w+En`?gb)nf~WO{&6d zPi#F*`g;UXXEftvNpMG2cDx(yH;QI)?m(`-nK^Wz#g4BQ8?WIZHb<7bBSSmFZXp7K z4~Qpy4x(N>Ge4y>?3Zso6I`ZtV_^iyCcUGdnqGJUtmv5#3xavInMtx#m)kqzd7-$G zrwc~7`WYM5Tw3yYBjw;&hFP~Og6tTHxTCtj$+E+SsE@e$Gh(I*hjh$avi6^?F` zB`tTkFayt>9g2Ts2u3LIg0DT*G~X{zP8+>Op7GjiQl%{@Sba;^-Q*EUSCC_r_m+mO zrYR5ls*APTcm(G87y)!b4FG&BvPC(uh% zQxmdXIj1~5T})0+?gA%Kp1O8{4bStN`|&dg&PGZv*Zfg_=e2`01N=)3Vvex)$ z@(Eq!g%9kfHHNXKX7C1N)Ra$`aiF<;sM0E;E~eU|SBB(^h`;nC6C<4%$i zLg<0W{2OIWC2FC!2I>oY9PG11^bm@3zGW{lPB0!_CjFc*MUmnUxj1y--=mv>&d!$g z;~G8z93IOAA&O;0F_N;Cmts%8I*|TzfIs>NTlm26c=bhkF(RRqJ$T)$RkETI_K0)Gt z4rkzVH6o4da}F0y=ayt@4B~$4Hg+=NCy+5R@?lt+9vN&U%lgg6%|Ok}&MUw@Iw#fy z`)20Fg7v~bC6@gAsAB+mWI*u4kZ)o%_PXHwgH!e0b)M_9>l)N;%p>BwP26ZAK9>TA zkkZnY{Fm?px((p2Z(rv6=$fYEejhD$lkxtAQ7?#}RhWB5R(G}@1xlr~J8+JaogDIe zCjE%NpH1y1a3#ts+U#0j85+H@*g3j_;bk!`7?jnV&~G#^d>ja)nh2Cwb&yIIx~?=7 zbwtJwqE=M@uu`#?(6;>Y=b-=r-~aP*QHdjp(lUrg=Ciu}J18)^+k|G@gtSRPbiL~1 zFOvsK+z;Fil&n?u8cn1a&C_(3oCiELrpM_DRgd&kX)s&`1S^%5#VFhZ$PsUy&uuq% zyg$Cn`fY5V46vJslL!3y4eytbhMg#3la?ZU>$W}nCZ?QExg%}Mol!xkK8b}&jNDdZ zZzw14h9_Q!_)%(WoD_6J!<_}aBJ`ljuyvxxe|Us##xU4lU5gNsbEP4>^x+j*^l|&lsGQQog-+_RRakz>_FparyHF zMlc%T*QfUWaJFCaf~V@Ys)FP_sOw~3%rQPWZ2rs8 zF#DA3l#g>E!!AN}wO-hN$yl7~>!J;zM^*TyuWa(WASAZTPFC+dWt^YpDOca(7M8pVAZ#KliihiFVME)@$ZG7SU)Wk?a;7bUI zj;*huY+#r@TIM9lD`P}{-+h{Xt6+!}(p%7n>@&BoOGpp5)R*B^alRMa>h-D@>PR-# zX8MkN(SxvtckfCswb9m;oL3SN2EjyL2?~s&8Ao%Crh!Z1&P>ydoIF~T zt?ff|D+zknM~k`E?5orfL?d`2eKdsWoi@g6Pp-LY5?w`AQxj8n{uNE4gw+o=Jg!o1 z_|b>}_cdh}*mAgr9dms31Q;4tCg4mDf}E?OPU$ka!_ngjFI^NI|2^B-kEZf6dYqlFEkmMHjV@OI;L{A=_?;u{qTT#Fhdbmc7Vu7<42n=T zgc4>LJR$l>>*ZFBb}#3_rDNHtV}%M#?R)zZ`G7^D>88++g&U)|MU{twRqi)0FhvtP znS&AJbqR(>?d%WzreJYi;r>hsyc0sOvfRqX+D!QvCl@&%4-*vN=&B`kBt$oev3g4T zX9BndFXW(U!XG4)@-67>CEqJoZI}$hP^Y-4+IyHbJYYNL#bM&C54c;-*X4~dKkr)qJNXlRW~hsw}hCfD=4n`#P8-W{(~a3g9gKAt4OUWDKK*CL_SD@X?Sjo@KcIklleS> z;Os_|2>&k|3A8;NJZzAT#q{o5Qb*v7h2}G}qPb+Y)Yy-Ord#b_hC*MBb_RG`m}w#& zzI)gW^&eaM&FP7Z9jh+jiL+P{g%BWXYvVs@_dO|7+Jz{qx;~~CH>8b=>;NVR+S5k~ ztEfSa%>-YoL02pQ&B@K@a|EAHH-2tJ8YGQ_yRDtH%>HoUphw;GtY+L?_*aiB`iGYD zphTZvK|xO=rP9AhGI`JK@lM6T3l)(L#s+UI=-0C_kJa2S)kM_!*ngu2e&X%o?O2{% zw^Z3?=(~|H!Rn~OB!5}=w-kcnxjD4l4Ymfuti`J-qmu|~s!wR1o&`yA`Zn-%*{0jIf+Yw(NS$Y~ulrMKE;Jv(V$@y*y>O#t)TzLy$ zg-Q0a;=TxolDshJ8D@|>$5bgBEj@wzou3-ty6$%FHae`jyV!bo@fm#0n5>YY=uiF% zP*ok*N+9TuW0NAq@)^gz6!$I_qjxy`@J43Y-aSZ!Y1c9b;kphCN;bw8k3rP4c{PFf zH=o@L|4nTO&L*U@i^}w7NfCEN2!3j>z39G>*_u84HCL9ksmP|X&WCW#S zpSs)fDa#KlM|yG{OXebn=XGs{6)uFqVp@ti@?!iiG9_vm3iERFDH3ee^(Eizw9^4Y z6RK(|N_=jVBTZ?mz3IqMa6U^bDPtq%&(>~Bi^VMz1c#Ji`=kAJ?+G_|Pp&jSr6qFj zp3Ac7BrP2pEsK0~-2r=qqnyjfcz9;JBo^0@{IOW#WU02zbEDN%9}`67 zL9)-nlas^W%veTPPEEEcP1MFDh&tXD2oOi%ONwM;Nppgip;g4g7OJGe)CyUbbd-)| zEo4#eXX10kDX~j`v`7>s&`*!Z<|$*FwBx?CSdV6h{)Ci;0{g%W_ZzZpp@*V54?d{3 z$^CTrAqqxhEgM|bNSJ6c~Ru&*IQos9h_U+@+ah_zAgIQ zY{?A%3%EoUDNeF_XGX?^XrrmJ)+;N8lr1>`jf4uiW`p!1N{rBmp!psq+PqDBySWIQ z7ygwo9l+AMrQ4~mtcWyDP;cEOh3f{>EQ?bp(A+t{{17z-8B54`2x?mQ1nN?A>ktD! zU+<`ok3ma6r?8;O;ZRdg$->K3NJf;B@(m|9e^q9TT)Okgj?j~lXkLYTULIzsZ>_|; zDkjk`&gZMCsY^hV;JCe!c2VTDZ>wr5ZveUCf^Nf&^Et=JDEWv{6ibZFT=K7^-ru9D zKd=Em*_)N5OPU{`>;6d8)>C#h6Qt3=_^9~E1bvMj+!ttxwe=>0!3hBiStcZu4q=TpLY> zLfM4!+CkJ)BMuJ`I%L#?kjJ4>EcCD{;moG?ZsZM;;BN$dQaGFewLTpG2-?z5+KX%c?n#~R1rfy zeOoO)N!JzCzns{F@3A+>VDe88MN6(39&owmBWx|?uXfzb$;k1Q_k9`F{gc(=TS`(4 zm>gsz>~LKP4urHBK2PMZ`~bsIIgrTBcw-HTaHv;q#&WM> zd+i!ypbD$70H&mDJ;EqV8vxFDx~>*rx_f^VBR63d%wBH~5k%dw%ENTZ@pgu)r`$|E zHO-G_jB*T6-s|sU&|)#72!2W)>AoLs^t?76Gw>PaVF=~-_!&<%6LE}f8S7qBESc&% z1+E*KDB%nx0pG80cxWbvl}U=I{hc{Ic4)*iAEZZtuqDKDw_T7c{ zjxnKi7jNoVH;n)g%2LwS2^AyHp{3&ht*Ik_dpN@bYp>7HzS>e`n&RTbx}hEUDX_CL zzL#51eDjKpHls3JSG)5$K&%f{4EQ7h0kY~UN;fQjFGU$8pxcSZ5-dh(gp2*JOFh|3 zJrMxu`;oD*H74Jr+6sPoFV+2BnlfX3TpBT-nBUulZM<=(w9Z3tW<)jlXWClt@bn}* zf8B@Wcz);r9*)kLxok7D!J-VQ_Y@dW!Um^e$(h&B*F(eh{#z#9q}FA3eGyy9o?6>< z$N?xKP$!57CKj8`Uz`&%LJZuf1*pH&I6mP(Yh_t6rqbIk(Bn3nWQSuo|f(Ak;@Pz*}%HFuq z9Y2`MKh6ZnQ>t{c6+$JVw;~WOLdCqT%7WVP@t?X7T}H$Y4%L52FpedLf=Mz;D#Nfu z6{;mEzPoa8kVpDSQ>oAxBd%kjYKHvhc##+Hnm?kKd+lJdM4!Fq{rTS~ZLu(X6-8XY zA1gNshXO($L{QR|EuwJ$HRtRVl&7hffWP)#Wv8IzsM2D{Snk%iSPSS=V1!a)ybR?2 z_XZ>gaZsV$p;Qo~kYmzLysjkCadIeaVc9Y)^VNzKYa-#1o&Jl9`^8>HklS4@Hw3>!;)| zk3R{g0jMk?=%3IC9N_=0R2w%tG52#RO8<-p2o>B<*VWD+4c`2{|5JTCKhd}7<4(^su>NCl3X?EV5EE9& zKc~9cG%EFP82;x}=uAR(>jiN93p_Mdeq>+f z=h=T&##Zki+%F~15JX-quy>IC0lA^^|L0EnV@`-mq-p=ofC8<@b%yCpvP`p0VI_zU2TP5;&A@E1j+oD=uqs(CLE-D^H?1b zi>v<|naQ5&Tll?Upd$fBNo#&eibDo;^)j)sI63T2 z$QD=MF>StnFQI&pCM(+bm8>W!%#5L!E z6vONFbei|t1&!EoWz1uma=fc=eJKUAt%+K+^=qGwv~(}fJT+J0w)m=aUu)W(jvpAK86dK>YJL=#=i!*T8FLPudbcaMQO8yrE=ZIBlYpFf4+uAxl43i-5-M zbU+?yYke?tC6r5>7krjjcY)x#Z+E!1Ih%9I)H``{{bc$?`*BXDexRp^h}$&&vlI0# z>ci(i`L7GCXHN{Ge%TOtpCW~P3Fwsn$^GHzsza@P z;*Z-@SGU&#&m5PiVO8*IgXcYJWTVxg@EcZKP4ujap3_9DeaoTxlQznFOUHn1PJ85% zqd3qB7aE4lex0#3F-`#{xym|&QB-Y7ed<_0KSnZ0i{Vb*NLipeWfC2BRp)(<1Egn} zLF2r#HP<~c>^8m=Rw~rmKYQsJ^tIIO5NYRv$<<0nb6`sSwVC64FM4KaIR1y#k{8mf2e1CWHnarl7=%xrq# z9x?8&*sX#SvOioFl-D1!M~F_KuKR4cKk{@+e7!Zpbi=|bo0hg1%KuTLPEJVDvdAt1 zeA?X4bw%ZBax;kmVsYvPkE6TE8Y6&|jB2<<+}Tnf|DA|Yxy2BAH*a}Fsh&+nU0wi?IAuBZz*7Vk?5lf z>5R}48yTZT%&+E;2+$<`ol96)H7eGJj=ufQ8jOM(`?h+_t720&G*XgidlN^hni{o_ zYteI`ltuabNd;k?l61hAU>TIUhY#m1!EG$e$2kU*#CMe+S{6GQDKo*1qi3H?2rhTc zbNgQ}HXZ+wrWiq*B&nB`Eh^a5h{s3XTQ5q>c@A(MNaA8eYsTT}MYyYXZg6QNgcFS< zN@T3SkSzCB+O3eEH{{pf4X>I#`09yu8SPc$)q2iob3QUIA#vEvH(YHlwhR!HM@m&4 ziVY+-J~K?!&)03LC`~oo9%R^SKEdAguIK*|y|C3c zmDF=OZ@FqYRDF`2n~na6O3agDcSyY2ff8%RqK{x-#Qgef*6m<&ybK$AZLzi;)@{M- zx_@gi5TRS^eB&^47oErP3uQindWB$gC18Gd*mnLg27HC|8h;C}xkJzuVgU6Uyiab< z>!1imfHl^=ILUglJW7(qgp7EW$hp~h64Jw7JGvZ19#bGmKvu`{v1O48~ z;%&Gdm)lS2G&};lde3ND?WF>3i(|u2587s;moW8l>*-Rj6*Q;RDLa1<-*%}r)TzIYLLI3UG zmjFm{3CW&jsIY-aiYWT+wv`xc5sazV_4RI*SeVZ-sCC(Tfw zOOML*E8&p1n&$G%e70Pj0z)FdmYjG=WjGOLtX3yfHO}!v!bYg03{@JUH&2&h5iRNI z?<}Pjmo}MJ8U6L&JRzJcT+GSNulKx$nhjLIYXX9~YCI)H4eQ@Upx0fSri{#}4Va&z z`1T{5uVpT+=5&o=2^RzZ?w{7IS&m16-yjq4VrwlyUlCF}1Xn%ha&{@NvYwyMlQc6j zdZU?|Sbz<@rKNrGR7BD%q0&iFUFqcX`0Vs}Z<@cWSMW;Ys$!az`VkgjVPmtszTNS| zNT<<}m7g`C8f{_%95Hvqg7i!r#)?hRy*O|}lZ=Ucd^(nv36*wDuKTVAO2^Zqu(NY# zxaPshQO@6&ab?TBzHtilztajTwl>vZEegIaYK38l6Bi+JAtn3X5ZLJanrv%mTx~Y_ z96#)0g7(a}bL4J~BQqoCmBXRZQ~=$*s3*G*R#n->iSsTv%%DgfP0Z!(INYK+W;$#J zwW(b9CtR#z8?4r^Z7Uqu%^l;vfHcOXwSn<_1t%vV2x!UlTJN0hJN75-=J5E64`=O; zGcW-3U@=tJiOE9$kf&FzSDe}HNOh^7yrZNkBc;U1BfqDv{L+l-3@0XMVnPEt!xJHz zeyYLg%`pha$;nF0W!$n#Jy`4F5tP78E`ND-%nB5jRoD_AgS+Zl^*?_<#st+N0qGeg z)>GwawVCSTnmHARSge?<8^H{|=WN|&VdH{#IG@a4kfMJ%LvePsS!^~fTh~KSgxr1NFOz8 zMI+`GCxaSyBhOxJsyO*-YSI{i&Q+1SR|*~Wr{q%kpDs}`uM+$~xl4l<=E&A`GE z0E}6>`!qNi>VB6+(8bA0_YN?_bq7J5g z4l8ST7A>8k{1$bB3iyy-B==Q>7Ci)L?jG=-`$o*L!IurAZVC?vKA4zlDC=P#Uu8rk zdRWyN7^IS<#c1iMPkVn+fjDk1DhIHo_=5tjHt>#hB%#i+^Ylv9upaHBBA16TNhaa^ zh^ipOE$+8U2nsJIt^GKI-pROw!^6Wo?ptk#d9f_7&#JE|jEvw{QeFXbI=t02uB3XM z?bI&YdkP-+(|BCJIgeMad%1w4lN+}mcy>%xf|Yw4jvh9L&ENjqA4u?NfG53&)ZqvB z%|=R-ima^6@>1^SBr#^Pveudw*CkPAkZ`JyFYzR!W1i~aX^zt4jG z^=p%U{CEPWWPP=&KM$0t3b05Pm{%{H9_t>gt00`4`}KIUDP^fe^=i^;uS!iO^Nx#& zfoS&2 zhS`DI+46W%?rxwUEA641Bh?wP2Z^9CB_Fw*41^S=su&YZWfQj6jM0EW{Wdq$v*-XO z-Csm_$Tz3B4u@Dv?s*VtaNYj&e$#d?08qy zH$?nPAd_UL6`WHh-{UahlI(_VH&g|{g&@0(+YE5*KJ@ z58w_24p29XBs!?gTrV7KPZ&Q7C!Dta?yXABU-0zrHokIkM&3R^5_;mdb_OYa-;q;% zkSL;OpVrx$!QD2n=oej#_EjD)Q+Ewl->D9Ko*e?q{Dnf_U~3 zAFRX|3}D~0+lxr)6GWK|<#%JFo<21xTb4PSYn*31Dr)NFTHff)nc28SM+DCrUeVRt z2S}vVRCCeL(cMF6jrSGWC$FbUUB$Q?8iftGUr_QOnn9Q$O*!n{0$)mcBS!&v~ z7$x0TgxnlIbtk0Qj=U$4y zU|tYZw3@IT9<{2dTioQ{aT}L-1`l9jil$OVD%lDQ`>0Ax{8WcdEx69k&6(2DekeNx zyN<}nsHh~8w=}S@)?CiZ;e-mK$&zvV5jD zaAXaSiDdOe(VH>?x5;u*dBRaWqp4*Eu(^4jA&c_gLQO6NRj?nh+^Xq=*y7#6^EZJg ze2!~lGcMZ60$~ExcD%l2-bPyW#dNe_7pKL-;rcd?!|7l2j!GoJ{-Mi1s`J9Lx^BpP ztYh&j2BZ>;9LX-fu!bQjE8li#c|kd$8p;VXJByr~YirDLj++C7-zYg63;+N?abdS1 zk^{`|_(uL&;05%3XXh?(LXwiZiMC`5mMi|R;1cVh;O;`pwg*8?aI)wZw8zBucyzcx zn>32XZGDD8P=Bx`b>*8c|Lm0`f**wDpx|@l?k%Wa)E;VD{T| zT+B7r1Q71ir^>vo=4G=WCdUfyKsgZ38g)Dgts>!a+qWGn_Du{1q@%t)%{Z4Jhuopm zmF^iOcJ0g#KsxvX-mf$SU(Uq@5+3DwTGflfWWrv50>>aVyhdhve#qBT*B+VkDrZ659!flv<`EW}`r zM+4kKW0TGPr0dTz2$DcG$+h{|mp@|sU%ijU78c_F{APXajIFkwni}|9+rc4+FEpbt zbEev21zZbGd#G{^RlE{z<%PB#nV77jSg#+1RSR)8x`H8j7Zd$fh)AKE1CP<8<}r9A zb`dpYSv?Qz930B(>YgWTo=biU(DH>Un4i3dlaOb~l{z}Oa`|xZy?HY`H}@2vrORDe zjgpAKA90U!FbYbnvtI{yt12o5lQ**$)d)arWB>x)a#%2VdD|$U^OMKuZ1Uigl4ua> z%k2@LrI1CAaxTOU$yZoglUHk%W60ksHmZ`T@7`(4>5h+82XOVaN-D`_{;Kiloo9s= z=*(rzHj7FsG^ng!e;<6<9KN$0NJNw_2!Fon^u<(M*d7M zTZ}m|#&#O_z%@rv4~wJ>jkl+)&l*8f1VPctl1kD>#xP`*nX;h$Y3ZoYmp6mr3n=>K z#^dcWoLgZ$N*px?q+dxmTfpAY0?jjTPu^2Pj&ksHeAWqRxH9CVrx#{-bM0B6S2H!* z>T;7WK4_?i5f%u+DXcY3sGO_yzBZMUD+sKuji{2G?OfSealY$HYA(Eoq{S8UX$bgR zyR}@rL+0fi@pj&1i(eV^7zK_(ySt>Cmd^VjP)p-LKGRfScaj8tywl{ApwfK3o3V+N zX}tEtFC*vSc0DaMeW-hM+tk>ZKLN>3*1uJ+@whqcb`TH}Rm(XZYzH90!ytrqW}%%1 zw7ChJnz|~n`l>MyFS9+dD(58vN%iB!6r?CdHX5?fe%1D@AFHWhZL{G=a;t@I3@GCx zCp!=kDVItdf=KUW6*U@rkYR@V12#d(Yym9Bg-BKch8}4#) zS>ti5XQS(5Z~v__W@C*;Q1?ZX=Z*E%UX2WiK*-1_I1cB>oE8Xe{uumOaka7U<@LbB zXSa-qnjn{=*w-&t>$-h58!veA;IlTde_Q6ObwhvC{v#M=RnW_$nwZyt}zS=>#!ILi*$%Ig`34>?%tNlZ09q>(QeAo9CbiL~<&so(D4cs-iV$fu( zJFeZ&;nP2veoUXK#%Ign8)~udorGJOO3`gQS4?V0L~5E?`JR&#*QPILqbujqUqm-y zGh0c`P03G3C#k8K!!H_@S|opp^4AZk-cU>NohBbr$+WB#U`9T@y~l zLr|;zuV2ZD2^(Cu}G?S3PDKTEfJD%}C8h#$bXLbI_@mOnUGmnBU_Fn1F!b0u+>0Jx)AHo=>P{`~Ch@pg(5HMS_d8GkGflle(rVEhS`p$2t> zy|EIrvkC-Ary%?>ols;JR}m~H`?xzrsUn&vJ}SvJU^z4O&4;@1u7p#S0%O-AZ}8rr z_~P=IfaqpvS-gmbhPLk~N2GifT=Vz#vO`IMTHn$n3mFJWsSR|Bam?*+{skl z_Lf`IwdBDWW`iHbVK8?D;h!e&xTU>40O(Xmq15!GD?mkB=&CtA2ZEqc6lxz>u5+MD~ceDts{W))(s`;;F6L=o_rjMY$6VxgC9%WRn6yV6J?_DdZSK&SU zxr;hXWy0o4C8^!fvGmquyPihytA)}0a9SYv3#pDgfufrKKUhwc0QQ+GIxApzxt$I! z(fj_MKtd)?(C)_0ilci5fqkOFtd$TUfg_)gC3|shTIF%t%^2FcSYE;QICtW8>g%yZ zFm%^KoO~p$p5uBrH^p1MJHy^IkaTnf{n;N!^G9k3otD{yduCTMMHnZImUAEiomMlFAkDW}nHw?ie$l}Lo&CRh*P$(kyQgJvyBkU(8TkZH1}UIw z0f^}Rho${9iL>6+EU2s%?e__BwTkE2R`^cjN`%$81`jClIie6)f z0x3oF^~vrUFaBdj%Hv#w6QFHR8uh9Gn*icho{^nZ+?W+%;5_+{L0f{jiK-}5pJKf^ zp9p~ZC-k(Ce5*DS6@a8bG{(sJ|5Xt{lyf`~q)O{^v!Z4xp=ZM{NgMqH2o_UT{!vx& z&hhYr9C_ps;r}{%4M2dTRi2v`2JdUaV`}3{po$j}_z?rcjaKFJNcy3#v+!oz1sX3lLb4-&|iof zGKbP2kPNK`_O6%xbTnq!9<_P)KMeWNA}Wg~FN*{PPQ;6C5i!o4>A9)&uT$yBky6OO zg*w$61m{;F;?P!bbF)B*$DVaqs#iq>?Sm%6*9rX9%)6#H&Eu*B6nPrNl;He-rnTJ%-c)wVM;Veyqh<4JrDoLe72VrLq>8Z5;2 zfgWS?MWN@367=A|`eg8b1j>5v|6jb=gz=zuF9&tgn(9?zeG3b*J^=7&S*`}2eQ`hg zE=#3ANGzMLt)bI+D|L01!rvcuUfe_e-vLObX;xCxrG}>eygVUYhT{9?agJt)RY$OFMJkk@fT!v5Rlk^r2hN4w;}!jJv& z|1Tq;R4HUN4bg}FV1Osr>{sF`1{T@}b>qG(GX5}>3P^MN=(49gI6!n>J`T6kac`cZ zYH8{}jB+*%?SW}jq>qs*c^m)x+k0gE0BJHKgB2PH$p8EW5_7fWHP!fIAqh;|VL5r2 zv;m8`R&EHbv}}FQU8b#I`jc<=LbT7Xu-avwU_9%hCmm*PK0XMLB!6Z0D!#(doiNJS zG#!#*Okcf`X1g&r+kkcwPg?Url?EABXsC1#^sh1)2wFZv%0QoE%l|{xUq=P;g>9qo zV4)I9E8QR^jkHKgN=qXl-JPQ%El4BX-QA&dcXxMppUv-izwf+fJ!|oYz`}u<*?Zsj zbziZ$Uf+5-2{9HbXUvu3OLxHS00v-W8b*M)X)!1sN6<|&+u3Si%lCG6&jV()vl0T7 zs<(=T9a(Uv?-%Wd4pA5W0oZZhTN;+(q3WxB&&ZsaMr{}>WM!K_dc43vhyX=WfnVv} zm(Pp?LM`257Q3AUeM|B+mo*)yRb{3|3N+qbdz*XdDOsZp-g7%JB9l5_f_PFTr;3Ss zK&=zMGk}-N>|!(ev{3elh6A54JS{tm@omES!uh@ngZv|>E1JK6+1f)!>{Slf5A5Yh zzZq&W#i_$OOF%QSq40c#z+$=i!S}@6Xf^phwo&;emv)QgQ$ZTYYA0j*@f$H=;{3;c zgB1iz=i~^eSo$ykS=5zO%qB7cpM(0%JxBPXmS~EVj*1gX_y<`jiHm|_j zBie7ViZ=L`fIy2WUa%O`QI=e>i?cFK1PS zc3dx8{#~!iFoA9TI5-8*GaUUHV9sCgCd^S|(u8*CFw>eC7yD;R+A1Cp9;#K|1X=Qd z{YUKG`@axktql^YlwEkSU-YU4o3A{s>>nDPw{)^Q!6y}xQ&;`C%@QR!II2Kz z%xddn`U*{ho=xZDLk%e%3_vahH#Gou$SpIakjwHbUiAN2df16;CN<(Yes} za`gI-%kO}f7SlAO0QcQw8Q47jAiG3Zw$3jr-<2-+=8&%H&YmMxj+!B-e*~7h>pt1% zR#53e^ZSTPLzL7!92VY{LqlsaVJv=lzH>1$=Pt&tye~%6s-iF}is*85oy@%Wu^t6r zUyp@XddpY$!oXoWIX@fs$6gpOIKun;zk|ydBWea3_pBo0XRI z90F%5yOG+!&j8P0u=CZ!p~`+;G)K=R00kmFBhOq900Xn;r@^vTXuq|9tY4%pUEP^C z%0Kx**X-o-aheMd#{yb4P*(sIbimboY48qEhyV(B-47lYhm*~rk*Re%mX}cCkdc5p z1II4!64Fn=vDmi;M}FR{rcI@e)sTfr(x>*7L%x-!Z>4Z$>UOC4gR-_@77k$9vN}iQ zy;<#f%QnT_6S;nUbYsO>M<)L@ynSYrVpI||~npL8|Jn!acax!mk z`choK@536(*Nx8S1T;C>1|4ptj@S}`DoQP_ayOJ>4OJ*^Y6z$%EP_B$0%+$WBQ|Pk z>E(fL7o)m1x-*o#Dw8QL-$a)L81&MABgx7us+OFz{}`zO3>E_!+;$yi=)JN;9Z-Md zwf|w83M{pnBkl`{xm)_g9#i4EbURl;pwF}dugVaJkc1*60%4mnd(A-UfMeH-1arx0y=1haPuGcQF;ixKB z_i7WSqQpYO{X$=nuM7@kgsvA;ml5jKwoCmBp#kz=do-%|8V~wP^6Wc1dRUlkiV8Qz z|JEJJ97V1yucB=L%&sSwht8DCewTgzcw(R3Ix|22HRq-1Tq9pEp@v?@XFBY+7fxmV zE}umAb}^{>zS!`6jOlX;mNDge1T$z95f%{MRsGujw>}=$S4g7u!W%3=H@{e{m8cvX zDfJS=!2+AsW(xi0=Cnnl8w=U2FpMu1E$AIoonRlr0recQrpzmBe4r2F=hvf03E#;v z=t@TwNs>-BQb4;b)lhgUP|wiTH^*mx`!%t`Kfn|I66z2-XuZqt zn>LjBeaAe$&|sz(d+7eS_(5QedZRV+e zFK|0I@C(l(t;G~B5EhDhy+t3z6e9E>Sgh8*tq2rV7+!4Ms4-zco^nuwSgFeDl#Ofq(>MYwNQ<$JqNm-3(+TmwHLj?eFqiiA<7cq#YYlJd}+GL{b*2UJ3vzGWT zWfPv(Y3rCe-u^2)F^L#F2%hI3;ceu-ZY6Uukx!q->qE|px&X8&P*mPCn{dY!0|hLO zb?soO@e@Q)oP%%C#j;B(3LglK$3^-Y;TqEbGR3%B6!czI>DIS!3QN%rpFu`c!t7Il zG(rDbwsN>V!Tdb`8MM94{en)9^n9297BZ{W;d9$HO&lZ-I^&XFFu=3~4RYNxC zPaJY7U)Fq8m1PxUV&iM9Z_j~(5C}t44RHS8Z2?~m&vohW*mykmr7!NXQ6+V0-}Ajf zl3hg&rWDms^P=Z0;V(SSr(Z>J@W|YD_)ooVnO$sMdfoj`UJBHBKXn_E6`msey`(|) zMPLrs9V@8)eVe(?zLA@Af11QN6gGF>{U z6H%1)Rz25iCTT+j+9%@*2lkJ5DBCC)?Fg=JFW|9kKNW?1sYDb zrV7`b62i#q=sHXDEOwLEo6%k*WeFm@dovC{Q*1I0Lcc01Dq;A}{6I7?;6N_j#u+cj ztXyu*d+N|_PvfDCoj_Jm{w>RlqG z`?T225M~FOT4ratHWaN*Xj@zAaK{^P0z~BHm3IcyAnx;1zDRuE<^U0=sx-S58Wf?nd?b(YBUPt3($(E3nR>`dp}yD8Cp+Z`*q3va|FN9XYwVKRZ@UN)Ztyr=+RMx8)nyr~y2U z%`W4uF!IyW1b(~E#$Rtk*FNsAp5rL*iO5oi6?xS7w}b#0t8F2RR*7Q>(Cy|6;`kiZ zoVB;Sw^$oNqROJ~(5k#GjPD8mQJR^Gf4eiT*tPVG936f$P=(~k&zRpu7b z`SH(;VcA`jT>b>IMg+(j`Ce7!KI4Y^CZ+ot(z&`=c<3QtX zb7W#nQBma!C`6Flr+9&(*=BYpFSiT(G{PFT{wk(DeB|&D^qP%O!>TV}uqqf2*=tHm zpTgP3G&>)MM+ZwQ%5GK5PtbOz-5R^Qmt~j3gM#KqOl}=-j@6=~G-v0bC8} z3_!L}&qvVbwTs8(sy&vE063FzC^H7I$zzPNJF|t&djRL?x-hj+?su7cH_2^%*jHv zb8(d^qYc9efi4cYU2o~)D-5xU#uL%xRU}t0`r#)p*4gx1L&AoUbp`9f8*WPv#}Zb1 z;$!1NGx9+j0Pk`Y-u~8Lfnodxo2}^cpUc5ZUpv{EEDkJ=RwXs-Tm_oz+P3b-JtF}# z@Yue$oxzl+Tgg<;3!EYT9%&&DOaLg=u~8-U1Ie{sd(darUa6Ip<^-(m{aXQm@*21x zsYxuQ4sSW+@21+VfmE1aeJ3|BYjW{BPDI#|RR)^6tWzcHdV&J)@yto61qJ;Kr09ebOVdi z0J$K88&;>n_;RlwJY6k+naMIBh){&;7s0fkqRQVvg}XMUn|D0%A*2%V6dBZg!vhK_ zY?sW&d74h|rlMbO;BFdKI}}oGD(d1Icfx?r2?Wtt5n&~NkYO3B$JiwX1~RCT%1W{~ z%uF*a1H~!+d4M|sh(mfTmt}c7C37OYLPQz@-}TNIPIoo7PqwyR5G}f2aJ$mck#Ykk z9IHE{A9Od%EmyBOffSuhw09=_X2xxJze&W^T6#QyDuY2JzUJ~BC10FRBV{VQ`qDoR zxdGn#+XWzeXxjOu3mx5$8R|-+gjk#9>6zFca6$e8M?ySu!&`KJ1mZ<2*Cl#FPKS#0 zK$|Ur?NFRIW)_$07e1Y1Hdd5rD{&2{l>^s*(!f;%Bzhy#SbO(Fe=`1iP#O6H;k{~1 z3#a*2tDAyRSeTj!o6$M~aWBl%$EiaqIgJE#0HMt6{p{@hPrhwVI->`L@sBY!Xz?lP zdxCix&^Y~%Do<}{^uaeE_m2o?nVlqmL~{ICwZ!<@fzJB8djs87U1h3*s2URBwe99- zr!(uEH{RtM>&T1GSwHvb(SHe5aa2mu$E79A^nML68ocj4a!i;si+5VH~T z<+`jOn5j2gk)`*kBj*KDG>34o%PA@X$B))l5epG}o)cTUV_Ume?sq)S$GKV!@xTT0 z;dLE7eGimqkwDm&tQCmM2`qv%>-%30zv3x8tM%+sW>9+sVLq>_4{Tc6$KNqK-M#g2 zgbc0J=m~M)Ql4u*i>(9~iLTCx6MW@JIAf8J#U3!}^0V_b54K#%1aHcZ)GxdCW~!gC z_PNe|U*ch?&`O9Wy1`69Mj;w*z=@J1WKA6V_9c{-CVO}U&r1{7$vQ{&x&sm@0jImP zsG7}eYzGt+9bcwK%M$q5_kj$#V_e0wnTCv!dW-1i~G9L1UpN2VB9 zND~a<;C>B!%Q9@X?kPYLTE?abJTd4ckMC}tE6I{qmnw`5kB!=3-_2TbQwNK&0i**9 z#uC!8n$D3FFpoWwmFc~nA}aWl~s(|w(^U;2$yoG7H(DHHM-)9k7S zH!+Dhb}orK-$}8dKFR*jgxIi*_OV4(?)vF=hR(Mon@_TGjav#f;(ocS1jYa=lSc9H zSKb78fQPqC(S#}V^6AfFY;5sPKj?kZCjbf5#6N^sY2cojnb)|$3u-#m*f0}lOKKCa zbE#=*x5hHsuAKnfSN0A+FeLfG0ewz#?zQ_v0~#9kZbaY>`Ap~oG;dv1VKH~MH~rhO z_&KuStAKUbq+&YIkr>M-=P-m~dXff=*x2k86;Wh-Yi_yV>vbc^<-8IFnzHzwj_yu7Yr}Jm;nvAm zk(8E}hQm|qhme|y|JVlhtN9=%j)9@E5it0WJH_~5XI8g8vpIQ5d6a}s=7aGfjgC@x zsMttqSI4ew7&xJ1B&W`A7;g>yz3iEz!pt$5aOT1l>do#%aZ}cJ>ip?7cVb;c@l_DM z0yvlj?{oBLKu2YB=zqgY0GeTO5luS{x1|ogXd-EULpcAp+_pQWHnFk-cuj3Lv4DBU+V#GOeC2WOk4-N76fXG}kRCd4 zh_I=2)giylj=pr@x-uIUJSLHo7yh#52#9oU!idO0M+a#vDxYNER5|?K+mY&PzwWG- zH8jc;s*@ZURWLgIB$!dh)c?g=q&~+ZDl3>Bj1ZQ|<+j>0g*Zf!U|<>cjiODvg9+Jo z1VbK|Yni6-&xVR;;Akr-e4Ulh0zNEw6b@8sw@l(@`yF=Y*6Lt9q{j_^@IFblogAH& z2u=);0!R1v_s2B!bG@B~9hhQ(kjR%`{vtV)CVOj`e@t=;lb2t1^l|n@5JwXpzU(Ph zRU)kSY;lo_)td-@Jka1F^i&VmURK~K$s-~@{f+1{wcFVv(dN8DAGI&m*1zBeOs$Hb zHKa#EC3;+O>^kGnVu4AdbTNe}3ehn!>2+_94OX}!B5J(hE6TX3LN4z%-TsZ@iv=L{ z9Vif@!)AGn>{t=?z_9K|jmRv@?^?WDV$xVc7xa^D;bjjv1L!M+rk_uhEzPNXKt?&X zH&=^{-M3u$5hdXcIA>~OB15~_zjIK&$K5=C?!UQ-XC7u}TXuQ8nVz5S%&={Z=fu47 z3TR!0ReZ(MinlnA$GnMf5?Bpxi|e>KqM}~IKcG=C5~a_nw4yy6jYEVim(Q!<1|_W* z1VA6#4lk!SwWp54d)h}leBsp3S#&jY>OTjI;a{-kcfeT% zS-K{fZvZ5M8hN&@|GdaAE6H3>0UvE7I2%w*bD z4=(`K5JqetmQxN9PYYKpgNU&uB!Fv^wZvfY^Ap=)P0<8J0M!-@9{Hx@+ecVDA}&7a z`gOtfQ1Y68^?ro0p)6i$)l^Vsw+FiBW%I;i9!(P~T_Kp2t zvFvvzEzG}6mbk1%PXd2;p>AaBwcUoLr2M(knZCB6v5b@&2}G`d*0m!9%&CSv_Cn5B zx2xZ;UvF}BeEIh?*yWCo)z$EBG#*%n?*N77G>}%5m&2#4J6BT`H!mRT!$T^m_!^*o zd@EBSW926ki>g(u-5TgL_;B_^~gFB2VJxMT`{G z?1fLsz))jnH)H#lT~B!m9i<>?aCa1IWdIh{@6D2{e$S~F@nfS!H(XqshS?n~E1;eL zqkK8v()cEV(E^*LXP=xM4)|U<+g-HYU_MvTP&5ML-Mp1)+V(B&bvAlCENETZV4&6Q zv>4^ew;W5l{41EEsZP^E=fLmZjjEuXX&vU_n;U9L&nz_xH#}%ud3F4H=?YA-LwMw+ z?9 zZsIui0mJXPzrDE!G@!3cL(i%!%c?3Ogeu>CHlKsd7dCnQ4SqTPc7B}qYZtz2@|mqc z)zD^IF*e>3J>3Hi7r@1>=Da3<*7~zRd`IF?ECDXfLZbFv!*8v6LbSB(+;u&JTj_+r zQ*aUy8k?ljWLvmSpbZ4brl| zBJGZ^LLybpamK~7YptyrSgtFKWo1!2*VGd3cs@E+YLzX@LgtbpM+3IV!Y%1&dtqV9 zHjX@Gyi!~qA}O*q&pUG^PgLjX%Gpt%%gN0r)wnX6shcKuE(2Y?wBYz94{rRdMf-++ zY~=6a(e>zirG6?VR`Qj%bK42lUdHTCza3X!wCWZ+BPJG8PZG4Wz`r}9=Qh-1Q(LL9 zNRA1UL#+wuPxy~SK*GT%YRMiT#B``}xC+jQATx|#A1zYTR}BA5_XK+GS!_9byfH*6 zoltkaIWh$#3^d^&d;%y4$PgXyIdQ99N1gy*kzlcQJ?1!R2`T469pJ0{_4llxFUbUO zXo-^KvoTJHF@e3`+NeoA7xEQ`_x?>^uFduj;jpr?0ZAJXkL}{-iaanj1_LJ10DMer z_p;1Py^enq7_Gkz>17xqIc!ctG7b7(BYOo0|Me>CqNkHYm>*2T>rytGKXUSVa_Qn= zLEc*1-rcQoFxC1qRoUx_vp-Jv;mO8$p|0Ht%U61*YnWV|E<#8|owa`~j?E#<2GRQ? zhRB1)N?(?%(+ws^Z7t~YQA1CXL6c%wxa6+@K=~u?)A4Ot%o@Tb&q&S5%CX(phA$=0 zJzOH8c|dMPip&j3VM&$S0A%(fIC^xld{PC=#`@^`;nlzfD|3{ozWzbOhy>UIpvI=0 ztH1EWsU5RCC!YF9c>nT_es6%jumwNc#5kkxb68ji4Yr?1ApZ4H@&shLy*!Z+nV(c^ zzN&3tV#j&ycw{%_=y=@Jg}q8yEaWgZdvj?U!}BFI&t}aBF9TSqLfYeh zHmbRRRvg54Y;o+N;IY(Izmp|Lmx?<%f&nTFl--f<=c>8v*WMFx<8>vaWOP{D*jd%u zoTR=dj%7F4NTaRz`9T(us^%el^F>GRlY;uBBgT{ictXdv;KGgs<^c*cE0z~vvVBU| zy>R%-mTQ1&tF_L6t!$gb?I8j&C-0fU`3%-kt3XMx00sJ+C9}{+66AxE&gF1%^1rK@ zM;x;`Z~@N=zOd6*JSj(2ZcBFWvED($wRqPAFiH0iFv-jKC`GR(5I>QcSjkh5?=c&% zq`Z@>Z05!^VuQJ&62L)`^MdN1xk+};OWjT}ayf=QH$H-$0`JVSD-oL}?A>X0v&_9w zkAb9zQrI(3x%&v1LRQw#BZ%NsmP6~g6Q%td6J?1C-u+eLlzQ`Wa5fd=yhUfRL6YFa zcNaCFr4Sx1^I7w7xnRUAv*5M4ND2TR>55GxdaIcH?!i2@S{ce4POm3~NoMNe>m}*w zvbN`DLWM|YoL}Y;zg^of#j?LK;`QDFWDY}JR{*O>$D_7hMhEwWz{N-6dcjEg!b%P1 z@la4ma6(WtH}$wEJ7wmN+So|{6E%*Wm1qAfcop@SE*>m=i=V}3xZ55P6|(&4=(D@K zmzaWP}@$J5bvWr#ShZ_Ue2$4e*(6Yn(PZlB6Z z>D{MS#MnV)+?{sZv+$<$CpJDi3PgyO3Yq&Lm&-vs=!=Tlv0csNk1IShDD%EJ*ohZ2LTh~$+HSL1vp^etKu6({I zPYh#jMlH{gy`H4L-OLLz7u}-70*xi`>ySRgwZ$R7K^>YKu=d{4tR*G&n?oCn7#+ z=O^X9XEpG_@LW@G^CvZIaj_m6NwMCInHCR$40HrkL5+ZZiD0F#mr7rqp--RXPL72; z8?`N*($!560xQgMfwc}&0*{QWb_ej>j00EVVd71#!Lh=yWnorQmKf=3xg7QQ>_nN8 zV$*cqV}|%+j=NDniGA&-10ve*rr-GBN?sMqr&%qdub3Q&>uA3ZFI>DqM-ncw-UPC*vr`)uHz6$6Gu}AMH zqgwP{l6XIBRP1z?=UEg{JHgaD$GT-K!2UtJDodrfg1 z2ac-?{hQ7 zLL%ELc`k8$vmQ&*!*qy^fI;l@XCkI0@z7Jpv<-p&rm!zjHghMQ5<)tP;lICRzroAt zP%Dlf@Y0ilkJYt2M#rzPrIkFuI(_-Uj5lKGAt5&9J-N63NxP*Zxoco(=AYlA`t;{^2<1DfT?wzRL6pH zJh~@kd9qVtwu#gTzLy=IOoT&ZiDYdHa{s+52UzzY3ijSN+uk)QT@tUX9-2Qe4G{1k%69Tvrb>_qpW8RYm9 zt8ewt`H^F6{i`ouvWZ?}6(pxJ+FPEL=3WfRmzj3%9S%)^98ca~R%GjbgKMF$qG%GUPPXkS9_+?f6WMGZ3zA9um{ zIL=J}I!1Fvzlq+@vB_|1?5wp;hdu{?2Bw<2kWZkLuX7a7nfG6LkrTIbx&;6h zL-@QdHrj=EgA*w_p@Sty{`xM-8F@^J83}-#cYHtss2%@%E{t7P4&wn#VT>%kC;FY` zaie+0zr6_MQRqG3gXm+805cMNw!$eu#FPr;YV4Yr`1`MG#QgI7B?0{i_6rqC+6wCH z))W;CM20BNMOj-NIb&(?6nN6&yysNEzoc+I??&N&;SHw0o5nf77FU2S!lz~N=W;IK zK`(iqD#$8jX2H5+B~^}!0&`fp8j8<_<&;$ZE?Cc{h{lM~ty)&4g=2vo{j)Mw7Y5Ke z-1Fdx{Qf379G;}gWqnBU5t}HrD=^4#FYk?8>(=_a!u~7f&pC}9C^sobXJ?#$OG=7U zpm%lB@^GKHU}H>K>^Hx*fggYS)g23ljZx$0wtK+P>|YvQao%(-!GyuQBMbK&Q98Zz zEoprR-%qXj4ZuWDw02%<2AMoX&O7B;Id_aDM<@GRC0~xrNpCKDT!0X@#_jC8^7{tC zw%%=iSL45fY!IXIbuNJmDtg!c#Sdu>L=b#K9WGw6JHEC(G1T4b03vum>KC9efDkc# zcx|~ry`(Ayo=aV3g&f0U`CPY=G4K)q+B#-2dv$FfK#W;j1z26ofbF8?fC$}li;2hQ zKFP?-Yv?<3f|4ke(!OU)A_TR+p2NhX&Ky_y!(|{Z=7e@eJ3@iXZJ1|4rYS@frjmx6$;1iutv zZbn`bai6tSVR!o*!vpH*jMAg~1*-DQ!L~?IDTL@1ybWmIM}FeI#_UEy7TmN;t!_@B zsjj@4=R6oYRS{gD^06|^W}cY7{4u!rt9IJql9rnOtIbxK!sl1O^6|gJm*n`n&Qd5U z5x1JM77Per5L^HOLz(f~ojn*ecD&jO7_Q&C-6RaH((#^;trj2pk&wZqVCytE^Mbcy zuZ1OGD(jcN&2O?^hq|kSG`6+;xEl}>a`_@|d0E@#Jb_*&q3+M|(ub8LzwdFi34AV0 z#{Y6BhNu`+7?;`)N&x-D->;UOs*RZ0>2kXz?6rS|nX0~t?ttT&xOiuvx8~FRvrCt? z%i~|MD>)ppZ-$+0D91)ecpZ=FSYTQQZLz|doS}(AT29UjsQ+)rZvOxa3yl8)5J~vN z`nnIc*R3z7SHLS+Z!)z9T1Xq5{Md@~3SRiuVxrF`z4tTvU`0(sK}LMOJ)rO>qTL?r zO#|;{=%bK;g1qwyGMCGBTZ{u~+b!eSWs7dFw0**n`tjZduqG;V%7N`CR9~TN;iMAx zb-$%S+L-N^{Q&sifVmsMDRo>r;*0aR1x$lfQIcr6@>2ZiA>bPZNBzl9ZGQj-{fG~I z0!hBYcHO?tvr#7Hjm<+mK{aHW`k(nJ){1`3!0Ef_$%3T^Ky77bDy=9*;3+99YrL*( zk(n`JPg3gG4wK6XzBLzqyn2yyCeLzY#0u!~XI2#!|L0wqVtA>N^#Bmal>}s~s*2*X z{Yd5WjaarjH&sz1Wojb~Iu`7nxE(2ke@>`!c=q8w-h|}mC;2Fqs)}8qV$SK(IVSsFhKaZ!iL+ zr?;9rS8CGn<26V~GpqN0{ydlLs+>8>8Vo~6N+zyeBt&x_9c4M%bKM0D&wl7Lzh_TN)D@PVYEC zkAA^+AGw0?-z?%MUlziRGl-4>DF$_YL|Qi{cL!u`eIp|!Hb>75`n1ef#ydKThK8fS zOh;vc^WtN{plL3>4~TuKtl?to6+N|3zow;?VBxC!lFcuQ7*lz!484pDn*KWwA(lF1 z6iO9Ho{R^lsdamPpMxh+|}IP zo?2@M=VRv66r_~dG@W--g-z{)LoGRLUi|ioies#E;vaOxHQj^DC(ncn z_3QGLPddis5BxWF^@NdEw9U+4-DCcSOaEd1un3fxk`@sZ`xsIu zFCw?oRorUPLu1Z82Wn%*S+4}M>FM2~;i@Wqp>+$$P5A1_)u^=YO-~yDii^<)ek2}PTrq>iGjr4@D~gDR?TrgEpZ4Km}}OZ_*7@h5rFtaQ!x{6b|-~|8E*z2 z*N8@(r=UEpQ{R~^!Mn@nEAHzR{PH4!;_1(SPys67=}KW+S`|*$-%bA;al!6;HLyt1 zWqW7~PnPeQ0+mr@+n%-oz%>uMDgRFewdfa6#ig1zb_OmOtgYNl)d z{Yyp%|G+8o6^aMJ!(5d4coo}UN;n-z2{->#67t!DpN;2p_&7CAarh+L}-12ZlZ*?Jq1Df)qK2J>E+hX>kDC(M7OIqdoQHsZZk}^{DAgM48slu_Hd4%l*=xTQU z&qB$=YM&)rkV&BWm^KI)OPXAu#lCWS=N$1zUcPO0|53u-n`bqd_oeFI*Qwr{^m0B_ za}A(*C_fx?5`1!s@J-4jGU^qc{rdP!^CUMtOt#g>@BR?7VOav;CYt?0wJ&h7{k{ap z@>I7V_ecf=5}Y5cAJ{m5-Nk^_87)qinaB_yG|nT`MKVOQnIFnTd-Vbu@oYViE44P1 zC>R=M5^z^8nU0Up!?!c!O%Q)UvvSsbIeZmp?O-=q>+Uoqnwp+INZ-!SK%&A9C$}YE z4CyX~BGYj_Ieo=!Kioj@1^b$n4LnYpHbRvNCjjdr-c4S&jn;8dnm_cGiD$7vAGlmP zl9$s9?yxA8Op?t)b{_Jg_j_*fy6?Bp1MJWNa$p?L!8H2{EmV?{4Y}@u9i#?bIAVYU zLL{e)E#4s2jGnOgS8)iB=LgvQidvN?{}lgL4M|8K-ggWI+_?mVtboSI)OwD?gyxl~xVvSDTp+lDY{ zxHv6s&dA6VH^Drh4~utp$`H<~$g7EF4Cr}SHP%!d(9zKhd{Wkh8Q0C;s;DaE=ckJ& zeJXsA*t*N(`b8(v>}#&KFqrtwjWnS_pI;mG8v^kBm+pT(h!&{Syi9S&T5U_&rb?>Q zy|_yIbH5GWu0N?gNU2-&#z*oM8XPkj3km`dqvNKm4d4|1r;h&5@f^Sx{F}Jh^nv8} zF6y`>kN&4<=^xX%=(8z$d5@PI6Z{hpL5nQncz_wI+=C6*zoA%B1bAml1wctaG@$=I z2m-Xa_ix#H4QLxxk+5B5!S{;CV$R~F`)CZUib|AsL3)Ex{k>iM|Nj!Ze^U%LUQguJ z#l!~_Trh6d(8q$QQfJTGi^DUUiB`Abv8@Q{@*+lKtD~G>)^njS~;kVDE&rlj%_K(XlaXJp^(&NjyAk%TX4;qS2ZQqZScX^VA3@N?1 z@+d&RdoS~H9N#I;bp_#H*z%|lxRrpo&Fg+^FYWGI4twE(607b+421UBnu=@6svvS7 z&3HGV9J3xh@5-MI*wi+V-kx1;kXDO&J?nz6rm2#WojmRsUi)wG$KrE&K?0o);4mep ztSBd|)F=a~z0_ zS5+2IE~RSNO=nL~!XW=Qq9B}{`3UF_!})$m7cves*zu=V=31{@ACO%-a9VECM79wP zH29aNZ#HV*Wu;spG-e?=e1vjVWuER%AIxW&gpb$-9PzkZXo4U@fEZkz9rN4YVhReFlWE@{1DH_mukUb0a52(;= zdgJ>2CG`A0NpEvlG2D1_9Auq@Dw@*$+67PnzOa##osxNQ(RX%tSn~fZ3O|{Y@A0iq zIeqg`8>8qNjR=dt@Wn@U*!>X>KmhK`vzbDtv#nRnbql%%vAl3gQ^9XAhq8;o{rB8M z^!63DyIXfNC)f>nF9UnqyGaJOHYZr%%aL@!M9{*Uai4XSI|AT8;rmk0wkyaAU%&8o zgvMdeNNOpWcE6?DU7tJ45YB?kcR-`ntw; z=1PG5hfGvtTxf&cQfKsJwI_c8IH4u5fkSnUf8`zgr)}x3$XsQ)Dbp^-zPg6X9_6sF zyECfBaHPQBAOM$7yQi8zqg&nes`DfCirXmv6E)BN*y{1GZ7h>pz@L-C<-gu2!AYU) zj^=e+40+5Fh|kaM-dUU3F2P%ksJF7LSz~2!F$e}in@~`UvbJ_&PI59Z1txSpO|HnG zh2U6DSVd4nN>Q;Yx0aNOiU>--X3S14jcw79j$-W`o%}$JnWtWI0j?2G$N&{y6*Msr zYy;28F>5YR5{~ZiF!7MD1Jbw)A|9m8{2HX($|NIyB ztM;OSt+^ajF)I2}8oZ)f%1d)8mZcA%@1KTMU#@{G`+KbT|2%%yrNO5XbC`@ z7GEc+$z_7+t_o!2_o3Nf56YW#*dPAq#2<)13gWBiyUnMo+ty$tpiZ@zu7<(=fBhx8w$1Xu#~#1q zq-%db66|rAf9-aZUe*xOv0Ugs25Y`6IjBK!*Mv=ol$Df1^2R&*Y(S9(0>&MOcVE2IU!-iy!YgTLj#5>thF;c$`+iaX6A-pQ*$yK|H;sTqqvcQCL!TH zHJ~!>8;R=uEYNX(2X4Dou`@drE%(?&N8tI`xEKs_j**}6GTdT8@5a?I;Eh03c92Aq zroRF;>UF-x+rZdhAH`17$0{CcMp83D3KmmP)Cdjw10MK{w<@Q7vGum?`g&CIq8#KS zA+|ejC_x7h3}9Aaq@&m0Dt)>&lvf{rvu|}gWB^j4vIQ^gEv^#NC2_Ir51jS&PwEA! z9^TaD=5;sZhc3?kU4=V$sDRmsP?vu+S9vx70ip!t^Re6YkW{Mtmv@R&8!9%uP?2)v zM+1GM5ak#gdb(e#YjZC8R_JtV(L8gC@!NG=+cQPBZ2?|hU38YvAtVvc^M{ZYarG5B zNkQg^|ID@Q3)z?k#vVZ`UO#VVc#g|P3O|4o-`L{^kA$FLUSXyX`>u$wb3|M~nr{&T zw2Xrp74!PxdvndCkmMg;)i7@Dg^T-=(nG-E|CsDsL;}@1T1!do1UT_Z{zCB)LnL7! znfRoo4ECooH0&@;ENA-{JVfpR(itb)*qOP*w&h`zv`-vf0F~2t&E9y{&;q=pdN&e> z$sw8(ievs8Sc{xjCOd#@zo<|v%|1W-3V_3?=_dy9; zAP(8NdK~q|Gh_7Ti>>vRp!oV8Y5gHZASfq*`QfR~Ziqh*l)a3N2T3BQN1-W0=!1uZ zt*L+TjA|xgDAHHbzT!;$*=VWnlvU7HjoM(-yfrfA0=BlywI<-f_jp@ji*Rjb`$37h z?YQXM6jz*{j$ib%x0Z}GR5aivfm~Ph^hp1-@@i{mX(qJ!AhFaaCki1SAraDWO}HA5 z4Bhw2)?UApNwdDQ`h?Nl7KS;wP$1LpCtJw_g%zmapsU!zn6}#rbgQ2w0UFE5DX-W!!1>>L~(ZZ=%miy6z;l+)1Q z1_QwQy6T%^MfQ2tIFQQ8xnqj zH|;Q5y8`S#exG#3ShT;_;vhY=vKIGBO3LT)7f$*_8Gv^?HEHJcq?)(-iL0G~kjlr~ z0u&_N-<=DK+A3;&N=gbr!q!0g3&KP7>r~z2+5DPTnAUAo{%p*_`#}#(4t}8lC*VMV zNMYdfyAs)r56bn|$kB8)|p4*m~(To#hXlb$RXhDbKPOi zXQ<%E6Z$1HCqFM=T?1r*(X!NaPlH&f=a7@|%7diwe?l2nx8WlvE&3xfH{76G$fhp3 z<~5xm=-Hg$nJ6$Q&I__iwF3L{PT|5?S}!bZuZeK;E0?Fl=CIsc{Ud2Gkmy{<--U&R ztGqjRLG*gZHEudpx*2zWJ{={&Z4~4&pRe9kJCu}^MT2e`LMH5Y0od~r`(k-hadPh?{6jy5S(>~^++TacrxKn3yLDqb|BJ@qrO+3zH9k^uu- z>MuOtu6Eb-^Z%jhEugAc`*`6^C!p~zT^A(~uB~dG(vq)TAAV#pwv*wB zLWm#p>eBy6S>+wqViw>vV*~%76k)|9w~Ed|Ixs%>pKcjH@_Xf?%r-LmB1*agXpmr; zF}ne`gg-~vsm&$X89>lX^7Po+sa{E4%lmXeE=Ba6DU`8oWS(Exh3x;mz3=;lys_^a zBSHfn>wDjHFLo_3;&+V9wbiw*E=;Xxuyq75QJ57SmUiZwUhRFXgIAMvI0OFMD?4#4 zae~+%C)dGjbTPrMmQ8J7QMHEiYQuZPHz~Vjk*ra?M27$Bb|F$dGXb3MKV7!^Z6 zy+C1(_o7{EhY9Dmxy5;=J>9-bjFjW!TrT{{9Y(E00WvcGWcz9&9e;Ei9o?75?v>~- zs41(r#$28DbTRk!Fu>vaAOGg_n<75E$p2!E&MqO|%dQ*thpuCmoEXws-Go7B-#)rL zkL@s-(joj!wc&E=Xme})DH}={>GJcVi@#Ua&6hVV@!HF)fW8+62G%n%?C|Ik)LD)vVwwuB$!YB)?w0kh>``Z0+in49>{II=Li-B|kW% z>9nW`;N%%e;jO92FBgoXvG^&`*w-*pc&!p5Ze*4_PYGC%rs>kU`f5_w4Bw>nDNSS5 zCUEYoa_Mmr9e)0X$XY;z=$lhs?u>~cm#y$T=(7xv7J+n@N;Wad z0`X>j?ds2&j~^~;8Qq*v{-LRArXS7m9#!mk<<6CIi4jgY=+QraeiPb(Gp$aU>XD-TH&gC4 zu`)VY?pD(w!eqn%zd%PC$RKxK9(fH@de>bmkU+HA;5#usppP|4*1m_?2(*J3!(EHy ziDuL$CY;ZM7T!yawu@y-k^}5&lXMS!)esZL`MhIHltCz`#`6vr_~)i+r1kDfJ~2b$>LuMNHAeY=uJ9M51L{JlVDu;RJIg5O{|Yw2!Mia!yI#}$9>Y@f3_4KMe(zs*_|zVzVRyR2^Sk}GdHYm6sOKKk$@MCR zsZZCtfuisb+3YP&SjT}`a2$xjnY60#!=C@m3H~wp1K&S}z!|YFNZCGke01=+^Wg=Aoz{@pKs{hKM4?G6F!|( zxT9-MBd}~>OmWlwRH|p8vbvI7e@ZicG0X=U_8^3gWhJ_J{?m&QLKiP}w-hB>WSA5h zL_|JZkZHYgjZKV|%f8PQ_rgH?UF-RCs~`!g_GV%%9xkEYf#1;=abj7IS)?g( z4qMx&N;89dKQ6{`4^UEZp}<1rdOklqg{A#0Y{uzZ=QR;KzI9FGRoVf_2 zL*Om&RP9uAZ9;-Ub`X!l*52ONXx5g!0YZ-K0bBm$?OOHfyxFnT#G(q6G9n3ySCpuz zKk8SU1RzMaft+eRNq7+(YN_35*!NyIcG~9~^!=LxA}0m>{mYB+BNn`QZ?LF?Y7Hmk zq@qOK_vkVbS2k`D|KaBdK?hpy%RQlZ`LpKc^QoFZPHu=>fPadAYS!m;m&NCOX>qY( z>(8Lzh~zQik!Jg;jnoDa3^ztcg?UkG5Y(9`1#Pq9;(5Sw9XpZ>^ZvDd`y z*KsXcAgoKHHo&(nq?g=$tJ|?=g(BMbi-}`{xzZ5}umgv0D1>j{>Ca{g z>v9S}6hO>k?3_7y+TOz7SnZ!#=M@ON7E19Sdy%@A%L)?r={si2W~oretbH3p@^3Dn z(!Up|&z7f3jT2T`$t!dnT$ESD!_96{-55XFnl=i=$tGz24vmHH!4xoupJO>nwBqDX zy#J}yl?c$sjvTiD!|9!8^DuwX-xyN=-170julI591Chx8&S=7aG&G?ToG1e;__)!p z@Vd}~@vM7d3s2pvOsyoIX$8U)pATz!7%J&F1*xQ~(tV{5Qpr;hGBig<0+ud7UG&KV z6P%9+|6cj;JUra_Nex+}crjKDLV+X7LKj(lO|D+ec9*qqGN-KrtMuQWcMi@B^Vf5lY4TAO@dAfAb zJqFS$f@~a@HuCICO#gybP>$CnCxt4jYAbXeS zoT`0$IN;;W@;vIqP*%57JX@>2Y3Gbfc;e2VYT<~DuYb7}3E^T;!5)7? zHAc|`7WQQB!8!Esb)hm`cF#YbqXwY~>pNi+vqBN$Yf&4uL7B#PvNS>rJTq0N-U*p0ajkhj|C9}Ax zyT3cz-X1zl{VnO05a)C(JF>sw-h37zmPh$S2GVT%_ge(J4O%BhT8y+jPOWacqE&9j zQ=QlJUYvEoRVm;Q4rf-TP2qE7a9+`082Ix(CCof>V!{X%9abc6O5W1eB{5|dr%(6H z)ue}L%nq5P<-E?Rj9`kEHbFCH!4AQA=|c2pliKv3?dsndUdJ}lm+}fCe~Ql9`}fdVXuWW32?CiKgik*haFMZx`itfZFUE|<{timmX{4^=UWszX9 zvUuLNX0pFgnnYLkY({yYvB{CXQd_>~i8{B{3=`7}PGf1THim81}2FZ-~%H{b`~gV8YSPEHuzyR0J<@?4u%0VI?^m>j(+X78uaf=p47U(v^yLhHCuGOL@PV1HS2TGeX~ zi%N^i0j)=&^jN8N7%<=0zT!q(C5hNL4+7~jGiY&-YHQjXTAi?gRO(VCIxq(elPy5@ z)te(OqQaR@xFbpXBEA2aj5dw|t6g8Kd9ADboElJ@lY<98ZJ+&Tj#ec3D{A z82t>4at(=>f966^TRF0?4cuuk_x%G`) zM~Qu|qMN>>+MBjWh6S#nQ6!j@&T$q4PirQg8s#FRuat%qCTwJ%Kvi|T2;ozVP~?s| zJpR~d8Vi{8{5<<6eMzh}an&3!&3Gc3EHj>J^hYPaUF8MtU4vmsddh(JsMHr3UTCrn zQ!)!!<+!9E+$m7>yotifd$dDT-Igw>?0JBuu*&36p~|Z;QA*s9_=kwuw;Z>{-=+lr zTZazZpi9I^aPAIEclYx6mBXXwSF}c$= zZdTAn2-JMlJ4}YSAnosj$fAx~mC}rAd7>QDL6TV~d#4sja&Gz|n&iox87%RihrVa6A9 z7>q8wl5_?!%@hs}Sj&rOV&1uK^&)FeZT8BDxQ)uLABsft7Ga_;)N%P{@&B6xm{9Q9M6(t`@CTxm5f8rb+iqRqH?-Rju-o zQ!ROQ8YA19pFbE&Cr56#w#Vt1lY4>pYvR66+RWh1iuAc_s(u2pGgbK3$9q$UZC6Tk zU!M}#VMrtgt0wI-x&EBeIZsXD%_xzlUi927%!^9Ns(lh7ed18X=L5m%H4-yB$N9af z4$Yj_-FwX}v548y+-+YUBbb6U7!wM&=s%=jgouA}ubO-CUi3SkWtWK5V9C`skQ72c za>hP!rNMbX%IpRw2^3?4X?}m6SMTAHz^=~n->htmLeGz5-Cr)f_zqf?MBnMu^0!^_ z?6kd}++R1($AB>JHB<^m$vjfaet5P92c!3Q?U_D(td+B$*DS0vq%>;YoD=G>$B@{r zd-f5*zo)>x@=+q6rde9PU)T$w?Mo3UPW}%jBMXlU_IPt8Lp2Y$ zDYOz&V5in4B&A%9<~VbPXpD2)%zM|>G=xgO;GaqugyIEN!`e_`d8$>rE%Dyxm?loO zjg`|ww=at$)L{p0``*BP*!-Ur&F^aa-P6csqd&N(FE{f(nPTM058r6wJ^T=CDv z#Yq=bcx+9_}8u7xUx~=x9lorLtVHyPyT<8b$ea^fNQIA!{{zG zqd)Qawd=dJh4K7X=PF3q{>O`Sss9yD-MbTlihOLo8)|&_@5p#ahF=3d?}G!r0oLsmr22 zQ8YIuRFxhtUK%wk!JM|DFKsNit=Iev^FkBqK z@T(xi#ZUf#^7ikE(BIP?KJ`@O$WfA_6RI%b&*c`>XzOVYnaM^JPq9~$e`XXreG|UP z*uaWTni?G-P5n;l;eYoOJ1Aj%YAtRa&h7pze4g#!4+1WVdN&O+^37994O%MpAhEpG ze1ELtsv%lR_K;7pA#u;Z$My1j?%6sc*#t=go3d29c~Ok`_B7>(wZtS$_ZMC_DOZ!x z)6oJqI9S7HI2G(YsyOxI+`mweUqtxxk7ZXiv6EG3)x<)QWGK!Lke)Fdhc~x_w=jgM zp*l?)lcy<!2IRO*$5x{78mQv(C6E< zD-QAi@n||9i69SC!hZ-e2ccqJnh#j=Lrd8Yn_-O-JlQH*dasY2smbGj{?E37v}Yi> zjO|TDTrkUHF3!p&Q|M-r>lhU|{lb9dqwKv{uG5kxlBS^N9%AtyTE-{*ZhyE`R+_S_ zp(y&Nrr5Xc2E*0vMXF-_3vMZ4Nmu%z)KI6mjX?a)htGhcuI^)wP*q;M`_jRKbfuFd zQ(oUaCj~n{jglkn3$^h|l4=002I+N&b60qvfK0a~q}ND~6M{`FJUn&5A~Llj?Bh58 ztt~QzI6?cH?|Cy=;*)L+q<|LNV7Tz@^uqG5k!bUHEUcYC!N?-83X z75RADlL}2y*K<9ZGG`;D?z_MJi)2aSb;c{I<{GgI)6QQNht;Ehg6{XW=h8pQbA%4~X8-8qRz(f|7&TC}lIPE?QuePzNGdft68>$$p6ovf zqe}HV42VtMR}?9+uJ;`j2~L{(5FDN`;bv^4A}c-hPELmmupDoG1G8RWI;1s&&;>#+ zh>cTfKF_1;0llkPJI}ke!797OE2|@T`Z5%)0?zQ>(AU5971lr<-E32vmvmvqkZ z2o}H`$yCvwdWfz{uf`Z=DTm)teX&BsXm*5s{b7#U_R|=Zri+uz04W6v zZv8sqyR}IX-@9FN4zuRP8!*-qqB0k?e!lxA&FFb^?A3-F`}JF_TGOrPmP6%e%!>BK zhwp_@`E!(iKzy z#sm5WXA7vsSmp+O(AroZ8i<$MGGBun0%_@$;dIk?xzlhav8bsjCHKB12mWxcbN#(l z-e6F7nsX%|e8Z|%Y`9GIG`!)alVt<{tCkM*?6O86Hqwrx$ z1im+7YEwb6A)aQ6$eFD=tqVJX(3RFa7(jo6clyI`!A73He|#8W zAK+)|-*=m5N$lVE5z}eKwtNo#t*H_iw6B2&TTcnkE!!H(E zL>Fo7C?BH>RNWm8oP^wkH0Y=G;M(84piR;nlPr$@dgL=%nixE{23g#1q^49t#g)gU&e4$IB{i4Ah!iWG*mf& zkZ1iT*Z?N#_v&!feWBV7D}&~?!t{TL5buE*2s>-UhDWPifk=`;LoWD{q-BEn|tbaRdi|R zN(B4Di`S)9yP_dab6Bv5h5Kh9K9i9XiOYK(CF8Sk_=$Lg%OuWcWuy#Xiu8LMWwzd^ z`w0Rqdz*Q8L|Lb55IIHt!CvDW;R+huq5_+^Sq!FG>$09E+z13CXNSfzRDNaam1W-l z=zDc2uScR_Qd%8cQ6$Z%tf(E85bu5_yIda=%p5Pk4Akd^ngGxw32ONM&fF9+F0~IV zyV`P!ky|>fyFu2o$e7G#Y0|ulHt;j7#j0yH6tFzU`WjHmG%k>%a>7VpE{w5ad2=-! zzq|aeb~`z|(L9KS=Dm8tfhdP!yC-PYe?s3pX^)j1PZfxWPkiQ6ZSyTGVEhcloO80O zIQ?=TQV1u-o#2LGC+!GNB4PaCGt4@W^Ursa3VT+9E%CVHEzRf6dY*M7!*1iU`PS&3 zsbikSR4%WM3>lEzo2}uav_!qt*nXZMq9f?K+ENNd=-I44Apg+NIKLa#VIvX|_W+j1d7^4sdT5dN-45H0@>KHj^DQ^K$M^F| z$WM}fuwUwYKRte$Oi0JV7rBcDqW|d}7G(^A}a!xnt zmcbKh6eZ%et*)$WB80r!KfPM?z1wa>oB0U9^~PxK@(H|%#Qg~uXAjpmyV-AMt8OZ9 z2X@2G&Z-V4abTj%af2zxzuF&U4x|XTtd}-xURHPk`5&*#wh}ulYim3VQwwRJcv7v9 zz*`61eF8s`^3{xY)Se3b9{bt%2)e#LhYYNtOWW6adP1-tIp)QS2j>H}P>N8a2osa@ z;%z3pq3OR)YRZ?Nb_$(qiuj=z?zU7pxo z1)!mua<|bRhsHCF2~n{zQBk|w+vBGsA)h5PO&1393JT1JEZMcJdFF4>jNw+$_Cg|0 zW@+hp-222Lr;VRV(>|5HfL++$Eb3J4>s)q3pEeiDzZvw|4;UPK z|JgBSLoTbFDN$YVnSjluxkyV}JT;IqF(15}n(p>%AKC;#VbqHGQ}j~n-Wjk{R&20@ z)qjJ*s$*2L`+P)l}j(4^e(!uFwN?CtM>_7jMxbJl5a=h zkKivl6s>QQIPC)C z8WXqkQLY~dBX>Vwg3`>{kH0xEF8d{z@F5geJ% zX?krT^!f*H&^qiFIsx#Wkc-vEpf9V6=xH=ZP9zc3GQQ3`_5Bq4SkcSJ1~;+e+G0TS zErl<4*w)J47Xw`^7|))GJeh!hLBCrmTcU_>W|F&eUaEw%8l6R7u|76> z)OW%=qJxX`c>Kylh*rq$Z1}T8hbdQmq`u4`^N5XQ;*#70!*=mc3RuW6yb`6F$+fbp z+ywF1+;28Q(l|%oQ z%X|p+=hmy^m3&ukH#?AD>$vZXkFNQh{AwWZ4gnwqX8j1@$$))?VJ;65No6V{z3WT~ zNM(YW6~)nEAg7_@AixZ4#f)3N^!b&tyR9Wp4YWrxN}8|KVg|1HM)CWSv0%XwDXWJU zvv-Ja*{r~GtiGBfBv6ORLttH_{pEQC>q5o~j9ztMRxJwHL)TFx2P#X_rp+WQ-i zj3tTHO*1DbNx-{@3?iyd<@Ft&8@p)Dx>!xjQNNquzgllX>1^{x^S#_cgFPnR+=h?t z1Dq^JcKBl1#!`9Y`k=Qv1}qTuvL10}+sG#5;&bsO*D|IP)&eIJK7RN~L0;C;(Jvg4 z^)w_|M&&hD%=fn(cL187UB}vdLavV@8T~l*Cn=ng&Uf1vwpMLrF+e|o;<$5)E zV)j**N>)ihQNLj?Ug*iyJ^bvC0G)f&c0FUJp{^xBUgxS59be|>sg}(D#l)mV&7PBc z%=QU7lK-zX+Xd&0rm}c3>SJwGu_(>3{=k9z;(ZCc(v8s_h@#+<1=(Y_ihWIb_IMLJ zqcp;_cZOD9pm++8XF9{%>+Rb_o@UgDgq>?aZImd>^W!!4pb{yXxbiE6GA*7h!Ph@7 zZYuUL;J;#BJ)**)<1Ni~c!B!D!dWvxZqd$32`kZYr>}DE13N|#Bd(0t^?ZVd4=}pw zuq;ZgVk*rno{24cU!1L%Wm=i4r|G=aTL5=Dl8f_$>JJThh)r!@JA)_6%1bvhKjwZN zQ#btIYM>A&_c;cs-)_Qm}Uw&rryHKno}Nq=Cr298D6DKWjJR?Zf+JXK-Z{JsGOq6rZgEcdI_(|(tjO4%$~=>gKY&XV0U z*2>lqtLL#Qn%cWtHa9)=Z^u7ONs|BQ$ba8j7CbZ+PhGK-iV3-_LH5MxQ*UoJABzzJd2tHYl# zuR(Ovvy+QAwnd5*HR8JKr7KCdtMn60I-4n8dG_x&ilNO+Yd7-PujfKh0rfq(qsMUE z#I~8cK?C6H;CmkpHYH9^C&Sf3vYC6r6D- z;Z?(T?m!o6&T4hh0`g>3e*{9({qEMSY9dqeAtPOpX2VGVi$?LVPn?db?l;%F_Z2aX z{B=mM+olxT(c$ZOKWM)xGl1#z&xs%D-T)d_D$E}c1N^Yf&(l=soXy@$5ZCW7IhJX% z8^foHG4hH!;yJ932CccD5fMd@a81qhh#jkF|Gp8%F5!xocXO>$taon?Vxgrg8o~|v zl~!M0br#yw)hF|2kl$Na;f5w$mWh$xw+NXS_Riea$}EG-9pb1weefm`q|w&;w#$dE zuDrJAG(t(BXK%(z_|u@tr(|BQFeH7CY&HUJQHJ8HhulEA{o?odI_Dv3_HP9IYwZm2 zY1t2~r%lA48*x@wMrg*+V15_AgHH!Ph{8a$uw0&BDjFG))zi&lYxSpEZzpqQ%f)LM zsG;tP{cs9`#2O)BH6%?g^vv570NHkBkJ=IOtPO*+2Y$kqs?Celq-C5ODk9c0KiKo+ z6|%kv*s5wg9Z`i@Hzg^)cnq49`AW3Yj34EhHR#pE$zKTtN#*RW%It;?y?HRJ>lINS z(~q_edcX#8N*@z z{XZDg6b?h;{YcMXqLi>01>+IRb!xA8z9JN-X?aO~!=T_8ykyCKhQc3Tq;bAf#uF6w zNT))*hHMye1%>^O=uB{6ApjPDKIDisZ&z-{ZlRKQeH*|Ix{Mw^4}KiM5swYxw%yC& ziP|Tm&{Gdj>Fma}pw4c$6;f<_^fif`E#GPjZrXf1<+%;H{cD&k;bS^p@xKP3f_Kqb zi+4ZI_U~?IU-RMjM-uIJT_m8Oo1{gw=zqp)BDI3Uj`7N4ICQYtdcD$Rw6Y#dI!O~Kbzu!J zmg#ze$kh00TY5m|iA$}Nv4U$1b%4TC^dSBjZ4-8_76KJZPS}@T6EtkH>hj~t^5gl+ zs}{M&IWI3=8man|&sW6Ua*C1l*4uTk!)^UyA5P6L|+u?C^#TM^;Bt-uUr&|riTu1`nYe`AGM zxPOXCme3W;=l6G8lMJnBG}Vx>vU~Dua~meAY^mm`H6F7lD!vTV3ce>kbJ3=k<7k7= z{Jze>08NGtkdV5`r;k3Z=H#F+C}b+hNAbsRI@mU-vi_#$VLs=-b3H;NLpU#QI8{bz zKd4g|B|N#<3*vfRS4a&+skxJ3vAuYpJUpw1SjT@4x}onyABVQff$?3iHtX;dQ^&h|cJ~%9?wJ>2z!Pq@%+yLK(m@ z?#M}jGXFVA>@T_?udo=(FIbFm`;_u(4o~LYW7mEbZ3v$FMTs6pN!=4c`XoHHrL=5;Y3d#&~Z)6s7t>xjjSI`kS9Moa+Iz& z7$Wz8Y)q77B$&cwE2~)9hep-0e|t(GVI5m|9(KDiH1x;~;B4w1HL4zM+ibEGJcF+If0@X4RdonDp_|n5$x7ksL78gXJF0rkReLECV z#?99@dGUE6nVF5EFHiv>uf7iP@q(!O^#|xWvNOra-Jax_7!S|!Xw1`HBZtGB+0(0L zYpdGtnuw6FJ%x9+mB3-D&`x&y&t8M`q@O+}DCsSfIwmGJ_P1;b_Y0CnNh_UG*Z8ar z`{Wk*U1qvVzq62L0kC}fAbb$<%5A7%M`k8b>SQ%C+ zq{YDd4r8CBZ{?6#x9+SHL5B41viv;G=cj06ThBh^$=6FCMnsetL_S=LsR67Y2nG_d zU;!BvkX|((YfEsq38U7nt%T`#p0U7{c%V<2Q@_UIZTV_IEx_lAxR!kl@v1hMu+?XE zN9_Li3RH=TZvQyLp7G}{W7CCU}^^+DJ%LGT&YgA4DgrqG`JTi@2PS&h4@?%C1t zi3#}mqgh!p<_Hc}{-c;dD2dhVdrt821PPk@P1WIEKS#+Qh%C6Dm=q%MLX0p00A1xK z5&Y@~AtZnQO`fVBtG5jg+CV(J%jm#LT=C*sCA!!75y(>9%N|}@tU@}+V*z?DAHDctOKVn({k~^$1=V?1>K=7d zXAcgyeyYM)p_zjs=t^AA6Hs)L zzuy?&nJQRL79#BeUJAkb)%=W}4Ss-RmPdUxcPm>!>+OO!TvwM|BXMQR>Rk1XM94CD zlkgxxjeo9FcxP-lobGKrDXEFD0oSW@k+Xiz_po2W13AT%)0)p(je8}AyG)|ZqCHMM z9`_f>#$rIE5&BPLD7(*(z`o|<%KJ+g+uZx5e`2PZkv4OLk~L z4kNj@DD>fC>0iQntx0U<>zVc4wNU)yqW}>7w&<%aN2Zj$mqZrVH?#Yw$eQtlWhG67Y87!*52)3 zVM9903hE)j0n-cvs(GqCCgpR{{ICOe-#Qjg4>8NmaKFZk=g*1oFz&$s7spf%pV7m9 z;zLJj5}&h7o@%}-Xz7g!a9W&4h`8_bU5xjP)5pr@se-73J~lehwO};7w)P&%$Ilvy z-H^hI$DhQP|DfpH_%!MdHq5Af!jD1p#n$ef_oHEx@URYHV`DCqIWNY)MeFOANB)qJ zBTxGDsdsjHxmQPd2Zy;loc;}PMzlB#ZU0fv`MiH*#OGAeATJL2Z@*20K|_wx2-CTu zKXD>=qk)!|_7*YAMW}Vo)b~c@^5SOb3#4Ck&-xFG4@SKkuqjWde@o;pG-Hd$2r^pmCNtky-GXnOY(I6| zbl5p9pg~${%_`_sFZ}V=56o{r1^1?qLYtLYk@Bgr;D&wbi1rLqPpbD&10b>*0sHx%lJl4=eU}WW zKDWj)mO=QzjXqo6f182}P;!_Fdv`~@;@suyg_I&}>9`fUzl)i&3}IYBiHetE6ugdY#PceD2PP`N@lunjr@qG0h!}2y)5OoAxl*;?B}nrXVu)v zni2EkETeMVBT|8jty>uue`T9l|DrEZ1+5E!<|Eua4dQi0fLWDN) z`gBdbFm=?nv^zEz3jY{2{2mqg z&+;iJcNppB?lb2-ZUfpQx5`t8su|xCS&y{(*!WjID(cFXmDEn@{f1bP7^uMgx%~57 zG+Tfe#OeH@TZ#M5ij}q`#QTsrDEPG z!b^K+u|4&8Vm^<2(4b2!$5X4uTXXE|K1UMmV0qdR$RXMOgturdZtg-_`57kVbJ`!` znffQWje7VW3h&B^_+Wrj^p+Nk{!c(|6d;!&7F6CLOaSpAX3h9fspZD@g4S!}OoU{| zR+T>OY-vD^5(m^lB7DgM#h%1;Z`N=Gyn@zaV!HuMDMJqfs0;$Z!3JmBTzeqC)1dDD z)93vcg-qey9^OIXC4U;1y)WoNzrr@GZC!tzykdrRyoet8O=6BTI#g6XM+3 zax}PTgY+z z!8ml@<7|nF)k%ns1zw0IHZ4Vv_0qgTcUd*};c@9;7n8aaq4q`V_v7j|WZfb#GSUO* zT0=kYEWf-#woonSZ!t8?fDTL=GK=Cfi|Amgsyqt{-GoB4-#gOW@s>P{CSV6?xyuvt z#N08$R_`3t?Y8Fo8lDWlf-7!e9$Hd=oCDu;*yO0@Lv5D*iOa-#Y*a|Z**_rHmgaN# z{aQ_ur7u}`#kqB_BK4xHiqBJq=7>f4kVBT@Q45F}%P=RIcZ!xaW!tcm&SEE$i`iPazcl;Y3q@1s zyG3KV+(HALcC$xSIr(66XL&g}lD}$por69Oj#!q;T}-m6G^J5m^-9OKp2CAaa0`If z2X$T=N^=fEPS;OJq-1^;miehsZ*6Q1e@t&$7|+;U$Vj*b=tAiZuBB`dE_?Vnm&SIO=JgAjl(??!g}&aZ2Nf&CnBZI1&&X4GW7K$U|%$J<2B~^i=9V4 zIk0b0^~HuH9A7MY>gvTa-?hA?2h=Q5 z;>}ub2NzXURmjN5Xs${T4WX#}j~?(iw(_vWpMs{F?6qxsUK{Q|r~AJS1u0dgj~@;o zN=$AZ3i0xLKF*cFHAwhH9G9#0;%w_3Hdf$JVxTxB?bm11K4N%{2R%Qls@g+uSoHs1 z61@@mPTgf?u^%!0n0MmytIkxmI;5IV46)5eSJ!FKmp~l8iPz_9f&T+WnSOpFGkv~h zqkdIV-`k5vjP<^wwMNh@u!R-%>4ZX$)DqA(ob=z}9Ij!a17z3-#tO&%lptqXT55{3WDC{+@A zdD^h{&a~<9UsTq;`;UI;g~TL@u-H{6caX~`|8DQFdW?ueA(oA`Qgob1A3+lm`61fH zK-)K`|DA83)i6Jn;mKX3vb7F!l=#GPj#MnhDn^#>FoLozO}Ui8D<^X8!aq1R1iXjz z$-oq0#~sc46DVSXTc-10?FSSgD1TE@Cs>xuW+$8NGXNKSl1sM~d7R6Tkn3PDVbjr@mpz)U_(BR3HG-0T1IB!l-BVwPp`R-G z`cfFYxSkA)iZj54D4wu%T4&W1_Kfs7EQ}dKxJPmZS$jv}Um18*^ba2lBms?Of2GrX zgW~B>4dQh3cWJ#ip$1dIpF|niSIZ3!#ZSS|Ny*#4A0xSEH^GgJC#@~|qWR}bO4Ju$ z-v79VO20&zsd$65XxRVN-Bw85jJm;kJN=d;CrkNwWVl?=`Tmt$b(-R6iF>Maj$>c| zM6*&(_O)x($=kXDAcrlS^`|fx0fb!uE9um!f(Re)XsXDT!XBhSXWV8_rA~I?Q&X5c zz{DLwxM1CKv{eiw505tx9agIhcFg04P(HlR#81vDI7I~8n;#T$SuPiSVZ=t587%Hq zFW?eO-9$kVm@@iZ#u-gq!mrNe4+As+wxO&n^V&LIl{{RS=2ho6>q-0hdgmt#2!*FQ zXDN&&`Ns}b$%6T00SYMo1=Sdz}4u1LA z!8S+ucUt844rj6%5!|zF9c~~IBriKD-~#>_ec6%WcIyvr`P=|nX{=|?Vs1#<`Dwrm z;{SzPp$L)qY>P^V_Zl8uME_nlE3P_orXGie=HxRU*J#Tp>D)Yem4+M=Iu0w@pv>I; z8g`+Qg#){;m86a=L9Xvw@UDp`Nj_mr|HgEskYlzU{%p#7Zm8=+bPpE^zk@J#h^o4- zzAxfv*DaY<(V$6BS6}b#l1`cIj^>EzA{W@N{Rj!tD$<9 zTb-8|b({OXG5nG1Uu;KiiSxzk_zWU@kU%k+HDiC_dsq-vtR7xwUDctk?#NYzq#_B4 z>x(m4z1JKtVnN5OswT^h*6z2GQY1noi+hC>{{lsz{~<+oPrm+9K9}qcIpzVBDq#b` z%JS?#pn`W*BjD5IVdbi4Jl8)~Y*koRyEfEa11LJ*1`@yMD7kIh;ln`3_5%4yj6$k_ z>9Y`VT~_1v(%g4hDyJJ~#%8|}i!7sj$^Q=dDH z2?c98i}JWjvZ53yg?5v4w6H?~G3vet-=#NSILUKmy-7{A*#jd?mN|+{{1-mx(R2sA%dJi80 zMjF_9?u!)PI-lAns^8WO3{#M^`doB#07IGTQ)n>ZuFNbIpm`9zb^Wj}21&AM zuQP%b`23C<%z{A^6?94sx1S^SynFYvfBH4y;(q%~d{-RgTe9E_noGiN7_jAHs)x^o zAHhCGCgVNf!iQDu@*f*$ov%mrm>~Z}+rJ^47a3b5fq`m@)FX@vRxZ|| z(Rkhrdod?7p5QBQK8gF@M1&4ND7ayMr*VF#lCSWvjog;$4Q$D+=cep6`H5>~QC~PB z_>wATBj0%yQ(W5yngGbs=R|@DQlDjC5)r`(i8h}TZK`yw2Cnvj_|Kt|4~yFjbU$N8 zoa*Q#T>_g)HF`(K2WDDxe>6z?;&aeE1XatjN>0M(cyo3T6IM*e4`pqGOO?l+*z<+`zDK$#Vwb^?W`DEW;-TE+FPNqmc`z@+!JNmU}?%{gboix zL6vLG%9-98-hs3A2`SwMpF(hGw97wHN9jK7|DZxj-nC$f-E}+*Mv8m+_^{VH|42?Q z1)kH8E&F1b2+qm|C;|-$FX?SB9UuADO4c%kW9~F0tm0tBdsXEt6{DL|4J@LAb1=dpRKwXY{oL zzmW)bCurTGojy{<_T%%t#1BvaTH(+TZf5C^qoM8sz#7rDRrpfUyX5z3m%MQHEEV92 zoO2##sn7vkjvSWx9+qO(v6cH*^{0x2*df&8o({S4vn+iIfW0O3j{9eEnzUcHc9B2%mxwubPn(l&1>hy7( z<^G!ZN3=x+*?9Kjn+{B~q6?2ddyP_NeR|Q)plF4h@OaL_j_%v3UrdwslmmJ-t!@3& z0G_m0|5o_QYJ52essKE0q_nEyrka|EusYd>(dDg8i)KR&!_}6BS?naea;MC&#w&NCi0eI0TzveiN58*(l1x3@zVg&RjgZ^g3@ThK){qd8#73d|{n3jF+0fV- zGeml1*lPCzwC7=p&sAp+zdi_*dJQW6uB5lETw^O%euI5*#KD(>mP$_aEE6uJJ#V!aW&d~8iIAGK%HNZg#@Etr_;eehTDMocxa-+bZduc zVEqe3hev)pkkMzUUi{I;Oy%`>2mJrz?X9D#df#^61qO-;N{WPlNQZQHNH@|T-7Osx z6a+*-q#H!KLAtxUyJXSbeIES&_Ph5!`yKm?{r=85W2}E*C~K~{=A6&{-1l{Tt{;d3 zhZi&99A$(LuHZ&7zl{-4Uoa4T>>mu&$(zLfv-Rt5^7P}PfW_`NR|GY@vZSy-5HII`B6 z?sh__=^=9DSXhfmVLGmKbf#B@9c}PPya3!(B)=8xaNrh#fk})xE5Y93$9V9l0bfDB z(CY8f381RlD-7w>ag&LBKSHDPHdG=lJbXNN+OEPnb2n2!*F^-&Pgd)J7tmeRU<;_f z_XIy59o7-jf zov*f`Ytb}?CO0G_1NhdQ6Eh?CS<-bo_}QZfXta(FPUk9D<&>rKic%W8Ao?gD-=m+y zrZT~fn`~Cq5#a}Y;YEwJ_YjhG46MOhlo?jIAB$!LIH_|xkXWN@5#*&EwjKKZWQxLY zBH%6mIOm+tnh`)Qhx8fBj4MI`(zHk3Amzz_DH&l8QN?kA^byUcYQ${G4DX>Bl~Q2_aH~D8UH*o|zz32tBv`o6u$>Fn;iU zCqx+j#OPZzD@67cDBJ9Rv$8Q%+$O6YQq;M~TG*-`w;z&&wFd@@R@3Ah41%5hQTTnZ zy1TGz%GPA4A?&19>ieCbSvleOPE|V96H%9&3~t%J>P@OJ8JhqCLATRGmd)%fZs)ER zxdQ8GzW11dYoj)HzZGxwOm({q7|qN#AK!197!-o^Wa966MK2q-2NMbsJsaAcb^2JS zEQ^W^1A2({)17<#uA*g8eu1v9fuoMeytp)tBSD6mx&URHt80>ah}`6Zy}hKqzCD}a z8r9#mTI-Yb_)bp`tsWEZO=7USH>kk3XqM0wMxSqk9Tu=dA^>wJ+v{q%YwtME`Y@>P zk&I(x`HoQ*j&^Sk?Nr5U(OP+)0wfsdq5k+D5Bzq#R~NE%{Gi*pyzwEe?>T3TPl$oJ zAv(lG00S1{tL-B~?9}bWsDg}4p~Hlen}xpvQa|6_KjBF~arv$nF+mt632XTySVPlD zW>vmC&lgY%a)9KQxha%+dq~ZNr4zye*!>bvZAV>-_kXWr^<#0hIm;AS9Jk5<`l`mcDX^fcWhvd1t{T_}dNu2T z9bGTtPde21wrq+VG)6)g1r@oj;E@iKQDWDY8kk-h_H{GEG$gBKqWl{Fa>Td%g#IX+3LrB7Gysdl& zs0Gaqzob4MfMj1VS#0lWFc#b8&x&2GSIZ(aOm!^{3@XO*07}fZMIH?N3{?Mc`Am}6 zpjP~qUbX{x9|W_v;85f$HLX@&P%<$F|3o%}O8n#NH$l^!_s_Wc$HLs*shG zq4>SPT=wh!+Fqv++t#rkU)HGQ4|%yU0VlM<%P?8cLv3`4aD!MVEpNFHwj5} zN*z(`=Mj&bKTBH%N3NKjaA>J5v1Qtpt>!mb{y=Hk2LynA5r+e z3jz0Y6?rW*7^rZH$|2S`7TdSpuyVy6>&a=?Rb#VUh->90OY$*3t9{=e;*EVGur3>* zuV1c|jD|k(6{HO7US~G*w0*#R6{}~W)UngN8gx`ij0Rlgv*O*Aj?~-Jh9x7*O7*J8 zCeqFxTH9Hvsh;zWEqz_TK?Qnz$_m@tzk0ku02)>WRDD3mx!IuXF0iN6L4s5 zdU{(2TPF!&7yk^Ofe@NLn(Nw8p$njb-rw$Vz)%QAtOwue$RxgHB<NJEJ^@ zueU+zMz9Y>(GqEPy;Hr2DRK$9F!KZOWnZC_%yswA!~vn;s+lXw%F&7T7m z^s&DPN$6Yir4PVsu9R(p##Q!W&GhzYJs!L6`!IZ1cV}7l0B{p7e9rt^(8)fh<4!Vw zeSelxx>DBK@3D1KQ2&Dpa^;C|YymSfu`FR0{{!m=Hn$1B9>0wt86NPzGGwgz@;tCD2{d~GYO~0bknDkAs|Rg z?X7bmSEP!lWLE_(X)=s}H;gg4`6+6(Lx6uoLBr=rHaFcnH{adKucA@=5D8W>p}`pQ z8xSFaaM9_oA<6O`KIv4D6!)lf0Cu`mY^LMn=Xej0a4IDp(7K1_mu+2@aE76QIm{IUd&mY)Yc?G)9!0crCgvIdb7e3=h%9JcGyZOk`g$o@FyY9S% zley|N&0IXHfShSm{Y@E}gZ35vQ^wVcW&Ahj+ z$4)x*<{rDnMOVg`yONQ2G4S>Fl~a<~{V}XA%&>0+EWdsh!xK1OvHYC~-l$$C0ER$t z@L06`XQZHLnN;~pkuRc0RteSW?=&`>MM{84P8U4o>~^(0j@l+fmaHR!i@wOH>?}Zq zF|u3H$pKa-a$G(r{=$Oo_*|n5rHPoSy^BYQDoyru?+>ob6HI>M-PvpFeUn`uAJU-) zhL~O&S9r%Lq*ZCFFpP|R5&4Nv(ff3O<)If?EyV5}9>J>~X0h{+N6V13jz^aB>@a2LSx*(8D#@!wC}a(d=>_2rXh5?nBY!S{??(J2!|6M*urPiPgiA4a=o&PtMQ z^UX~h9SW)Pat*AEG zaYn)`X&Ko{%_taUI{?!RAYwRM^ynZ}m`(_dRZaiig*huF(6#zx(t>P}av4hrIY7o` zKf!RvAi|lwW@EqYf1)Rq;riTQm~CzxAAg*F$_ngvPoGM=x`yPPj5p!<3zG=lyIz&T z2W@Rga80=?Oc@ad(0-W6zGq$J@t#-+sM74s(vtLHDg|@sx+dDMu{mukVrnjGTPI^Z z5~&&x&@wo20!XLSb5BkKrD@gi)8Tjlz@60VCUbRijQB7iU7@jVIclin0J^crhd=X{ zlOlP};vwfILkiMe7<=ukWJg+-OVm)}si2>DjJ^t_q4j$PxXg^c!YzMMYIkFcMm(Ga zqPib%_>@uc31A(6MoYvnjZtx6`D5YRR9&1J%D)mnHhZTY_M~7_`OeS*Q7It0gyf8t z)xYtTdQXA5A;33;Wf;!UCj-M>&j-r8xxIJ zV`fx6GK#9SNa)Ly`cNZl-CS<2R<%*%D6v5{k?IrUZ!Oq+Q+h+4?x9<)Wd5c916nBY zaE!Hrhz>HXUeR+9cek80ppF`8i@j-kPXZM9b489AU51$Gwpv!j!dY9<9f7o10b=pI ztgfKv7<(a#8km*S+}M4~34jD2sl;iNYrc=HDWN}aPkViL?!c!2etc7uw?%bwT0>T; z!dYNiVk%{Pu)!$|nC1hutqaav@*- z&%gloOKT@=8}4JxR7G+GfUJdGnVYjFsw4D7G7?*xQ1}f72MPcZIFDIz-ADcWb?`1N z;_g`PXj5@un1PacWXv_@C2`v@h*R+N)7ZJ5Hzbl#h>Q6!LTbH{9|I8qd?lYHjF>2B zI3FOT6Zs5GXT^{MeIG%2l=2uAC(5_c%zSh3=q;%GO@*a2Ho`YuWaqMpzj6B>;qINB zOYY$dBkF1_G|(c*Gg;19#PDnc>UNLBnl6{UAu`ig;E$(6a43F=9Mh2;%7K!NT~ZCb zLjBy897<_GQU>6}u5kn$9>;p_jNB-WCS?WJo6nNyH#RbX^skGW24Z=mL=oXGU@mU9 z83!c3A;K3lCFbKS%+@o{5957Z5)tn_`+E=j8&h=uVG>yGcwqrx-deAm&b(Oa@B|G! zQ2OMemsJ1tJvXk+RoU$1LdXZ`N^v*L%i?*RCi~jDItO=RhA{(LiZbYgPoJ#XmEKaT zn1Kd@k6-8x{kX;Tb#*Hb@bUJ;pJ^+**Hq+kp3DTHt$up|1HCQ2It{6_Q^CVq*MH7N z?_d1I0G?6LugZHrN%*wN_FBoR_nP~KK3%b0-z*=J78^m^w~kx9N{Sin^E3C8tI zwo`uwVSBA?=0>$li!O-x(!Di6Owy9TcclJ+-PwH+?6?7H1`&qO=agDhY1nq=4J&k* zU-#6lJGBpV_&rHTR|d*!jDR#yaavjHvwB!C!!RS?wpsS18M z5+?11_QqXZRg4dhJ7cIpD!P(MZbjcYs;U{>EmqTX#lo6;Fd&d$W>kLxzx#B zfkDP~^R=rB*KO7L!fId!BEOY@S`Re237`jns-h@*nlYSNdfZFUJ#3ork^6m?(zX3j z)2tiXnc#C+1*fV9vy-NM;D_nDVG%=R!BAn1K&+Pw44Ja@4hTOKO5&Wax?;anpW4w% zJzbS1XftAfEp!Ei+pC0a;JLs)=w+50%&`;DveprUi{w+euK!)~hmY$Hv~e!9Ip%)I zP3eAfyde$k-dvAIq@h{i7|q8sIBfZK*NNA;?LN(Cre!Uu3mu>6LGl7`vO7x;+zZHQ zjMtuZS)ra_$3y>&Vg0C5@k^*!%L67+ltAS7ubdfp&uiCT8wJ1mxMkt)p!J%YS3!sj zh%df^M|IcKmwvuz_%5{a+i;!|24)I%5%F1bv@A^h6LKoxvsYe6#}wV1b{k*1a9U10 ze~m5~{=a%jm8igBKo(q_zjXFwlj?GmC}hEWqMQ|Ph;L$O#HR7vbI`v85}fRG1Q<9E zai=Y!zL$Ad&SVi1lU2LSu#f6cVlXGqiJ738kYab2AyYT#L`smElgUUx??U_=_7=(eH5JI;U`t}V z?^WiRX9gF=1s7?2INJjmuhOD=MFxjs5NrNricZqpM^5R$=0pa|t3FzDjWc&=_BMkP zx9;2op^K+bVst`S!Q4a>4$Z~d6M$v_ti??>i{W36iwajDYS2PUXx_v6d^Y@q_=k1f zt>uUhhr9QlL#B(dTX#)Uu~DLzXexjXfNW*Z1_R1yIm$c_r2yeip$Jj1J2GBA>$_T8 zxq1G3JeF+a=3J7)LkF=kijiFgz@G=aJA=@31nFLPZ@Dc4V>PXDa2SaEW^JEg^s8O5 zu0_I}di%=XTqcAzFBix)M<6|>=Fi*$ zX+OV<-)+q?UM@814PE-4mp&4X-B4g+8A1c|$kD~4r^l33d5CvxE+F~>fB%W15U>rx zu@Qm|@6a`Wvy0cBGVAaBh${~p&pU@Nqpez=&G#iilbNU(xi^->*{^t~s}E&iFBl7V zD;R|0VqLTudav2za-UPV!}K%D`!SqXZpueEwcce69;#0%2;>y z6_7P@-^>+C5UccPRRH?&#THuN*Y2|0=!GA4Fm1>Fp^uU#dFlA2qzTKKs;d=#D3G)`sZTQ?LKLOjRx z03nAhu!<49v0)=UAK@t|BM;`l(qMEk*@cpHAEk39@Do0(DXMNDHP!M z$}xKhXlnqOH=W1=o__#&2;JeKj*K#MvpJysskGtC(S2XI(Hz*p7MwW?n7JC!^A#Y- zKL@F;E&QRXxvje7Gj)7& z?h-`DMzYwQd1>Fw)n3&?TDMVhq`>N7*$oU=6`Wc!-x&<#p!o;(8TViz`X=wj6MU5 z;6bAZ>K+Z|C$hO~q1M4i$q46Xgp+c5t)^=Q^X0z#w}4p{7=%T<>i;lcdRqJ>Bq3mz zYChO>W5ec`f(y8lI*X(pdh8Yj&gai&7345Eb-g{73@*dI)T3*imnko2jpNW=!06Y~ zQK<%V)77VL92W3jp&qs;ca_;4&Is_A=J@a0j9%4oVHdJ!POBTSRUqR91e58E-#Toa zsl7~i=|rpB8Z%7gk3Z1bQu!BeBz^$WqJ72w_*(+-R@3 zR(4k%_$~$X6#-_*d|C*!D6o)4v^|ST6jzx7%&OejIVLG1y1ulff9t`AVE*3-3nu-V zb?-Wzj`baK$JkU6jK*UI4zLF>*6Y$hfehdK=Z%}pPyHm)fXOeGF`F+&3OyhVge2Lg zqgYm>`AU(6`uEZzTB2@pl-PsOfbCwcLKgl65WxUPvhp|!cEo!%jThr%Y{sitA^6X_ zbeS|RZC`Ab@A>jsLlc*+NW*a&_wfOoJp*W$!H7(qI=(g2dMQgO#8(Y8PaW~Oxri9O zI+HUDxbN;Mkd`{hkeE5F&v(7P>rYgG5Q+ePM~eO&b_XMA)r{paEeuOY1NsN@&(f&z z{w2&z@hrB5z*UkbZSWM7!$3oKchSRv2L}oADn5|7GvwTP)|Lvvc8!3*qE)XGEc^_t zteVVF+l0Ij47|Cy?F8R#apO=EGY#{epLLXz)OTSLQ%`dK&0%Ak z#&0eH2liAJ_pne)U8A2j9-FtG=L^dPkm|8t71VCt)YkNR_mcgZ2$EzdoY$mvN!7j`VdVnbIy=%d0=I2{_fUYBig0dc(#$$q%J{6k;{ zD70zosK4Rp)EkJ9SeYP(o}+M%f;$HEFsPyF$FM}YvW-$P;1)Xi_?!2}aoOj&$83TH zGebCNP0kn0HyaFuORON3wDT%or7ahMwoeA#teJ@wWkGI9*;@r9N-%IcC9F0uHBwa^ z$9%cKtH*D0N_pwVsa+l6_~)o}>VoVgxVjGHdf#G$TVRa^`YHH`C+Sy@9^l)4g?#i( z?E{G@OV}w(UeF^57AOdhOze89(}#+U@-fCpWhq_wq9ihV$a{F`dkPd;?|Q* zqwgX&S$Gv!mgCgj(KX0wM_Z7oK!G{ueQ#dp;EfIu1sDvVygC8hnjEEU;4^utcHS~C zrbL11hSs9Wd4FtdOhxIvIbLP@FT=T-h+ONPQs|T)rOc-ch)#p?&JpD=XYUIZsZNF6 zkB~3~7U<0FBG4J!kE#bcYmg|Xl>Od%#_3esO5SwT$=oT+>DgD(Cww~O&v=OofKgGr zyGQYs(Ej8C5R9A$0h7+**d{z&ZDxk#+1Ip!8_LJzxS(t4lh_BI?s)31InbO|Ar#L~ zgwIu&R#gUKzi8O)eEg~pFLd4`HjH$p0-w33>T&x-=OGON;whm&g4cekA7TU2E9h_z zDM^jBK*oIXO&ksg{;j&RFU#kvG|sA#L;{HTq{V)?$oR=WTeU+-Ih0mwTj0bBAet9r?a5^7z80zhN+SXhB zuih3sbAf-Jh0n9hd3~G>edmMZ01${1u$5`yr8%&XeHPsuJVQnF9@yU_G;^cz<{y9; zVknllxa-=gDGMnE0ue$mYjs^{RD#M-6V4nY*JH%^;^P#CdNLF|Hv0|fsWdIvc|3T7 z#okGACsf1$CU9L^q9g9V&7J7lB`I+BrO3Kzv+ltl70DXpN42Q2u`Vc_38Jalw?{iH zA0~gCE0P5xdI6RGb?I?ZPjwWw#}T*`XO1pIU^Z+k+VcV!iq=WWA=vApzyV;)ucW@@ z0`hkuUqJ>#xSl1L1@l2WAC0x2BuS(UBpr2JWKKx;Dp3KY_3zDv$$^1i8Gg;rZVq3@ zs`qKuX(>-Pj2ii!Rp&%ScT!V@RL4xski2CW2?~BRFh07&`#ej^la8(^x#EW)F`(G` zJaE-(1>5V5jm1Z>|Hgo9;kbj0Ln*hU1eSU2HzR{pj@OR2b-KbN#IKp!yM|C;z<*QF zHs9qT_rbv6dw9G|#xM%XQDSs4wx0-DSihD(9-pJCmX?sX`1wHNb@kl&`umE3b&G8* zL~pObAhyqduhq47lGi#n)iZZNDR`)a?4qjl=snrp3C6z@F%$b}e>H!)34!8cebmi_ ze^<9AGP0g6|Do5Lz}1Rsj;DA`!;{np1A}4jPOe+^7*miK{K0Iu%D!J06zZYN^G{I^ zG%gx7b9MjrIqsyr2><+D@WE2pO#G2g{w7}k(*#*~76thr@Iv)pt`rmtu%B3sC~M}? z(LOs!tSF&Xq;BdUQJNp|?`wMUc`B4T{I7nNGQ4Xiik0k{moVuM|NH2n{A9Y1(7*z6 zw{-+G)qa^Qg>A|{PNj?FRX@x}E)RTTrk^mitFcR!+Py)4Ha#x zABCi8BKXYdpZ)VOK|>|7uhF);E_*u(pV6?Ylo~{hn3`6oYUR#VG|X*|Emu288N`-S zYp0Y)ijiz?ys6Yok)twILgr>Y{sR0PjJUt8&hkoLRyZ486wBfsYRUQbjo3N&RS#SAqq^Rkv70{J>nem*wF zzkB$BhAYs26I1m|-NJx1QuHw4 zzGb$A0xDL+!gbOg@HFqXF(E07Qpyn)?ZvDhmYmuqmi^#F0J=dru@CE9abhB@`E~#p zjm-Omz0R($DVL}6eotZ`$r4~-{n_MnQMv`7EHJs75v%gseypwfDyEMd>Unfze`&DK zjHChdZyqoh7R)Ok^v3v=)GooAp-F?`07bIvhQWU$nt~f@eGU+V9|lMfHPGO(Whr!$ zDE29r(iQ3n>njENenby|`OMq>fKIk*Sx>D}yiS$YS8-HEMp$~2SmWt2-;f$VJg+Ky z>Kl>GxBMuWA$Jo`9tpVdeYfD}3LRosyrH7rF_dj;SJFNNw zZyCA7WaQu;um>CHO3flbkORLw$exP78v39!-gx~9$g!N+r-7f)gz>=EDH>FH!Pt_+ zsibtor9ZRhx@IV-disY)QDI>831nKjJ0mGbkX`|(>p{!T68;!9@mqH%eTqEgU#hR@ zk4{pHP_qNNDs_`0HJHtkrn|ZkZ-ig~%JBn`oz#{*jILO0H6v4CX%f$9v@lHeA0a3A z@Mi-U%UlPB#K_QxW6gL~OmTbI zDAb00ctotfY29hm!mW*X}Ml5!rveAA$aJC+I7>xq8l;d=em6#LgmCxmRwj4N}WpK|GA_u_9aTD*?z0Qx(& z9qyfFBWq(zGIU93(!D`0sd^zHG)S5j+yHFbJm+&q&nHMy9NGqUw6Pww0#bMu=_4N! zkJ+&REr15o%z|OH@+%0DpI3pU%`F zASC#?qyHl|Mn!qJ&|rrhImRM01E^E#SJxh-i1io@6v^`rw#dsPryUe%F|_x$(R(_@ zyXrd^Iyo1fu1h{{muZ8}tGEVDtOq|)-htGq{`GYJ--6UfiqO!D93DPPlgLs)K;Sn0QN)hizKyzxY zn{I%#2?z2YsgHiSnFA3&4*-+(nn)Q=#P6M?K(PJeYphIns!}%S5PZ6xVb-AOLBUWg zW`U;EVzMF1yi5cyV6r#W20DvuOOrCjX4pF?M?!8(vtO^U1_Omj)noDI#cR=EVA6>b z^}a8j856dZD^0H@xwQY_Au~ZP-9J|V^z4qZE|^K!rx!bYMJM;*KLXsue z^2*c*MoZK)cL_t#C5C~T2ekX6-j9HNWpVUJUj>(a*J8jD zm})W@NuC4L3-oVK9o$^F&_I(cgDA9%*%n(b>WM%4)I)82iyojZ0g@pIZdUFnW@=%j zb~(Oyv*-z;9NHdMfh|>R0_cwP5VlDJ1d7ckWqlzY#(<;igUJmSHqhynq66LO2@)0$ zfD&~8t=^o+S!38_Acm4<+1odZ7-myCkx~2veP^bmysW~OD?uQ`v@P$W)PFqSAF?M- z`DQPL8bK#JoENT2u2aqDEEg};ZL&TFC=_L!-8@p{VhpV)UC_=GKKdO1_QpUb4a@_6 z4_up?Q8Byg=06_FzJ@$5ycuSuT3J5FC=?Mi zC-o=VwP+1%y#9b}7mZSQaC{$rQVx|;C#^W*!1DxHwt zET}~P)+FGZh)B6;S9q(%6t1{x`Q}7g=?HZzMm&fzm%y2D+c!|KL=F-r<-VI70$#=A z`=63B!i+$k=i18lk7!p2jN&ri)?cE1mDQG7Fe{OyHnYf+!s&n6YcSw<1PF3(pj&$h z3UsEm-=_Mh)gd4}?7OD`1UwxV+XX^G7Y~A7JnKqU z%Z}J#3{Dr1fZ9SX`^Cp>cvZ-Y7re|>AB@tUNTU25rF-Qw zz`~JTcsaiqXMY{R10UY9N7DYoW`}ZDe&iRP=d1@Y-Fw?pT01ghK$m%sAJ80)`7C2t zSvgzgw-?P`W|I+uWD6nZI_o36Sanqt*YO1LS}+M)=^q&0Dut>Naf3$o=ws87Mo6Szuv60Kyl z1P!;M@-LATPWz86)35g8s=iurlOx9{sSOi_b%U&19I9{$OH|22DsTP;Gd^qZr2#*E zLjITl5x?wDJXnL?5JS~qC$#eVd4LZNcf5}nQO&pi9`@y|=$EO=Q2Nz3qzQYn=3?$5 zy*vI|(wElJVw?6Hmq+T4OV?XRla|QZ3>;`5DNG#WQ43heGzs$dTyOo}t{c>eo#s}+wX#u9Wph}HzUdr>f0h#{lbEgaBhasRm#twgUBvxJtadfcdYB9&!z<4bR}E zi{PDWDjJSL$IEs_pN+QK?n)clKOmxt>ClxEZ!z9-2b3~)6e>}+|Dk-h0H1(K9MgI1 ztmB0}QVr`P!oG>F|KPiSNdC|G?sxC{KjGb>fAQUk+z%8e%cSxiy$+P~P<+k#gdXJ+ zs-oSq&ih+||H0SSHuMte_3wLWx%2jAwf^0B^`GnGrUW$n2R6m??s7O~J{}ES4uz zEQ-d@XN`~|;aLfa7o>_9V-1KsC!to<0)JWP?_b{2HhQj<{NwW{B+@)Kt~T#-r$@C8 zq>K;VH$j2fB)L*o^q}|ZlPDoC@>xM(WOaja{aZ#5NF0d~)?<8ep{Z5*LrH1UA0XE| zw*3^&z9R2;F@hmFkx}s$jrp7vHPOH91fm)`}Nu=5y+sZ(t$j<+@G-Q`7l24&dIyJ5??nn?>5MOm-?WVDo#{3aTr~vNRVZyWc?LAth=?>$eb$TimvIO~QiUyF5kqJzjV5|Hn z1qxE7IX?<~1?7V5_zM@U>20?gjz52}xh+P10~ltQf?(4_jj0R3qS#@JR8a~}c-uWR zwkk1mJkD3Z*4Y`h>a;U8@7R6$%CpSja!w^o1q~}ITz%?dg6s6)VE1rvh#sIFMyKz6 z`e{jUZ!5v=IN+tjnwW*t{-<YpIa8n<}=K z&z=ou9|wq2>bPGFHohij#-rB?zCGAXs=GZY!7Z8J_0(5(=i%RFV=3~XwdZ#U|d*g=A%}fPkdYPS6r(n%z>mCvpsHmsV^(*VJhI@v9z>fqQE;9Zy^QkzxWE><%gZ^>)w;kCG`Du5xS$xQTrz$Sh zp=WXvoW6$9ML=?hk3HwtQ89M@=nvchcbdIv9Q&-gA`uF7U`Pta#h1yD-<|6Q7EC^v zW^IJy`Gr=N6yeq?D>vtT*nc|u|AXA>y{rN@hbDI=&(`*~(foDgTilOe7<&zA0%0d- zWOiL>`R&;X;3b+rc@5aJ$MPUhYjQfem3$5a@7(Dg*8|uN?*ok?kUVfqYoPAn8R(iN zcOC&ie87{(Pv&q_vVJCx^v4B>XH;^k>wJ?XeD)j`;y|xL$obrfoadciGvNr^K>u*j ztT%9a8W)fPv*#XBe+qQ{8G%1biGbVo4F}J-oK6N5ofJ~t9PosVUPqSr+2hBZYGAC= z+d(%lXoPfG=`fW)f^!P&xkF!H0s~Q&{?AAEKap`cX}N@~j2b4`YXywAfj z`s!_&uP4`SWV9``PwQoD$Q#qo&8<-Va&w%xo=k@sxv?YpXyW=Fl(*H7Pt;7g^*eLSwX zzVMx|j(Py2^8InPv_nuWkSgCSbg$E(SZa(j?F#hRk-nfg?e82m4i&J>1~Trh%0!nn zOhJ_F04Ls)J7x_x-`u#@?Dt;>u$P~2O9u9SMcEJLxKxdbybzrO@q6-%p45Da;%N$H zJ6zWj`q_e^p<2!$z~I~dJs=K33WjuuVY!-|_Hs$uz+-J`VkV#UVK{$6{$6w4wR3tt zDmmlCbTbH(jm#v^`(M4SIz*TtURA2Fgze0j08*q$Z7^x-=N|8WI3kx9(Qn}70(JV9DOEV z;?}Z262AWz&A8D|&<;jWbsDVQt&L`v-b}FqZ$bJ9DCf8TZmndUDSm>h`oXF%YULY75$ z`Y1*ls>aPE+MZ2%XZ+07_b zX|Ml>T_CT?>TU7_Aaelj2kN>PYwJ?@gKWecinX&NVtmXES}K0SY$F+&zme};Mn*C( zT6CE#X{1q(E7Pz_weGY30WlxoMTv`MK@&9Ed>^cP(9diclF%Sr{FJ;_VNIp~7cu`KRaC!{% zX!Kh3Ip>wP$!ERhN?->$(ohH_V^daAVtw(vRxp5P`=CF@*Tc8IUnFmVeVEFjFCBC= zNdu*aR1109a=>OP!WcZZVEL@mjcpb;zZb#WGqBl!VI3d4d4fM`2;Q8TL3Bq8 zHo&Tv81HtfQXl8&uU&Cqw~`+8Ng5A&kn?`uX&bZl=D`g)S$^hk_3Q4^Y24WDOIgis z`uto=lR1y0ukh8b-Z6UC9YdV<_1|8P;q z%0JbMkBN?xzJAhgnjI_d>Gcv)0vobgiunS~lpDjViNz%7Tu9j=s3?>ehJuIQJ31P} zYKS3pfiTT=WM=aH|DM=c~#TM`ts^7BCn0vKyiVSfG6CTeaTXef!3t<&ov$Dbmf zA%hDT=0JUF+W1qpsw<(@pg5PNQj@@&-@wrD+}VJ9V5DUNyr#Ra;k~~Wn~})gWQh1Y z;9{RZYyhOTA3MKfVz?uv$dWkcUXHxra_#tGsN-?CVh3`={jad06jh278~eGMb(Q0L z{249|uG$0VN0&2$QFSI-bE2KS=a}7l9k9XW7*? z?{i{UvJzEBk0uTD44Gc@>+0bHx3U6&Y=;p&`&xIiqaw|DxGJUb)`=5_&*}Q3ecAeU zlZ`3@eU9rbh)zDOOATFY{7)4~d9=LDuGER|x_`s2M(4O8G%A&>+^Td=4?%=a*9q@FU`-$&D@cAbrP_ITajBdima zko3-+h;iGqPBVS)c+J3H;Pg0Ej%tdIqIrGm*Bq>l5EV4R(~QbazMC!WKfW8VGe_0U z{z=AXU7mSfNnG?y@aJYCca0_py~$o5w8UqiPOGv8ZR zO4G0$u+uNL%g{oQe+^S?^qa%P{?EDN(7(Xr|Nn5u|8C@u^zb>+tM$hby!l};u>MO8 zHw#L}-Gh;$2Xq=Bp9#W}zf<1a%nfiJr5}?i>*(wr_D8uN?T?q1mNxsLs#Y0z7lo$C zQH(4VjwTgzPEGZXQF}KpW(^H0!4*SO+?fu)9GwKqcmzM9|)8K zRI|^QT>G|6`3lZ!Ro3{qG;*L*crQMSos9}ExbqV9>{Tys&!52b^!w||OY1NQ#krSg@d;a_cZf0Q^w=UU7~X&6b_$eM zS!fxjhc-^UHfQ%?fMR&+#$F9>ggc`xe8K}MB(U`du44NV6d#*VniUh^3GD7;ELu=EHVJ_CG{=r@33H+XitiN-_Q!lRTj{VbOLNC-L zNg~7z?SLu9G_@-Bdpe@(;R-a?v6=~W}td?H@x(pEj@sLICe0;%r+@pUpI#xsDs6#lY^7G6Is5#9r zc}T;%J_vezKG;wew|UD_zre@(tw~OYoPlK=FaxjYQw7q#Pstd^CFsC6t;`{P)B7+B zGOaATud+QyhlNNm5`^fFFT((gVz9f%l;C@}5#s?eHFtdO8ncA6~h=H6N5k zFEmjD|e!(d_{N|N6z*nZ71j3rDUOk(BqRXErPH!MpMMW~GXomFYphbhmG z{5(C2Yv>kY+@_`HmMOzKb%vaUDCjw*cdJE81mqn8mw0ttSCQnpyu=#s$ZS3f=TS7* zHyNeS?d~`Lc-!LWuYH_KMQior`SV60t4f0rTpi51;TIWDy-jZ-kla)f;<%kR4PJa{ z+vYkcl?kIWjb9{AqXIRGRV3 zYN48|>x`DhI2N=zH*^I!qv{$lI8os|Rr^$QmTZ@`7dYnBfkVab%oV_)HVQEtj0~^!MmkEji6fy}>_FK~x=+qnL2D(7$}?JTV0`VzxlV zoGk`KocBBkU=&n&RCGD62YCKs?x%D2z-UlL(hw;6w5FqVln`JbtP-Bk6HE!VYLP~w zfYk+99I$~V9M9`+$KK*6yWjA>C+Gk%LTVf(3RmQxZBr$1=|J?Wz&A0ftP7bN{?w*_ zPp8r{FJtYr4wRoDtOhI?6zJq>@JzI#qPGFEQY!D*Jg42|c-nlL^~Tr^5-YVF0I#g@ zcX4`gIw353^QDUAM1~wy!Zxkd8{>Un5}>ch2QQ`e!EY!Zne31el7H2t7gyb6<$KCb z5xYLLRU!2j7-6Y5$$}t3!7SMKXbLV@VP;Rn=Dy&gB(B%*%oWMP9NAKnXHU4+T^@H% zf)}t&h!BDN_6ye#vJU2vVFlpf3*rW8&Pt=D(tu2ehD-dY&j1a&6UDQ`Yt9%j(cMnG?I{qrP!tLYyum7ErW&1U>fo2v;CZo% z^?`&?q;LW(Xk{)*M%K`?6NW$L)|~KE#IE z@FS31vp5k7xOf{&X*r5yK^~9)9qM=9I(I(<|WU~W)_kJN(d^C$2vBQ zeM%kJAg(>H3BkiyiHa|JR*NZ`$#5+_p&e|6y3L;-?X2ipBzNl#tbqRG1T|IKS9(n8 z7jqfgh!kMjxXbPg2fQ>$jPxg=iuv3K-Mhy?VelKU0)%)7V0(6@yKvsi?$PNH4{Fc~ zx%4>$kbPJ*pXJ%ub;de#wkpZvBisC3(^uvoR&Jen1LR8IUaXP^3aC&;==%wqypIPu z7SNU~GHd3=c+CSw!GvS|8l(ANj-J*;#E+IyS&?D*Y$AW&m9(Hx zlQhz~a;l7n6l^QglqxwUC)8pPy+BJ6L~hVs?f|_~{1M7_wjv7W_N=%N>kfCH!9bkL zRp;x=P=8^NaS4oP^LewaMhqrOU(4OhU*j`TZ0*)&^tHaRE9FScca%MzAG~AkBNV8m zHG6D9%`ybD(Tox6ivsXNWsHxv`twp4kDhHUyKhMR2=XQ7F4M#ek|HxD3s4C`8m!4y z%34@l!wMDt;Z9#rmnEX&hp`2Cd^m^|9O`e$STyc>Ox)VML?;Wx+z=O) zmB>OZMU&U5Hx*vJO0tW#;Ckq_S9mFkDBu62L+Xb-y@)d6V8iY9l?uu4+Dt&Du_4cC zX>Q!YG6uZuf99vKvufViC~oeQ-^-%)+VW3>f{=X?L7LN0@tY^uHEiaMOR{}Xd?lE- zDpO$v2yYO){O#7BRDFtnWwv5=r|+c-5C#!poxN3~>uobLpAdxFaxx5n0aKV{f6qJ5 zvrfCfSbLjFI8fXJ-lchZ3IFUD47#peb-!u-!5Atg|uv#n5${1SxptjwiyUX5`1&F;416*W?zsqG zBE^>c)bud#Vm}8#J~SbHV5CQ*(8lGxOuisl61U4%MmJ7#GcjwsY&=kVKVNK|&%63< z$rqbZ+d?2B8Ujg5_bbffad1w^yyRN~)_4Sdn#dlF-%B&CIgBwg;E}hP&a$EX0_4q} z|2cdmDM9_4eQQN>{&Fdf<#b1rG)$as&SRM@htqbad&TPjHBUA+%@!SFB7e<6S12Y&MXOIziPcf!AmLnd zG_w+MXzp0!2i5Yv>&rM1v?IrF98Picm@d^*uIw7yphLnvFx%Bb#7mh2IyV@V1Ms&X zg$j{h##2qysxw-EIF>_TlE(FW$S_6;c0gJYjN`Mlp*@r?oQVu(K`UUim|N0pL z0bJi8IaR!n++kv6+pi`+PF&QqF(+Jl@@w|=*8_I=pG#QsQdEE*c*-t4iXS_Wv~vGN z@$CWnQ%r@Q^7O7Fb97Gx#-Pa{{QoYe2Bwl13uicp_-hXyvJ;}dkRO_&sebVcv)2AH z3H5}P3QNw-W|ayZ3RpoFY3F?o(Ak{^A7^43llcxi0g#2>wN@Tjh3ep8T zE}qTi|3%kXM^)AR>wW_YC?E(3(n?Az-5}kKlz?=DbhA)O8l(gSq`SLCy1QGtyX#Kg z_jk@cXj~%53I| ze%gD64@evan@zO2R)cBiJkz_M8O;U<$d4Pl{pb#-6ndX*3Zypp!aXBQg&r^)OAXPp zU4rE_^1O$aAJX!?L^?J^*}2a#d<8evie;JMVRIAv?-Kg93?3ta&;-(36tb92dyOn2 z(clo*a_9H|LbQXe>h?UZYpKi#cT!4Kt6ruNMAooidRyxWPn)zzoZ{D14|egu++PcPwH zFt*{|0#S)#(N14_1O?OMvt=)+zi~24L41Xn5z8z3vRy|HOsqFvykrS?q>#0}tFNAO z#0h%qfRBZn_a6B{x3EXta|nk{i}j$?E_%Z2@prNWHQ&GL<$LCyot}XW89(;b|7fOs zV8+E)6ExumxrhUp;{QrGFa+g*dKM_tbapTuz=|Tj6gopIEH_FLXn3Tr2^jjRwZxj( zU)hV7seqWKK6`ZK>0@8%KY00zXg}bCFLGl(Q!+isVu1AJ%$feC_qvABwBj@q?5ed; z`3NeYpEr3jQ!_Rp!}exn!kQw!sjlk`{r@@C!>Smrkn>})e<2IDAk_dro_+6Iv#9Sp zk2IGGjfd`iy<$$3Y+C(am)T+xBp#&&G|G_KxnD;A3+9=S@Zq|Ls~vC8CKm2vVv;~M zxV?RO>XqN^&21LfvOx+dAYdWuzRj^M#7`6_<4Z9x{53k_z)FJA9*4wVSg9G}|;BBQ{(68#w+o*gkU zj|2PXJGl!%g$a!0<#jR;JdmoFWRhJXhKB4GqxE^Md+vKF4WsIewl16nB?7EatW89e z3gmP?gCkD#u7|zirM>^1W3E@iGT2e$H1XT-`wBL;^^_eVEGB=B*VKT~L#q#*mV_e1 z{PQF<$9?4r=KIRQteWUzK97kx-IQKopYE)X{M|={+1C6$m?Ajr8ekcnY^Z(2GPMmj zqYL!}a<4E`mldf{(b?aPy4b}Mv{I(4D38UcD0fh15^R}^*gvr^XGQP=r##<(ZhLT2 zA-mfE@9{Gs{Wlh}sx>D_qy#_3(o&bj3=&XtG3<*dV`sK|TF{H?f3}%kkn;>CLxTp3 zx5%Io8Xj548#qQfL51@Q;g+rDR`sdL{x#u`pK3P(=?l8+P(;}oJuqMFSDag$L zKW`*^^!Y9Kj7I$8Irm|KoD>D*kF1pAG=fF&g!7@9kQxf| zEx}6);f=gfmzlkYmaBmTR*}=Jx`dH9eeTF4o>i1bbd=027K^Eu%v?^W@Lt?bB>kGz zN6ou-u+O`qqenVyYb$GY95Y3ihACxfTIwz$&P^qdg<6T;7$v|^(i1?kF7YKdu_5UC ze=YOr8}YcyUw6Q@P=>vnKHoZpxWkC4+JqCKq(t^@|5cl?$X@A?rhCU5uSQ1MIWz%jvHb^7iZxgPld{C#4kW@(k@!!*2d@$v)Q6g@VDb`V_qj@?%HP`X_ z?wIV#spKsyhtuhuulbOWtCM@w58}x1vs-qA3;3ZVebsW-vAM*2^q=+PMPlK;InDdr zaGTGWO+14-__h^O!i~7)(3@#&+Xrix~KWilgCCE!43wCX7KmY zT!>V^iD;szID2Q{c0CaSDW$AqVTnyD9~5|@>0++N&jUlWGG|<^0}Z9Mq3^REU)Pw~ zjK$Bb`b9q$JiIhN=YHgx|AU)h+2w8liIMKdJ3%q2hV=Zc*0vd5?&}$~mrZek9RdRZ zEp7!j9`~c~8cdY~KNe2bo?H0C&fj_0iSUX~*Picuk4u}+FMrooS7vEiK~YEkoDT3}e2nsq4y&kTOVOz4#@XOGRT3{?^VNui)sI8sFa8yp>~E zB(rjlo8#HBZHbCL^Mdpjaq^8#0G1w{7+T4-gS4ZfnDNSA>8P?r4i$J83A~}n%l0fA zj<*<-hsmHl`vPNixH;*q$AGGGx47b@lj4+2tS!&BzMq6xW-whY&J&G|sexYi0$zbg z&P(V0hE$-<#%DbD*G0wU9JKuViFYqzaE^U>w9qJlco&|~`+;laYR$^(;QmEGPEHIu zU7tEuh14!kV55gXgQ)#>GhwOEO61k=FLO=j8`EDHF=P`su14c}rZ_KA5s6@waxZht z9Bno>@QA~pPv?|4kxyXmUp{XJo}y8gAKNY*pIbi!&&JXxy}%v}mCc%((y*Ma-F|OT zpI9)K5O;J5?<=UF+Oa?U?#=3<0~6$XBtjg)H#ZG3xDCfk3qZ_@HyKx{dhplO(s|ue zUa{bl3Y4H8O+4grc{!=mR4|0K%B!Bni)NG`e};MaMD_YaNwYq~f(bnFyPAf*b^Ltp zomG@vi@myRHPK`&Ue@(t;s{wle!Un!aOmwfqp}liL`eW1-@5pk8_$Iq0i~yWSSXrr zmCrhrG;xe25Uqg0^br#Mnxup6nafb(ckVQ43yQ0Gcxj=tqk>%iRa+5tLz%MZaZHd9 z(fjjHIY^6Ft>a31MSCt{~k>2M`h!B6Bzt>z&u$I!}SD z>-F#iuI{zMY{x=SPod;YUUQN~1Xv5=IUZZ}Ku{_s)qrflT$ZWreGLxh?zKp3EZKmn z%2+lSE|Lm!DRShJr)JdiQVBw0*)JnyvtD51Ja*jaSx0%JEGZ+SrJ^EJ7Izl1aYoL$ zJEI;XLTWR?@Vcq+BBJjKz9^lQb<{`>zZDCaaUpoh>2LB>B!p-)#yM8uuJSguHl{;m z9b^&H_zu5)ZmJ?f6d>--neTCnQplCCVA78tpe&jZZb=^k21C$KJKu`V*|*Kw7`_<0 zmea0tTvu>5zGs&Lg|}AB9Gd4U?^swlUx}_Zxvt`OBPTqKALHqn zF%uYEub)dmmeODH`fV!9F7^`cLU4^%u^ZJ*>5(|3!ObtT)j{2yi|D}R@rX%KRns#y zf)&Vc3Aocse*?W3oZ~;9T|Poa^w^R0!cKxd1lOC)u|vOZ)R-hx~}`(%r^~M zw-V{dIJo$;AA8rljN(wvLTK5m%qhrRh8j-Shnh+ZFe=iNVXi+$+x1xHZ`S6VVe&L7 zQ{yCrIAy81XNF4&Q>*Q^M?qz_+S!PA)%R~QY&ya}DEI`u zue#PBf4R7lPtz;!z&$%p)xV#1DNb4SEsLB3u>)kTe$-KcK-Z9m^Fd`I{2Mu9A_E38 z2*RwGGT`=kM5j^d*mdMk)|l`kLABa!H^xXcFSig5h7*({|7P53vLC`N=b&k>Y&s+2 zb3NN?^R_AsZ5Kr(jkpNnAp{-49;c&kUVmYJp_0t-P+8=Cl74J#{+tNu^NMP-TnWv( zM=tkg6D1<%j!YXYa>g_4+y#>w_)e%NA1f|j{e!J-xpw@3rckndkYU)g8{M^vSgYYt zTal$ey_9&XYB5^`wW;JSqhtne%_%lhqM|QUp6@hF8k7kCT{T-@-<*umtDkmPyNGEp z-fN?jN*~7HuQHx`Ec4;ubLCY1_UP;j=DvYLB-e5hb^<3l9Mg;l&jFEy($-A#%e8VZqG<}`4NU)zMPg26@ z_+GnQ=E@AAFAI~F6o#H%jRj5IRa#zzdqy_mCB>iR--ic?v}L%~PM0+$a9A%fjds$wdou|@M&x=V~MmyDwvJ1%8e zbXTUkkzx}v!Du|Ubzua&&Q~k%V6P&(C_S#1H_KE_Sj@5pf7fz(`VV^TXN94okPt8K z-;Vr=TjyfE*G>fHL5!#0M#rB_(uoS8zk-E# z0~bf>p)fH_z5}bA@0+*c6TyfdUB6hh-$aPNkfcZywLC$~Upe$W)we5`e1$z?5=F@? zKd%uinh^8`yEHegTa&e}2lknp>s?W?!HU=0MuAp?L1g;#Qxj_6iQIT90HqEY0WSh* z;*iIxlJs=E+5ZTk`vS})dxY-rFpJvXy3l**(ho?=x66z(V^o8IL7b`=6&`CxSb z|00+iN?WBz+|F;=6W?UXpA@I1rmbG)Fo2iO{xBbWs7VMSdpLIY&?Xxiv1@-%P<7tw zU4`Oy(mEs*&h?62`Ei>VetfdF3_SIEIPz(y+T(`{;;uOvfcm1FtYl@}0OJ1S)SlGU zQN7ZcEkZol1secRN9Sa%m_fR`ss`;nUmh^Yt zwK*RyT$b-#l>Fs$qQKB9lvSjvJjOW{7lt<)BKewxpTyKs7yHGruuurEnSk0>+3d0E zJ}wli0@jb1UcaW@`^H;t-FygnJPMTDiUdg3J2!m5Wn(`zEKW9eHilr6mHQtT_I3%z zW4l(7WVM6j`dQeA2nLx)Tji0$9vtS6CciH0fXF#e07rlO(EV-Cwwdcw_TuyE37n0% zJ&t<^SzNf>FO6v4Py4eTLpI!8DNt#x)zoYW*_A^Ihz%Dz#gR&Xp;CcHiyi&pO*C+# zvF~$@fsQMeq)DOk1#XcTf`E$5T*+}n;j5KI6xW5jRJQlNYIqjlFS1ID8^UG_d83p1%|sNQbTE1h<0khmi~n_*pgtAwQu$1mf2O! zOt`o(jKh<2T3BahpanvN`RH{OE>~UoRxl5)g4q`1f^2sFQiO!ClbD?jd%{s}Z5r-A zJ3~Q5oae-=Dm!-KRa_Mq2!scdk!Obv*g=NZ{j<-`Z0t+lA$rZc%K?^_7Sd^~Cy#hk zL0g0SJ-&NQ8A`xsbMtvD`Tdt&S>owCx@{Gm=pa?ALbZw#sI=6mwYX8r^G3Vk^IZFG zhn!Y^K>^A(_RaPHKcK3>FrJE_#1uBV-iF3xitcM`H6`;U36rv>N1pOH?X;?oWCequ z9m2c@ic1kg?ZQek3!~!X?ULiFHwKDjc@i0=5@cjxNKR*pYpNQl;0{yn0Z}%Bw{vid zuF5~Nf-E6!bR^iu1Q`b(XPNFyQsV8;T{;-p!vV=f**ct3c~6MGcu z30vl-#Z7pl&tYfDH6#6F)BVHY;`!FKdgi(qi>9jTeRZzv5z!~J11;@c?JG9jc4Fpa zAeMur?Ct2lle7oIvhs?p%iqXR3C1)68to(o@X4KkPuUn~ItTd|Unj+$(5gb#XJ_`i zLlw)`33u})*9Ywt{Lcegqw}ETqq(oV&@CcNpQ^9FziXk`$W+F17d_~MsVytO>O5jZ zy4c{iR}^>C3AQTl2Qn!I#ahtb%|t^fRYPV4y}V`93|F!DI9+|k$vZ(IH6cgCDmyE~ zRYC2em09*oaidLIAqBv-e4Y#*iQPBgVf-cE37^98duFpQ*qxV%$?hp`;k;>n5z!E9 zcwT?I{zFgaQ3&@8-?#UdQphQbJ`9FTN7?sqzt=DBm8Kc>sP z*9j&lupOQ$CAN$%z76|WucOj4VsRPxMc`GZfo+DOsk!ba-F!%j6tq?N5J{j!!2n^- zTNQvyuJ_J_4pBx@{5O3y{UsjEih$wpI8sq~2!p8x4n^ zo`ss4T0SHxOpbj@!ZkGCzg5L5Rot&>Y;0(|adHZ#sAlG7(uDIUuxxB5omW0r&XH=Q z(QtrsYGePgyOdKO_$4CCcSd5jxx>P>`3@Fy?UZBTXjm)i{U*psHw~SB2vhu?Zi@uT z6ahh1VBy0&p+Y{q@kPu3bT=yeXN~3lR7g)26e&T@BmL0rxQFV0p8Y1<_<8%Vt+N9z zsge+f2v(m+Z|?F3y!7wz%Bv7jzSi&RM1A1xp|>)93|6-R!gP80mK4v?#q1)~YS)zw zR$8#Xh|ju;`!ZsHK}^y;UQ=Gt)GQkfMu!NV)Wv)E_Q(?+Yg}4*wguprJi(03gRBg) zL8)SD_$eyl+@E?+Su{7zyrZLTE@FPh`?laIDGRNymRet_WReGr-r3orB#~#qc?Fd< zm>D)XCf#12$v1?Cy8OIY*{o7(|9&ukVac}7_2Tb38>j`jDEVcJo{Ub6(Sb#I;VRs3 z?~a^PxF9Y*|2Bg`Q^|~@e(zRxXauCSx?sfS;^&;W>;?zn zuN$V02zi~hPgdVNjoaDOlOo3y(R)Jt515&61c#9FN(1}plc?_Ud|X*JO68|j~s9iM%6F)#LN`}Np)TC|O4cX+qgVA#9Qzs>{O9Iv*r9!%)OZQK#be=?YH13c?WCtGd&drP z)b!`l%Rk!b&sC-`8t8vNyAiQ>7cJY5Q67DRElDK9IwqgVlY*?x)++B1`q*o<7oL~i zfrwJ1zZCXu} zPQ7t2EQCMEC$*U@%K`b&`el^;;SC;j&Zdy4Y@O{LETOH{%pZr?b+(q|{yNYai1`$s zY~S&GkB?YhvKXn-yiOwWh=#GyWaxx_8tb-$DACuR_+VqkiKdhT+<*(I>w^0C)EP2^R@`L!P~5~6b2jj~0lWO``ov96WLBgT(>Y-_%@{c2zpLl+AQ z-obTnA2NU3UIywRg9LQFGIE4BW!cr`nytu4=g<7Z617U~WzUPB6+}=wsie} z@b6y-8Xk8np`63K`qJI%)bO^=8+AzIw=CqSdc@>P@ndE^qB7$l%JFXLfrYsb6@zX4 z`MELBs_a+k!okr`{!S;ZcqBG=>sEjJ_1OV~Hze*$f$!_`l%+23i{OjVoljs#iwX=% z75y!9m!lC)>5A0JjDv&n)@ppkIv2k^izs=gn#?1&9w*Aq)aiQz#4dFV|Yc0yaN7oPqxO)Pc1`7JN}k z5zhM@WzTW$U-Cd9beS+9L9U1g(s(dSh!C#^cqRMnO5R;f8aE2Qj+SIT>W2G0GlU)X zu+apD&JCq%PI#E6lI2rhL2}HcGOOmp!{<+Yj5IO6=#9ufjI9qxJye)uy?o%vV)NPI z(P9IA;P4*)!ixvc@UHii zNI(er<$Vjy1I6v(w_F6m6LPu)?m{Ttk}qIym$_pCo;=xp?y)C~8Q$#$wZSkQXZ~~M z*B4yvi_Qn~sexAZ+p;Yih*x@@FJ49HvHlld!2JbW=n3j&2mvPSEgPldmXGDtb9dcc zj+LkRi2r;Um~k^U1$Ez=SoA<>RT}kwAK^ZSuCu@?uAreovN$-=GQv>9e||x925&T+R~(+{hP+=48zSewzx|;Bg*vt8$=5sC3sF#g z=+65+MJIo(M=Z&1vB*j=XF>{6)pZdVDMbUL{r>YWfIjCGjmv1hs>S8MIG?ySpD4PH zG0*+{WGt|ek<$~Xud5t9N?wMNV2Lioej0nYbm*a#e8P=(Qj8jRw-A&G+aQ#zILXYu zv)>c%b0wDvh#HM~6ED+R!u%o(!z{o4qs`LS4PLhT&+iTNrN-MEA6D}Z-wx1mCS|q5 znI1@}yIs$ku@Mq7r_^1P^6RM?nGEEtrGl6Y3aExf!H^x=p}JhmFL>I(%9sOEZdE%* z2IZ+dqe>Xex1GWAU*Li%D@B23sZ%#4-8b{)BlyA1SJ-U#g~IS+VaQps`p-WH691q={{+ybEor+?_A8o=EaQ z-=7~}%)Os*t1_DN8$Ygfg7%vypG5A@HCmaN3_81LYu|ONn14?qw;Sak5)v{R`1w9X z{?1U>%*<@&@uM(ePWR@U8l9D{_*g1y)7g-Nr1Cv2Qx<$>9~JbR6q8yf1ybwPmJ6C5QUt>6N0~_-y@J8UfpQ zI^XkhA%Bq^(^6fb4Slh9IQOmQ)Q|s#y#Mony_R`-IH=PHr>AKJXg)NWU&)3(TUweU zV1$5y8hkD}#?C!mGSYbfHg&Rb*9q{BVa`d3cAH21B~zX_*7pBPF=S&BUuA?0gSuX$QgK zF?8mEwg4sLvt54Yy%QU#L=AJk?mm@doruSsZf%H+OsIvktZ^Fy9~A~NMO!laa2a)S z3JUBTY_u!wBYbPrX}1x6$CcqeBjSudq$^9Ta%%EysPlEO`iTpRii)Avso84weu*Cf z7|eA$St4|lWmA~8HTbZD6VqCn-zD~kVL`ZeFh&BWe66NKqZKG|D|gFrw;uY*-Z42T zuTtEGvYyQAv}Clh+evVbipOR)>~rYh>YrDM&+J*6Kcxlvo?R(^;Pukcmmz(4QF%?p9B~gW!}1q1rxJ=jP6W^c6r=SIKn#2 zNnXBnTSHaC0t9`=-$U-(#3>j)f+C+_8TxNj-}z08Tg|x<&g!bkuDf> z0qq_WBTnGgUzQRQFLT`ZkcGTld(;#zzj}PzKjTo?*0k@LCv{ea@r~WC-_}A+>CD8f-Gr zFl&$7$gF|>q;q}$@I@`|yYh;PBtHG|k@Ayv7r5UmISXs6YnIpgBei2qvq7H42AhE~ z-4>9U8Ix`6U>kqIOE%k`C9;k!XLrn;#)a0OE+|FXbtTTt=n3ovxX6!M#6k)Rmd9`{ z_QC*oxBVo?jIgpMZZm~UETu77c6ygv;R~E6Ec}+IuC`V~g`TWESatccqs0P~$*22; z`$^Y>K?Rt&tP7Xp4LK6hwfD6n`o@fL-xY)g+)j_YCdI;3i*7B~f;W-QcXRWz)lRpk zuUV4MOBu*}3%^ zt$Mbo4yOgu(hHl(DTRDN&D41~YmM2h=ADe|M?%zaF7$5s_dKJM42_e3PM zP>bu{?o@-eO}o*4==a_2GeRDy+;z@R$5ZQiWLN|&0Sj|-c-`*)kR*88Iodw*a4I}(>FN;8!Qv6@@Y+9rjiQ*uLKId(ppXc9 zD)M(=PrBMu$@VrgUCw&?n{MzAwH&ozopgFksa3Tn)&;3-d`lhOH-FLp;TU~MBVeR? z@$~!Ib-%v=Wke?`Vq|l6eohy4E))CWU)Gh_&zC6}?&*SW9s#wG*YXIf)k&wHEKXl( zMa74P;<5@juhPJ$5G=fFh1sZ|o|blE#q1jeCM-KAN8vHY{6`&z*sRRV)BTaU*L_L6 zwQOC!!lbLX*!|Zw5sFVN*z#&KMaeNMv~6*XJI3-nLFaUsO3|~{t2xN`_7yib5^Sws z=T}BXjz-6zd{cF{@ac5RT!Ze+;x7RY-Z^ID0l7q;rP<3M2&)lqhWv0PN?8o4&acLF z=F&MwJDtxXJ|=0X?*5mkPJ{u>gk+=1_Hy_Z3H`p(rVKRts*$Xd-MMW$PNZ62g@XJ} z&B`aRSIcoc^+?%ySW;4lhjitbg6)zQ@+v;j0m<+uFSLG0raSO_sa$J{Pm`gHjQyZY zuw{CCeT3`->4D(9w9};3r9)qkW~$`vEp~RFml-2R8L1|Hbzk*Tk^(zc<>iK%$I9^m zt+G08c=wZOe3D=7EMsFmc{H@Wo{jQmj~w9e^K`nb^pnnL?w?Q1s&X=Q0b z?mG<$6AXO`w;tQuk>cc1Qpff6H+~dhSePTsNvzsXR&lY(p&YG|=e?!$$u2n5VRyJD znsj%%uE}oVbIr$RAaK%hNLdUyKhB>iuPR|JpVv{KtKorjFwi4Ux!5HN};MytImDt zZw;gbV3msaqkIQPz9WYv=iEMiy>V5)a&xbgxT6Rik3HmQ@}l;vR>EK9CNY$N?)epL z%qz`O4(|1dIu^1|uJveGT54);b$UMd)ZZk|AgWG`67$+fBlN-=M)RNwJ6}g`BY_9%=F8Nh7OlE}W*yXP81Z9vI2|drbTQorKgEfET#&q3 z$(Wf)`+K+V_8|K?I!Dk8IMHIiiCte(&CU<(NQa7@aU%QQFQkroFFim9Gn93Mtz{y&{ z%sRtI3kp^exq+RZv&kQB6xGyDQnQ`c=RGWNM&|ldG^O%9ycUjNgh z*J;%kM0Mxm$`i9;o*NU5EeqUE2*3LhBD8A#7s5O{4VaYa)xY`3G2ndqGo?7&=neE+c%ge}x;b>hc>Q^v~fL4A64O64lnyrbDkXRB9$a%KEt4VbsA_TX+ zwH@iv>D!7EP$n;6q;pqb`EF+ z{!RUhi90ZOa)M6s7y^ag)JS70u%dUgN{I>mk~d*(d0qL~S0plXpeXyM>iLQYe?fyI z^V6nk21Nw`Ch(=V_C!OS{$dj7$|p`yL&Gg@!2^zH4m2>-XsLw`=|#_iqJ%Z~k~f-8r) z_Jt}Fb5n=iX_sLi8`$Fd_VG--3XmZbAH}kQy{*ngI3-E|3H^d_mC5hMc9tN484%TG zPSm?`9=cU}S z1Uj4cs-{e4e@PPVnSqZ7UB>T8=CA1|HiW4D?w%qYMs zgRUjD=!@KnQg*#>yx~1mtm$=1tR}-f9UVX1w=oP{dJc!#Wd*c-?@_f5iF@1A(Nmyr z^2#&hrpd?GIl0btp{xJvduTW5^|DKI9IaE3BrVu;@jKs^&Qc)Y%`fCU9?+uFJZ4ti z>rZ6*k=M-WzGfuY&1@+X@~s#~rD+FqhJcFoqBkTkm+OmsdQsj~li1rtQI8vPeYJ&t z*yro_fBWjfC=}zGVwHr|V6X>q>BLc>BrOSl7l7I)vZUfBw1s!AiVe)WM*S!(Y~LCw zXsC;H*uMT_Fj%uiIOb6y%>b1tgKa>d>FagY{$!Q9zGRU$y>)RZZjO?c{R5)HH``G_ z_!B>O7_V`c!aTv8gbT`}XB!*Fdf6l4n`Jv+k0(;ILigt6MJ#iY83`g~?aEo3h+j;w zwjybpYZr2O@*RQg5=8&GhP0yCJj+NlvNWv1*+7LiQO%x(K-vH&kRnga4L#`HR5jD= z!ejl*`ha%PdOm~-Evf-nJ*vY=2$qBNg z!#L2?W*V;DvbahAzZ%&s+31)!r@gI)uc=H~PG(VGT zVez{inAMMu&U_!8DbfqULnoJ*m^YU03?B7iM_Rlvn*9;gDhB)gX|OCg<769aXt0g! zTD{xL(*yQPtg5)R8VQVYZK7gmc%%H+>VXLfQV&a~bLLE5SB%qxyIphD{xBklH&sF# zcCd_Y_Z>@b9}K9+(;3u}ROys$Z~`VK@@Hk(LPFk@zNlzuwI0XG7eB58Y|sm}xz@L~ zP)|MHsBu?XO9Z>U#PZ-iYBwC?DV2FTzBqU{H#MNh<%n#mc0~T#@o&!|N3G)~w#%~Z zjyE^@zSv#8#S>pelJEOtd19kbf%%Y=H3d~GgHEmZ*fEd~&}o*wr8pd#>)e(&L?^gv zb5{&T)x3Tu|K``}M!TlcMR(to)o@WB4zo$o9C11N39qMtSR|Gj2ygm3CDhoMWUVFs z3gc{Np2u}Ge1NnFJv+PFpu4<=f%tWcsC1(fzi36V*hM(68@j*a-bfiVG1zV?9be&a zofIzHu$zcLDHEr4TiP($@}q;-4b8y@otXJVzgNX+%x zajMpGVzUgl!K2Rk+A%=RIaOn+Ehx1Sq5a~qFQ!QHPr~>XONJ)KHUUm36_fLM6SpDF5h!CJZX=th9gJ!GvzMi_*q%-Svdw{ zr75K{PLT% za}(dxI69dRGJ2U+wateW6;$eOf7dWHYxk@LXDCv0qwAP4u{hgmoGnw~=_5Lf$QzUJ zx&^_CEzTzQh@k0RPFFzcl+E$6yzW2U#VL31SCc`L&2Fj-YRHf$2YM%j2WcZvFErxe z@R|Spy>eoqau5GS-hIinJUVU(sE6_Fr@^iq+~QSY_21I&WTP;=>8z2xv{+627O?3| zm1#tgZa~cI6x4wWasl9eCuDr5#nwDe8X8$*NQRgz8^U^Wq)zKTswg?_xToiN8v?Dr zkrQA_+?A}Cmwf3DtXT$(YDbcW*}>70`qH(1Z`^AKbTdMjtNE=v+PaD}RTJjpyPEW3lNts+qJHo8r^myQI6&Fl=A#uvckYLn! zt$U@#Me!ka=ljyl&F4gk#Y=`kfA#M)Jr zmBF=GXfUQYiyNPPKh!-pXmwbD&A-89swg*Fs)xpakz_6^8i?Zpe|tGnh3yi8{KobE z*WfQ67mF-!k6Y$;pVlb)1nBm<2yNSQMp0WE4kjT%oltqx;50#^%0MI`EzRk^5=B## ztZMm^+h}rb26vL~tdJK;C1HQou5)zs&D~HR+P128gQFB_L?!fHm4Mpd2nl_eL93?3 zs--f;`->~_2;alMgJR1Bno{Kn6 z*w&_4SykWnqHbdJP$HzgAuLpCbB4FGRbEU?N?&|G6e!bkSN&Y4zwq_PJ18kj|d6 zvYT=}(b_&G!f!@Vgz>6eI3#V<*TkjAm(;DMKJ`PvDt_Mu*G}>AJ6Sg`KP8D7DH~Zd4b;ZJL#jU2Gnf1EjGqtwJl>R@`dy` zrTq2t8%3d_j<8RYZ`U$I>d#+-WVo*pWO2$gb0jMi35FT*Cbow*FSoZ(X01Od)0KUB z%I;|hm)-?1N58c?8O#}hOsJi3BDHn$^)bc7H*z{iPw{rX&=jI_3` zox<XtRhU8cY^JI} zbq>aopjvkQxDUOFar)x=Y`D~xPi}E@X}H*ZCEJu7vn03Hbu)D;lTx%GtLD>EH$$RM zg<+lhrKq|~O;S=}45iaV^g2*Mj{@th$~@=m?VP>6HnAd$sMdx8R=J&rZI+db-L$givVS&0!T&J$M`Xeh{c9QI^ zLC95Yyn{R31DI_WsUHX`nF&WIuw5&v|q8AT$+N;c|Bx0Q=Es(o3m&2Q^lUtfx- z&H6{rGh#hDE2u9KDc}k9DSdjbxyz$h*>-AZ{*7IW4{WxRRc^ci6bPtv1>OMGV{YN< zbL2;?vL3fAd^raa(&K438x-wdCd`PCV6Rx&@W>javc&&cVC4eZ%T1jre+ z8fZ*&=OY2{im4C^3adk?84fvRWY_u=n3rItvs+!$j;j(Bky}tu@p&mf&MqbZG@xD@EpzHST0z_pn8GdWpyNi3xR@(RrS_#k1|s<|f$U zYz?ha=0H%R=0ez~-K`A4h>a{mb1?ZhA7?p-_U^p<^a?c^Bu>}8Cp&m+9g>*MbIr0C zKGvQ!BM^F!)!uSA;lq@bl{wvS?&fR z%-OA$O*U(3Ae~Ci(vpqS|*q4y+vLi@Myi(_{Nya9SWnzSpdBmW<3(L(uB$tCI!# z77tz`_gQW8SM4h6$`eOurxhyHc4M5mmJ-%1Uw9n%Vv_xZ`~}cqYM0k=&Tg6tpNrr1 z(7$W$g{OJwzwrEOT!Sl%Q zl&rLrt4@|*isB*uWkA| zGhW;j^VrF~G8iMCCaps7)7<9Z#W@6P4n9oqOl7hdo=ocJTUkUo@%C zWmj3maBPp)f7@RIcifr*Bfx}lhV0!YYKmI^mMUp%4<5@jcR#kk=1_y(Xn~zVRsUQF zPnMY*CKg0M;&8r{Vdqa)lst9SvE>&H92Hd-SFH4x^Rt{I>x>^2lr$$KNA|!A^&*96 z8n^LHt{bOyRO1&b=P(A1_*o@mhRW}h-m=RmkMOt544C2uu;fiyVBr!O?d^WKFM?%I zx6EAb=a$BY|4vV7P*Cu%7OQJ$%zALMuNm=}TtMq9pUka{ekQ0MZ2h5SZ|d4O&&36> zp3BEYYw5i`jOC>)2rxV5< zfj4Y`#Z4R8x$#IvYEAR}?{0yNCXJ#Dk&c)q0u0!h>`($1?jDn3^LifjP6}jADaPS% z#zd(YuGYg~jRN-f3f&3REOpD7qOOlc48c(O;1r?Ls;bkS_8mf~1E|u4AQ>w|0pQy!>^92uJhqaz@4f{} zD2f2!o2T?x2LQf(P#$YMcNwGmU%XTx+8!uByMd2k@n7j@E=PP)sFAHJ8*ByGE~Ay} zM~19>T)xcd)3MC@nyy~U+hH;CWMSlJDjOv56R+12mf zP&0Ee&~q`!q{xpS`hp-@&FwK*T&;!~kdc(;;=opH4JFha9JRa3c5wZ!;u+Hhz)N(< zQYJ7K)iShJ0TY&e|9@CJ%do1px7|-bC6o{(q!mO&LRuOT>F!2aTDqAaQqoe=APv&p z(gM=mDBaz42JZcyf1dZ#xh_6z)&^X2uC>N^#`E0w?~aKH3yulv3HaPOlF4Jib3=UV zX{Op;-RHbA#Ew~UQZ=ON{6_xkitjwg#RoG_~gT1lvb5%)Ym? z8WMvuOhZ^M1N-ARUJ;Ohl%Ps?uqF z*fA@2)ZBt>4kjY#>zQm05=-%G)rF)c_f2kVlaE!cCujT1hCgTvCMmz%u6upw@KNat ztFqjH`RqY_ugUY#krAyLE2I4kZRmS@yIxnh=4;;rgCZ5-;KZY&-4o0VMLb2tVU&+e zFo?zzk%(b4egOS;>46KZ- z&+!rY9gn33jp#|)Dy2P=M*DG=ml@P>9UAJx?#2krROspXT6h`us2{caB<-eVu2J8= zkLS4Bh6ELsv8)oTobG2JN!$T%Bv{wLqRZGzG zId4VDr7WO+1dcnFL@3?p=`~L~J%egZfZ$_bey0k0R}?K167230tl2+2072}+>q_}0 z_yyzXCh7qHGXCg$>bM+GJA~cm3eosFnDw}5Y_z#PtJL^g$~XxKDg$_c)AhOAcwYH3 z)OQZ<8N*+!e1y^gA;9G@s`-wyT2#gz^KVH7Yqe|R{l~8~Oy+Yc@#AQtL~1oQFStpF z3Lb8(R~s*P{M-O~`HiJ_-%i;)$cr&yEvMT=GD}MF%l*Ozh#EW(tc@r%b_y36ri;J z1_wsmVY^sDVmKr^wGQih#|SMIqnA+nj|bMzZJNKpEk-#GVx76SABSb9U_=U~$ov2$ zYdM}zUSR&1*a-ACEz`g(`I4NsS!8=ST1(13J39O#C5u3GmN1sZxAffhUY}WjxoqGgI5T=Q`D|0sQOs)O&r0+9q zg=cqRdHvhcl&o(olSDNBp$v57`ZSUDO(N`4Q@l}q{RU_a@9}1PE_+;==RpytX5D`?D#|27O^psOyD$_ z8hXg5QSbU1z?&k)u>Ij7-agCgM7|@km*x87gz0j?4C?m>H7DZMx6u?BxUA`dA&1@} zMUDjmc>Ghj>bR$QyK7?={0PI(W+JP0k2l+clZN~IF);RKOOAII1B8Qu?zvtx`CzWY zOH+$qzkWWoF$yGME=_0g7U(~CxUZ*6Hu#Q3UVff6H%dhvR)@ZO-&KyLRj0rUkO&Ma zw^Yw1-2Z*LKb77!N|njW%E)%1(^KJzu(@_usXgv!^I`>=(Yop}&0cL$SYyR3!+QrC zQa*bED3FxBPT6r3;nEr5dvC*q{l)?Zx*e+x^PsuWAzN+?0^)?D-|PcIwil0{DcYIq!=`#1wldqmqKOQJiEtaAT>t<> zl$Zg?4B)EBQ!Hz$bUhrwybE`9!6|Jzy>UDS{nDmM+|^Q4;lxv1f?7OVTWYYEE%V;Y zH>WO}J+w-V!)zSk?gS3ivWw%q8g}z>RZY$Hcb3c!BMW|sfVDH&a9-K(l_^ac9uYrM zHVW@JF+c5%XGDM>B*!?lM1n}T*0c%(15X*jR5?Yr;{2K5yzE8H4O}z`w9kZlr`0%3 zS!x-XvIJ6GOS<=ov`0JDNVOB1-5Ubt+R~j5yPI*|tK1XldRAUK@9LQqRMy}2*)`#o z0ArAladxJtBwbRsE=x9biU^nxqME-%g(n=f%8r^_z;FF*Q)P|E^zEJM>mQH_dIq>= z-d~STZA&k?1?e=|)nZs|7RxQr3&fRUt*6hOCuw$T z9(`Z;3cTZd6K=y=>nH7$c>Gm?9IL{nLUH~@fgmqwAB9JMmfO02!10E;L_BQ1?(oaW z!phclBGhj#Gv-v4<4s-j1u2z&Ep_$=&XPDeR{pG{e#uJxR=LrY(+?b!X%afkjqanQ zYTS)=Gs83-+_>0q?E$PRndKK0)hCGj&PuPWg|x1>5YY8L6sy|uVb)X_(mfFE(S(2K zFtuPC&stmoPVU0udCpyESQ55X3H4137JB``Ji8f>flq%i?;evFKrd!Vh2!%@;0rPN z^4x}=6!1Gzed*`={5_kY;bca_>4<~8pP&BGT3MFyRk_TaUD zAPH9`Q9x_ueOzT#So65MFj0kW#b)&7cTe692zk0Y=pOX&VR4qf8D_!iD= zttjimnK<`z*!LB0@Di0Xddf%Obm%ay;^8{&%hFf$Xl~&@hsV6B)x{~)#a}~?vT}zn zcmgFIN6BA18K91t;Z`m!rFQEUrC0yl|NevzcI*J5z}6p zqa^RIZ-S6}UuLREybT-Fq+YEHLCybY@)pq!LI%347u0PaKS%Z#n6xvM8igo=6^zh5wjH5jK)=b1RtMOPii$x{tm?o zE~i3E|1GL!VXHwH{z~4PVD50sH^XNFo0CxY*U9A3y0jf6~d( zkxjr{UnI^j+ayxfLrXOlo)jJKhAuyS)-$M`z{#pArt?sAlnCj6NJMGITzSIqbiw zm~&jd2n<|nmi6|wzVH#yPAo{Vv0BIJNpZ;eT3%pmVezRS{o=umH6cs&x?rX4ntlEF z_1qWc>Lj<`l{>&2Uck)uC?g#SdQcZSIjM(@Lzgb zHw9-r_w%pa!@+JWe-`8)8UeJeVJ$hm5nG$fgqk~BN=+%&V1*J8IAYZ8Mibyk| zp!Sq`?RrEPBFrP>2iR5JbWVj#4JUuD-tE?OO~1vPPX$`Itg1b_ z_k{xWf9tcNTq+}AAi3%G!il9e%PoqLon6r_(=KlVk=!`Gu#jUneDj;lde(1f2_#GW$i|*ftEM^`oFa8!GMydbO&;I`7t-o~GeZs;gznMPt zQhk3#+0;Zfp1>s!W;wMnWDotBnUZ@+6VOa(|JXIIKgm$S9kA?CzWh+5dPcV#-h;@- z_Qc#=Uil(HH7!-7Z7#-FC6nOM4qP;Dbu8C(bUsn0Q)Cwb+VHMtWL6Ld@z-;{Z~RT| zoWZxS@4SqCmGV8*^T4S@)e~VTGkYL`>sJ5q6IE4f1TvQtijzRYk59rqgb=9E3C2dz zz-2YaD>lRGwT8>-ahSYw({~}1H@{icLuwy#VfjC~Hb~3h9R$XmnqUnjx^LNw4f2oa z%xiuX%yTDVNfR8{=?-LLcOakdh*4sn2@~^U_^w=GJ`eqIp@INW%@GjO6%{=iADdGR z28JC|1uZRAMNK_D^Zr6g_JS8%R&ouz)7J)_$6sMG+3W|>4$FXtm!aGy;X}B*IoM!XMrfY51gWsH0EzI%f6@0m`l_mGZ?rqxxHn7T zQ+=Y8U@v_aUN054KV!&mqaMwp?NrpstBK6~e8c2|^+8@@2vA7@+W5r^^ul6jF0yN> zj@27I&S9$Re6AyPoh(OW2bDc`%xXmdbcq81>!dz`z?Kl2au0Rf-_r9}SOTd+_wgVI zjOO7r;spc4Z^)2?UgD1TSHLW5?-d47LT_5R`(^Y(2(gZ6Yvz7N);uv#1di~!CPd&l zgfv1v1q4dT&_t3Tasx0F0@!n}Jmp7Qbd8fkY_{_~(VuiYqn;^Vz6a5&*0>D(&;pHj z@Mn3K@|Ya9*^t;@`_2~5jLgHhnS+}1}K{M2jX9egdb=-^1-`m2QfcX$$LGP>BI zzAGMGE|_j`Vo&6!6l_nIA|SQU&Dvk0XUBV(@P1J#P$1>rkq!FxMu7}0_ zSqrcTzPy@NaG7}aL!R<;X{our`wecu)ahc2#FeY;xWy9p;Be0ROBuJ7q9nSq=A|~3 zqN@DsRIEziELOj~`zjd`Rrpp5fXxCo?)`)s$IZBBfN90)Aang5FW{7%%6;Kv`|!Xv zLz;A7hnb0uiMlfw$pdb1AUShe&wm<{U*R@6tHf|0rT!B=1XP~tUkD_K2A9W9e{f-j zSNoh$rs-={;WFFVl5qy@9j63H+{v>ERaP}96QofzZ^HL8SwDef{%9EVM`g&6O-nxI zOl+R_hOErCHVw^94WHxZzrh6H6JkiV_KzqyI27}~-&1QKeTA2C zr(v6WbxGgA;#+|j;7rw6Rvh(*$Y%zx=CvwvS^ctCeRBxVyFjseJq0Vtd+F(z^qDb= zb>>|82VUB1G&FrJ29P<2VrJm_<+Hz10zZCX+`M+u#3Nh)n1xt;$DM1OcM|Y6mUCJa zP3@y$BBh?c6cQVvUIeyl)qEkUv4j(NCp#IZ}W@Cz>fuJY%}J zeGZP}G7*DRtTFDC?($f`8 zlwW@%nixUnQ7d*zY*cCLWO;wXJ166>P~bI`TOHQ?zbVLMZ| zIrk{s`DMhQp-30cVL85bsIFMxuA zQO`B=VU73Z2j}d87?7h@W)rGjQ)tj&reI!UI@`~2*ZqnR!}tF?1rGi<4BY-&rTjB} zH%&S)fCgV^F~lU%OeSxY^EunwnzC#{9n5r{pSPmi-5vRz142arx_uEhD(6UdV{VI6 zjSzG%eraCBeJg0w0V(hp0sW!M&uf1E$K+d`M(BAAw*M_25_%W`<%}~{!%k|x0?>*9 z>B_|9l!b5@L}zdnP+z~vF7m{P6tFOu+#+!Usn-b`Kl3Ee_wS1D2HbY@X2c+&_hPtd zFW#I#1{<0Nbn8Pia~oSgcJ<%Xremt;E}Wz^02Hs?6=0CYXONC=6Q`lcIlD)=4G`d# z?XZt;(JoLpDDt(Sq8~B1%HAt5%$5OxH>e*ULnr2gv+HaY+C}>LWs&3M4VY8G&M&fH zM{xt-jpABvPntYG&-zsKwxggQlWhCK#$1yG9wHr^*0rxki7tGZoymPjE4pG|ay@bH!+aMQ;9Dcxl?-PO~ z*Lkga20D;AB`!VyVd2214*o`F?;bFF*OeKst3O;Zshe`JAR$90exps1PqE%&R0rc9oR84zxY15^wtaci{1Q47Lljl^KY1@3RG%RBc>4(R}FWDTH7DQ+7 zA$vf4mcqTkd6~0tPnTQoY{T&Euj93|&4?nyj5b|=N|v#0E!(LtVP5r#6koGb*jxt4 z6Zsua4S&|-T>ngD@yqSW&R@*^aDTXrJD<}RjPIU3sOKMAkxD$V9;!IQ*RW%2kj*6h zS4x}5C=o57Rpx*D>U`Z{I=aP;wmtPz2R0}n0MW^jemMl7M+G^WGHUryegTirgvWluONfv4}+*C>!w^K!;jAW8`W?In}|v$0z15%HU==Qm?a%7 z7>hq2-8})EsahUQMHpaPjD%}O1}#+{LL&MDepa)poVOfL>}uTCEkLlavYlX*f`8xtRe4he+4Ts0nvTLu4{*D*dP){*rI zh0%H<%$(!xKuVRZ^wN1t$yNg`gyF({m5jSyMp(SLzb$Z7U=Rsp))*UN9lk&XRfiM6 z6S3i??k=%!w;_4Rp>~&F0fH2mhcn!r{YlTBl|652nuCLK%Twk-TxdSpvz66%RGCId z{8~E3vZ8O)nbJc$fI=Z7-+1nIP`3h2t0HkAT1fKt)+rea?u^%05 zw`44QqAU)%kS6~;G_t{d?+oK~G-f672Kd`O(>UQzg{y}_Q;_GoQrC(~EEqI=RlR|`Nw zc$h=%h$@~(cE*Jrv!H99VJ3i}j_Awc6#3&vK>-H_x!H?di=W!WDdn<7XpM{2%t;y! zZ6BaL0ZH%0GPF_PSkWfFVEsmtu7U3M{9QrNa?uRve`k{-NMjDqcY+VN*BW7>1eIkm zK8XC&Hv9w(mUT`x58^(n%eUkEQIcKLqyF{D-TvM*boXvwkWq`(8c=+BE?b$vv$rR9v@PK)T4*LGG(e4QvU=luG&N}kS*a}_og+H z9jj8f60YE5&(^f-E(t*QN|8oOIjma260kgksabnl+g2!ya{j4*9s66Be`Ow^b6xBC zU%#%4v;$b%(lQp*0?bquS=scAwhWornE8)-dpMmj~h;Ze;|H%}9I+ z(u#EqfXW!z`i#4LCXbWI_)0VVQ+m!9Z%&xvhQUh8dT#K~1iIWTt`O^D`ljjf;3_OdR`n~ubb6b=QJRwKK9JY%N_yN%l@{F*==z(LoL7->f=pd z+vG-t6o>6tXuLbpa&1&fs4&djCc~pG0G-*z0sW$3=;_U+|8;O+&CSaC+HVYES(~X~ zmt*&D^@+h{k*5vPYfkp00j)!W!xk#mt4VQ6c!u`nO4|wG7IQl6s;OkYrB}X`=X!i! z6Y=%Mbc9$X{`o=y5`I)K$$5IBOZ5a{obpd{EEG^iXO-&i_s-r&>B|jhkT^Oj$K<%( zI*F1Vn%y!hVhGP&Jw5hpleabnYZHJ@&Pi{{84cN$RND~t|F#q#p)t?f#`_?{v_?h#gBt|2=MpFU=#IG!4I0bo_2 z#sVsk$KfK-`}wW;ALpn{RkiBxxUwv9WNns`YNX1SjPj=vxC{!Zls8XKe+Y}N5)#`V z2iJo`D+JznfNG5!9RYM3{Tx5Kn#b>G9X^!Zdg-1Jp|FyyqPmhSN!%BUtODHrCw=`R5@k!jnAvgU5{*qw1V7$>IUb9|FG+XZ z7qbquT%dq;u{~gB9J=rSWW9n+{iR+@=Pag3+CciceJ<19vHjXi3JEmj6zVv?rROd1 zaBg#`F4c0rX(~W;3vVs;lLh1vS@r9H(XCbYSz(HmFB}H=y++)EXb zkJoetZjPzXFKVr>YqMVi!QC6h%^PTYBK}RsJwKExI4PvG{KcnFPG3{nNLk5gnKO6# zR@ZSA?WF9Nfc`#J?gyw;-er}<)0Cuh%L0GFY? z9&g?#J=YVucjCS!Z55K_x~mwitq}Vq)^1s60Kf~u1BMxcCc@c zMsLq^M2~QM%V^~h02BWz4Ob+C8!$SwM^wyf^{ZTi>UiJm>WUkX{{9*Ccl##x?xO7c z-W_wm;7vf}x#o3z#p>MJUs8brbs2_i&ZJByrYh6qu7ln@nTr$=(F!O7dqA}DaetTC z6Y2+@zX!x10`@fIAh86_jAOtlpN{`_bDD-jLq9t`VKQvm*;&;)r%Kard&=jM7o`fLVx=t1*w8zE}!fF}c=a@5|jy!V$wwf5FspJ8_9 zoLaPLD?hg4uzQx1{#yQ@+y-PZ8ud=2*`VrBzB~yM$ggzdA%slUPGIhOEWRtSa{W!E zqyajoV;gtt_uGB+S);MD<*c-`C+$+l_L}H)b*u*ot`ojMVtxzCpAAIYnwp*B<$pcf zF+*oNaU1~M@arA6co3n6Z>M_QmXlGJ#r-2sTG(IyZdxSDNdqxfL)&<2oOeuCxQti0 zPVWd)Qf9y``XC6kVw=0tZoX5BWMXiYg%!i)=Z{w|4rW>NyK@F);k)unv6INQYmAh1 zJmO`A!R<-l=vt?qr7hBuL03a4S7T2>Q#(r_-u~S(6!23y?O0bOA+ zE3>)VQLAqwmf=%ZtFCdg)=A}L1^oG2MVuyZ!X#pVC^<>Ohrbq0#8W~q>k^8swdaoS z-0T{E;Z!pXf3~P{RNW>Ty;6`@XFqOF!bMxW;E*qv_EX!RET5hn9b75pMQT6Z7_oYL zy|WfOp`%w1{GEZxP!eEot*)=rYo72x3yb)KL_`q3sOWfhNi;HyzEY+)84ElFz{UEM zhf(hJYq#MEzR!u=JjIq>^Ct_Z0m_%fW{Ig@=C2VF)6zQhnQqS4>1f+CtBP3$`#s+K z4J1tDx{GVGPo?4+Y=vr|6lN;1j=HK%?A8q?V_wiPyVxn3?fJrKaTRZT zj+sErY^5YI1bh3~mYdDixXczkU&e6VkrkOy_o%S(Yajx^3Uog@^=Hew%fS< zK|3-J(08B6sp?p%&RT3LiVtzn_H-3Jtt2GAlaPakfaQ_glTEffAfkQlte^o-&HUsn zAMX%WJ5on<4k~ZuoT+9-DJYGiebgN`#S6!P>Ju^G7!EKR-)0#Z4PGJqp=gBUQRFGr zoQy*yR2?&Z`~T{YiPYo(CsCeSpTbKyHOsMTEQipeR1VX-)xb?_D>*pICpb!I-U0ov z^pp7WLpzp~MJJuW1MS6kX$A5!3WlJ6rXjRgu<4y5CC1s1t`B}rfnkM3O-bq(43;fF z!4DewbA>S{bvIzzKMdQx%=E0vgSA60c6t)oR(yb_88x5cg?olRrbXCmS!mXLg!pG? zrawLoBlIP?++pD^@jP@>HYaU?9ms^q82aMjdnqUg|~M$O?>Zva6Q?&O6fmd`cY_M_j60bW60otscJ|=ysrJ*L2Du*z);ho!HIc~Sr zLXYgSF1^FA5=;0geE^hC`J9<>$eabqM4eLZTKpPkeF|J(PP5R6KXe>Oet%uP1h_;1 zJw2>bfiYlBEivPc??2R@5I<|=Gk+0EY!v3U!%3IlWa{F2iqt8}(H9zfF|W>W*QRzyD@V0=(p<8 zb9Km4VBmqsFJ~Pa7vN=L0CFvKre44{@_NHbVDQkMJcxKv%iEZmtk9I&!h#*vqG&X! zM#vWk(?p3NkW*c)f=U3yUQHYbDZ~Tt*ZY0bY34u*U_P9f(@ms{6h3ss>tFBbs{2TnJRPXbgf)nhP7_zF`&gn+pR zIEo+-2CQi~Lf6tj}FQ)Uj z4i|&hf!>mJCZL=+8JP0^LA(^am;vNXKuZ1-V=(k3?jaJOnS@2AKLjgj1CW%Lm9YRB z_M6AM$2Rc5=x743)6bhM8IO+ST&uB${7GFCU4jQIHP)xK>^PLH&O1^bXPIYL^@;23 zm#mlPZ(u;kKDW1c!OG}bcaKUV{|rFp@ve60hK_Az0tv6(xX4041~(!UBjL<3iISp& z1Np)4-^k0Sc5G!mCOP~Sx4?pvdghMCb**tc9iRSO*;1)&`$RCl#(opT+^Nf2VtA%9NhlT6L!uPU2>iWLS1=g8ommZQKR_EFk{O*+x$aK;FI@P-7o7BO zvSm2ORaIi@a-3j>OaT7m!qATAtnQ5~N$~M@w48QfJ5aJrw{)8_9PaANmQ`uP8(N<799cc#dR%dv#Cl#Rb zZ$rw+U2S^NH(>x|XaF0iOGkcS$^922@J9^I1GH>~*f3=b2xJ&JKEOJAC(wMyev5#` za^%5q5;%1WK0YnQtSBqL0C5Un=LPv-E-uv;*Yl(FJid!dxL5V=F+hBf7j!#Jtnr z`+U4}E}g{G*4gy4r7|Y$KD|agBj~sA(ZvpPaZ6A?*qU-VnEN#tvZc+^H+p!m&1-Qm zw;J9K@pldee#dZ=pSJ|=C&$|d_s|Yh%XHoC?98uIaA23imEs*=OX>Lfmu^eHaeT{> zPn<}2tlY1@Dq0;gh#D{fI%Sx0$X)NRehBmK+6{n-HIsA_CPy8CnBsS7eNPJ4Ujeu< zV(zIuCjuKQVbDODxStGV#$eV*_GSXhW_-UJM*U>h=1NO#)8{axrW3^bpoQ@nNT|Qc zW>do0MIB2y_jx8nXu_Z2cD7AN&)D52)gCJypp<(8Z3ao2I3WVPuasRA4$3o1rXZn4 zOKgxQ^1(6~2xk@I1X8g41^-@T2S&`N@=e$B&yKr?oIn|U&`!y=CBoOs9o_<)0aH znGg|gXn{ZXd%Cs1@u+5X9^ozjY~tM|H!kNU2@;&+yvbwpnL+{e^Wh&6FjxvqVbvD^ zt?JSr!n@ln2zo$MSx69=i11V+KoWO0yAc=wy4XdK9r9>RW4|Xj;rJ^qoAKcRRezAr zuGnO-096Hc?Yl0tZUw?f0aFVcRUe2&un^%IEl3!j&}TyOIZu zS#s8-!HHtICzcy_714&qN)1M}xiB-h>lxja9#?4;fk-!K&gvpOc-oheyY}lE-N2{X z3;cXuO>DjV*cif&#l2s8Mp?O5<=4BWCC^7kcC#L!B}kc?7Uh~|fv$RoqnpTG0|SGy zC_H@3b>xEsRSN?<&EybfrQ4vMHETrpdpXrN&VqAU!G(bi)Mn4LFW4A?qzS~17-k4T z$tn4X@t+fSH=HERHO(}z6Ql20O+lW1eF*{ zytgl2ABMlxsjuwH<4ciV1+?l55b0voT&p!4e@Atx=;QUO-#y-sy_^>OrgQTb|J3Dw zr?T99``5ehrZsl6Uqoa5KzI`Ui4qV&|G@!$tcQCu8(7)5TYmLBs3ru&`Fd2ygAN8n zu1pP%^sW&R`Heab+bipfCN8T>uh|0bZ>*z1pb7<9bv-fMmB5+)V>}L&tV)JHug`4< zMidxwv;GwTBJgON!+z0e>n@1(0U-nHCZ^DL0N7|YvQU5(hQY)OOfIf?K7jCcjHIfV z&^-xtd5XuhK(b4WiT3B2|JmsTvNo~hm{vn_1}I z*7Ppuh>SbE!J|6E{4Gbw);~HN(S-{<_jWd=XMnQ{TK?dh+fbE8Vtmx)iD=sw_|-Ja z(6~#;rCwUW{`v<|3#k#X`yfK;*yWpCqZR6XdmMVKtS>

nqMz>PeHKv$~V#n;{? zSS$Nme)IfIEd`*PH+T5s#1`<`*H3={Rl@xZG zSc@&!^TE%1Ih=_QgbjaAI;|XUpnhh=^zK!Cz8O`jI_E=+%DHEBm|Tdo*N!b2z9jQ?487 z9{_60to%jzJ~*G~WaAO8nrer9qQFMol428;P6AaBNKcsfQ)|U0M)J9wDh-=}aLRAR zLV(3SJojQ{=*%0fwRrYOB;6X@pBkKiuwyuV>B76h6M4bdPg0^A2s{)On*s6HU8PF1 z%wHg7Xhfm?UvF1%ZV&wHu3*lnSh`%kOyS>kHbA9Az}$5cUNkpv=)gk*REJd@YQUuk zhQZ@KziTYd*roC+OFs)zvI(+-{veCxnv5P2Ns%C@+b=4J9P2y3vdwmLI!SMkbz{g*|CXW*9{z;0D;2}c!a#Ed=(r7}30BjRd=Z5ck0i2uZ;X$n0 zOd)Rq;e-4G?#Reo$IkX#&l?HKz&h3Q4RD@GF^|L}&7kGoz_P-1tPPA@SJ)DWPKN51kgFxy^TixZE|UpTT))jMitZH@8C1)Z`S&#T$_y(8T&} zDx!J_FPXUR2Z=oiD>SDC9N3hC%Ow=ZOtS3R1GF%a7QDaWQnoz=ES8*oI+Du_)LGd| zA|0|7#O5pgGkny{1kM6}TjK?U#fE{;>@+nOCn?I!4J-_}St~yFW%f>XOVNfUo-Tuo ziLw{01fWYZf_k%z{2jo0wsGt1C5S85;{iARwtz=T7J2ynyvO10-RRK?7znuG40*KC zl7k4mU>5L@A?2EaNeMw9sYW>4Nd*=B12^xSo2L0n$r891kvC~9;K2_C=f9qVIIQSA zas&qOi%G+%#`2KE*wI#CKtQ1+XY%B4 zy=mar7q0m5(>6Q5i_%DW;AbE~SQW(nT_r~Q;*k(|cD$AGUum*og$`Zo$~6Th|ASzB zYioZ&IiPR*h1z|Ob(e7OZqCTw1QjeR=XvO%CijQ&r(p;3*dj8js}*v-eOsI_ zSiYetUZ^xuq!a%&3QMB*Ibu5AI~3rvRW%l$2|tFp-P- zuaSmIiMj66V~(euUhSLl7cPe+rxSyqHW$fe)Uk|tao@;Xx5ql~ggXZD> z-fg`$c=D|2_vZoLOCjkbPAO_^`0RgWvcWk|au%0+N#9!+2KWb&aq51K3n0%|JW#Y-HhC$YwLhTz<71%yvoPnNICMw zW7-{1Ng}3X0rMLc%nsDz&$w;RoZl!WgeRPW;ZxRwVu2KH$F&Kdn{q^a1ihU2(jEV@ z@IMPsczp}7L9!}=w>4ev#u^6%izNoIh*a+k{F_FaT&>vNVfk&rTWw{bd+ zoQgNIA+9Bm<(6J}TG|bhUvAS-$LbUi+n$C5f?EO7NB+TLE9tm`BNd0@PnYxAlu1E^C@7~F6gc~m7Hm} zujT4wAPGuskjV~&AlccA4ye0Zgujs>FlF9}i9>zXTguA%xCt@dthBws;FWzGK3z*scgD3X~Cl^PsR;%ic^I9{XuqN$WPHl09l_D5pVJ6lm?sCt zI%a{1z?v({t^=RlDh3otI93+?^rg)ry|)DEL}qwuo~oIE+8af4)i-u#y45N5N`le+ z!s;baQUtdwi5^E>{E8*M$+b=Rc-zgmMUkHzQIW(H@#a&b6>~V9rmak8SUWRN=9av@ zOTh);ZG;R%{Uf!GN1+7;%dk2=Hp)ky8uk!U)`gNE>qs;-^f654`2oT|3hx6HdWbCD z#(iG>-kIi12?a6|Ly`lo5~mM+U4qVk3Saf+FJ`C`ecSL?OrlvjJ;b@|%j z>pl8u7T3!0NS(alH-HetXH3E2 z_*fH9A2Ax72YZ1Pd1}J@vTXltGv{+9bG2&Sx^%r{>GK_+8%6Q}8z|6`N?9~Y^Ieb7 zXDORZfL*Ki{j$#2Dt}%;KvzttbgVHlg7J~N{vDe(98}Fu%?rba^##7oK*S3;j?wv( zo4?FT0F@9Nguqn&MnPP$-7T{U7o2mzTApbz=+Q5)HfFnp+Hk zgt+XKEik(U)J7t2%MFlICU7xL6^LS4{?}S!;`D*j{j$(rE*l03K0=BcT@|__lmkEt z-c5B5KaK9v!x_-GZj~+(UVoQeFySgg8AhMLGr_OC4psoVgr`BjDQ?nTNw7$ZcWUkn zgq4+=rlzDUDRUlNz@c5-wtv(aZADH-55U)0 zDL#MD$!DL$HZXeSG~>viTtny5lSO(DywcMFl8Jn7Dj;IJ0Yk&DHtB`sS}4Ho!DO|` z3LkD>=}lg*SL%!o8kyiHFtw<2-|c>UwQ>oIq!kyuScjz@t3qhEX%hKv>hU@%mbA;b zyIvFLVI7i_PF2;MR;;WO#WK>$?H!FFKAJS>kmr4%)l>XVL7Xk$`5A z8M671Gi_G-`3MMR6Ez+$H?Oh3EL-hwULP5Wl6Cls0GLKWNjuY_jcx@RoSjRBFh1S6 zVwttEs`tiXYFu$K$Z5P!(6_ZvlmJZR>r)&H;J*NH&9<AHWb@}NZ*^sPJZb%9GWgyS+)yd`@b~&O)HzqCI%pEPo>U( zO=jznY~;n!Wy)m-x}ThY{ume;ng1+GOEYWU=3=Q@13iE7bh)#8XNDkdyrDpQhKt*5 zrb!!cU=-l>i+VeU&OsyCQuVU?OA44a98P950E*&ovIf1r)jAh%I@O)J6wevq^Rw#r zJkB7e%7|g|i29ixPLUX^GnL<-Ds@K}eV45#49XDx)Ff-L2_1Q!~ zUEb}jqhETAj`;cEb%P8Q)|tI!uj2B@JC&n*x4=BhG^+?$M$8tuoetlG#p2Fw>YH1n zWv7f32)};~mm!zgunvscmok>T=y$LyWMc0J+{WTE7TNSu&^83>71PrO!NcD@%?mz@!acJc zopdz0-^Kyot+_${c%96QTeOSE=CHAUUpA9oxSgj%fd&Ek3>=}kBpeR#^4avqo2DBu z_HsK?eV)yl9}X{_y3Dj##EYs!yVQ1ZT$mz>0p$0verdwxNb+;* zSATR8&UC5hT&+Iu-^npjTD_950I{@$Q7lqBe5g9{sQ0y2Frdx}v&Kihqxq>~dJ#=b z#ZH%&Nf)QajqWzaaHsuWvI*XZr08ztIsz7Q-Cw^WTc4z#Iafn{xkd!a@_H+w?hO~! zjO-2Hf3|#Kz@k;HRx2y^_Fg^6o=5Nyr0iVW>&&6Cu?ep#$!zROL8oR}^ZSJa;sGoB zUuQ~Pr=(A*N>FwEjOZGk+xG?;AO*tquIT6o;A?ssj^CaQ3G!RPBZ?-#Ua-{DLxt*^ zYT9_k2zbrFEU(_NoHvUxS-V%&Ci1Or-=Cku@OLDxk<0TZ%NWp z;XnWpH-NiNG!VnBvoPeJ3eBBl-~F#r|LgxY`!}>Oxd*BC+9(%H!klnVX(N(zoobVB z5h`0xqizwn!$;eLZUZO33>G8JJMKe2C4!V`6YfH|k;8z4K3k&q`dz5D%-b5C^N@BP zDQmlOWQZ-U3SJhv<2950+J!W!0eECoXC+a#XZ!^o)zol$J8T~?@>y+8R-IIiTa8Iz z#ElpB$w-SIeocn6zB#D4AwQ;Y+idy`!Yfgs>WM=uIZgBYt*#UmyRxchtK;b1=R|VM zj01GEH0wEVVg z2(+<&Z*F27YFe%p@RpU8;nByl+Vl(*7Z>~Oc_TiU`GH zP@mkH;(b~{ez?l)!ey!ml4@#swAWK-c8mtXGt1eca**>N;8cMRTAUyeF{$+fYg^1e zdXYjOb4)U>=h*)3fdqYKs3eU26iCTH z@m}=mBnu^A{8#G^XRNIeq6b||BfmvwEl+VDy!#Hjs6K#8IYC~tOF2(Qvuhs2vL;br z??xy|5`gjR>y+L5VMdndc~8a-2E?qnlB z@9ajRvV$Hvr#QOrd|^f1TY5+|-alP99*Y9wXx#00Y~#|6>$u{Mnfo7edsb&DD%E}M zEz?Bbt-iGyyGP|!Zm}EDcC65v9=Q$MrhTzhvq|#v$uU%Br?Ij7KU}?aRFrSjH9RO% zq6kPMC?F^;-J?iImvnb`=dB_kNGK&OAYIZi42X0L-NP_+58e6Q{+?%j?|R?0W-b0; z=AL_IuIpUq?7h!E9D`G@VGZfen}r+tMFSazV7=Y3>B7&!2D00;Ba8wO-Y=dXs%nMx zf%@CKDhR)uWY3(T@riJ`?xE3PaO0K(&th$&nwdr`3B=MlI24cn4QXVH_fmWH(ui{c zbh!fuOq-9`cH-!P8}5N)FThh}3{JKlwjJx=W+3>&gkziI+8S|O-9SsuDB3bLtCJ+j zd|eK|{2IBqNev0AJ;h;%pBiCHOG#CnmQ_eAnJFq}@R@I>wtsi>%eFn46V<|I56|Yi z_g*SjUU#MvK5%L3Q8m&|lGAg3d-Z!@VAg+aAl-6pn*+j!1NuyT06g{Wl~?cOND9B8;F z5?_43`D<+=07<|SlKMxhi5-2<%?#SV&TI)x&8TD%wHrc|lom znLXsg%tc;#qN6}E!mt4QG;Ynw`yRTH3&EqDpPtyZ#K%|n=*g|}tP|FZxa`(1T8ty7 zF&m@**UY|#*$#`$h`}o_V!Bm$!G`Dg0AjKDa*+T&u&tki<2`H06}|{RrW`m|ZMj%o`^u|Jh{MRt`l-ic-J|icx0sZ*#&4x4 zYR8H5j>Mqf<@U73txiSs`WejKM`y1L)gzK_#9R#Zy0Vbc`Mpxgq3@-V#(m+euceC| zV=8adtg^#QG+q6j+W7|I_E1GT184BsGNY{bh~(29FrCHvX>7*j8@agD0igN%^bfcU zZ_G9-y-1n7FIU6R<913jUwDz;&xzqlik!nO8!^n&Bc$XzgH~=wYEJ(TUrhx+}1OAZc?u$9nKO13p1~) zvrun!6gw}=mC5jT>^cL@+PIdDukEH+%afeH;GOKefW0>M#tCj-ht)*37+X^*J)$A= zSai5qg%{EXG%QYf`g{7_4MX^u_U^6Np9bys0ao07i_E^yIyp#m5HLf2vqJ_vC{vH$}I<7riBVh#v5BE`*UG^P`?jb!5F>Xq6Bp%FsDzYwSRmV@7!yrqDTT z4{$sUBhwx!>_ia94M*9IHoSU8NN;?x+>@5S_4UQ$@JNCtBd_Axo3fXl^|a(keT#0o ziSHVZ>HT=$=*X1YcrmwaZI*0ExZNl&UW4zr^6!SC9#MoE=PJByU0;F2Zk@$ zMco7EP)izKL-4M$9ICu@Wj*ZORty)amEO1R82c@ zQ%3Y{0ia@b>bg1FQEdz9^mXUe?~1}N0bbd|HuvXJ1b0`~R^cZ*;J!jw@xFP)M_uY2 zFnDYqq}yVO?22q=#{26apaF8yacTx0wWz3$4nZ8EOsR+DV2{&#R?n`9gkcmzMt_r@ zW_WC0zWV zN#@R<{7j(EaZRG)-TKDD%~oZ(uR&RlMaty?QoAg1YAWLLRAH*w9KAt`3z?tVC%r$X z-)>cj_vr_p>(P~<@y?5KPJxcfgNV<~IX@I}66B9hPp<=da2HHlAw%%BpZvwZLwtfE zJ5O=a(4gbZ{pZ~*((l6e|0m(xS0Q=^BP)kceccl&F?9U6jDcIEkUnq_flxY`?f)zq|@ zsQL%6zUjNIbJ@tf|I$N*<3*+M#W3dELaTRUnnly`z~ab({1+*{-41JtCg7Z;;W~e% z7%-@&lN>2@d(n`@gUG?by?du#j|3*7c8Uad=GO4jZ@8EF5Ge$q@)_h zHu-bR*3_#QYP$sl-muhEUT|zBV!bvBG6knUlo^RFm^kA?0&!KSMGAIdhih<&+qjWR z`G-k?%TxF`!4f{N7wP+&0R~vawz$g?{Pr@tF>mK;<8Dy1k;(vWO{)!G>X+KqYTk{v!;0}Y7PmU`3r>DI#lFf|I8uABeoeS&Ob>i6kgLAKHqD}|J@aK+ zv4DT((oxzjDzU?2uBuh+>!lr%h3BxZ*v?v!@|U_jn3Jy9Hb|;$p32bIc{Mi#9@e!Xj|MbURk4MyBp?i0a@zP(Y2jK0&M~GAh9UGi+fup7W9R&ZyUfVw4Qhj_L2U_$3vgOirODfn7~# zn`zxOIdW=A9AL?GW-jh_{$h}PX(_k(lEovE;Mm^5 z?mV#VW-^n0*Ty+Gb8t$T4yy3sF4qN`cHTr*Y6$CR{ZzeIlwW7n?4Q?-%D61b>lY_A zgvx=vcW9a8d~f&JL)1svM1G?nvTClLOdfcK+ESN0B6d&)Fd% zx-gX5houbAk*;P$-`c(Gpkce>?P5d(n;U@w*pnuAgAns#MfVtu@UlK#@sNmV+a%rq ztbef_@8Y?rN=s}82LCB|ewQ{h5}IrW@Jt2Q-qawY>H0H_M-1Znqoilr%p2mk?nE8a z6S~YZ<$&5R!GPKkr0*>Ahx)a{QfXPDC`=jtL9EITLYy4ORuR2`_SIeA{vgT#y3?MQ zgsF(i44;m_!*6C1+K}mS36fb;H;&_T=j^}JN%8O9PUuff_Ko}9ivW6Q+?iu{9S&A?X(VS+1fV5#W6;9v^NGea=x;&-v=n5d;)y8dkD!A z0#GiV8d{+9BEEewBtnIp;4Gjw4jsH?x_%T|M#L20R~7Vujus<^H)d%YGq|YSU&;Q+ zANY+6s?N}#WpaP?Q%*O@l8GPmf=p%WdV|MXi8m4ZpqlT?aRF?VM!O*1=w4#UJ;#kE#jZb%qGMOaMh(6f?i z57cnZj26;YtoMk@z@Q%I*}pm9BL3`MxMC%W;IjZc@n;U00#as|-*h)^FA{aFZg0Nc zAodi5|5MQYlhsj`+*A<5AWaa^hi>rIW&}+AjHg^v33p&Qx?Zjl31C29S=KW#s`8~9G+(n2QSgf*)dn? z<_z!qmU1ng0uHxlh-8LmyRVYgT4|O0zRyJ9GD+3VG;huKfMt@Rj7DJ2Z0j5jq?0h( zS*_rIPLrcw>G!U3)T-)$q$?5U)%5~ZXkRCdWnJ@`yp-9w3 z2j)qGk=NFrivA1c^Y8ZtYhY~~B?=qKzRYpcHhjK~!qL=^xoXJ7XGHhahHX5JxzGor z-*2xOwLkY+Z65oHtPQ878!+-HZ}XN zcV4nCD)Ye1wFeQYD~s87V5iY8MK#U`4>n&M1vhXh`p>AuJ`KN$lx}@<)1PlT-83B+ zrcQ@i_P0!^xs0}GdS(3=>_?ZipZzVd6nb3f9M5&_xs`oh)g1*Mq?u(^J_a!iV{dJB zC$OTI$K0#)-GRnjsNfS&j+s;!=1x)PedZvQ)!y-WTQp^O2gWk6n%Uidi*{dPVrZUL z{AIOVGUw;g+NVKR@qaL#{XNPlIs=f z#r#lC{f6bZd&>ZrH`PIJ_RED~DSEnKjzUnWVE`DWWn7KWDff{?p1BS`(=OL`nDSK2 z=WX{UavVQ4xxDc(=1Kz9IuZJw!=^W*T|`Wob1G>F74h^OLCU4KZFP_LI z*kQU9w29V9Q7i(pBHvQU#>3PH#|3+GB(E~4;-qeN4Bs2n?%ITwWC`=Md-qP=cu*tM zGXSuLqT_!N)HnCOMn<#=FfcQ~hIEq^X{Hh-YE2aIi+qcvK#MzU$IiLr4_;;OPU6x=;1@P4<4e5`+A#)SH+ZTiiC01)7m3 zV*_i3woYnVll-d&tX}T5nWBMAnO(0^6!lN@47*!cNe(&*H=a-}-iJ&&X*tcgH)Y9X zP1roaICc_kky0(Dy0MCarYujxgW%cSWrE1leDIUySuIZp_J%QcfIVGh(_T7r+0;KM zd4($cVTjigPto3dZAjFH>WnbJ876Li^^{&^EmIrA+H7>5&z{_76?C<#*oR*`o*c&dXNh1{qWgF)}N+S z+1O=8#yzq!t8hhL?)>k0)r=$jd9G%vS3V!#OUXN8)=Jds0Xf;@=~E|wOx1vhIPb2D zUgEUk(FT=-*=t%zwf||d;wr*FW{uo{^!_;`?#TtNev;H5N43qAWw$Tyj$-Bbdso>+|0xx3h9Sv*mK zp37D}`Vw=!kCbM}ng_ZoNWrJ13VEF+p*gi#HF@(@0(LRJAO%o}zHAu;LG;!ox6UZ4 zll{x`xWPH-RizuE(b4nxfn81K;N(^=MIIEomE5N-Pab%4JzX*jHgO9Y1)A>tk%Ii- zKF%e68|Sqx@gr5663Mt(mkGVSDmFfOBDT7@eb({)bZH4NgS^gq55FCzcv+a=VYU!2 zXKn25u*vPf4&*6*g~~&u2O@j5godYU$qrrki*;={H~zVeKBVnEm#EK;dD&B_dTA zoI-!q@DfPwGdNx5EDzKd?k_UW@NGkd; z%_pdryHA%X-@>m!7_@lnuf5)288l>~FLe$(=WD!{9c<$EJgYawZz)CJ_6QbtJyiMu zh_TvstS%q%`d<5c>%%bNkvT^lwu~y4h6Xh&^Zw<^$6nr`aPuh_;{1y3q1Sg7-o`i7 z@l)3(o5DPQT)B^Df42XK*O*?`cT`a-9e(nzCylQX9ggJ+hM}Ez60ht>V&mhc`71j^ z4z0(#sguf4hby>TmAWOylbBR-+i(~V*|r9CUZ;XpddZC%) zEwUa9k3yQHIg{$I{*`zS_85>oS=A-=>#^1>ggnXpj**Vw8yeMYP2&d#U(HTBLQ~Sd z3-i64xKMUDmAPa)&@qDVt|y@2FjsBe4VfQkqVasO|wS) z@Yp^pEN{8=Jl;iDPL;eO&7_xLvRynQuDl4{*D#_LV6t7yON!3T@H+_+jNV35Qqcu0 zSxv)kPdmJg1FyEL@pl7{q+{k7<1RYNZ(!5?;^uLG!nq7+$KHw}bjiD89+EJ{W^$=~cv)E0+!Z}yidy~+ljvr ziUg{foi4{$vDQos$VlanIy{%e-7t)4Ev>b-qTuxNuYLC?E*$$ViP^xK@v)mXH84^x zOR*)N_1;}bk-FyE^uCus_7_GHte=ZohDftR-?Ro^nR}PMlwUjRf5e)zaQ)U*+!B4o z3;P{M6E(QhENuO$DmcB><|_#68flUJx8;(O4eNbc-OZjE+p*ET;&y5qFu(Qrno}sv zVXxksaxAlSjS!a4AFXH4ga6+kN*;5S#F>-bAIOl*N0Rgn{BQ>~Zvp=HH|HA?3CC=LLPFQ4-<&FgIT zz;UBxLUHf@X?JbQ7w091C|jl>n;g*x^b+P(x{?wt=-8e~=Xh74?P^kMw?R5LFSl)S zD!*M&>agRB0ma@NukOqGr(R`mK~!})XvEh~-jP$t!irM-vPWy^XVWk}6p|82 z2r~h`n)l;laaF9}kx?>nV4##}Uno~}BxB`I?%p^|!a4aOk!mQ_sU^ZvLl#9fa@mz2 z3Ib-rK3PS1H=D;1=aETmm}y5urHrqp68tiK5$l6Jg?cTp>aiB)ja&GcJ-_3}Gq|?1 z_|-)A%A4k$IN9elDM!O|$^mO3?Q>dYzJ@->%)%p!H4>4H}ZEz4I=;e^% zpUK2+EUo}FP6H?B(vv;IFTeu?d`MzZKt4dMWknT~^fb$Ji#p^J@=#VLj3iUxA%r4N zAU_BjqojVS7Wx{Th^tgJNXubGy!%r%`!G>enPNITLzPT9(2P7{7W->ZTJa#ag)ryg5)n#;_UssP4nz;U zef77eUV5v~Wfr)({p(?|<#+D}Y*{>jyv`ZTgP!_nYVxPHX}yTY->-lSiHj^E>2Ie1 z_$hZJLJ^wWaCAt7_4DVRowTLr>oen+9V5EBOOuOpKYgS629c_1c5t(w;(QR%4VKKp z{?HuEto!gW-dUm!;rU+_BDrs++v0)BE*bujr*Y-Hu3sFT-q*FvQQivWgsu z$LULlLL%^15`G&ewHYA%-f6;}kUN~wBgKl@y`?^#faIx8F&a@+2eSw09)5^93ot%J4v#oYfYL zUwytQbs;eLw{YID`?&9{I{FJcobZy$>N(%~^ax_ViGQ5I3A_~Izdfcv22wL+=Hh?) zad-f03uD%dw@7%Lwu#z05%d9|&ZSzXou5J?B`z1nldO~|MQOnhV-S4zx;J7_@22$Z zcnkRw?Ry3e5ptyP+dFc(`(d^!j02b4B7asm)(Rew<~g0gDW9+!r4po8#HX(B`a3gB zJ-1=)8J2_-0HPQc`BBwhXF(1T@@P-!0fGZ_viwdsUCBuW(e3J8W6iUEGgr3e#fJ!pfEC5dacW4tn%9<$E`PF> zu4d`;<`Wa}kgfe)A3wO#{`t~7S8JiXl^-X#)q;%}>(3X_7Wm!QQojcg5u0fW9TjS= zDnYR9QJc2!X1Giqj5*5bnR+nN_IH@}W!?Z?%LkxKlwpIK*7aPm1~eJ!{x>~H21{ax z1pxDNV`o%SVzQyn;HMfSp~#HxA5dOU<58Keoa5^+lrG}^jZhKHXxk2?=)#*DlNIsu;6?Pzh^N3||^;WZ1)Z1)L zFvTFNvWi&k#p4T$ECHJa8n*t9uy_m*Li&ZG;HIb_QJ=26C7dJg=Vb#)Z1mQjm5ya$rK?7mk zqiqQEVB~Crb7p-EIZ)-b6m1*VWntJ2SamjevH|NzmYs~1qtnBK0}tafVA|W5-M74< z!SX7eLiQoe*#hi#%LbsZmW2qpys+%=ZdHyxQR%3eKNMobY3DdMg_lYds1_Orc^!!p zQO!Y}5VddVxeTRq)EuAxZ5Wlk^PxCyOp86hfB&E-C(cg_M{jp`YvHOj3E-jfzzM$T zEqMibv<_O}iJXnnPgLmugjLB;HP%0;M|DpRJB{uvfi3->#|TGle<~>7!k|)*>_`<8 z!yBL9M3B$-eAmE1s9@nV?ZBMcL3na#Q9;S2NYxyGG2#s4a8^@(GMXuqd*Kf|R#~rI zzVsC143o({32!t!Ku_+bz6yFIth5@O3>I97+BOp6mI~chSqR`yrn1XaNzlF;NS(7S zyQkASI6jx`bGHJstq^&H*{h6*Jn55`_1?l7e)ht(6vwch;pfDy&5%dSTTXn*wL1!o z{h!rK!6p@Bi}2k&EOBi|iF%Msmx=4?ne$SlU=9c6E{>^hWJOupL!GBQx7T~_(>Dvi zb1?3CQD>eQVD9T7C`^(N0cB-%Cc42_FlZfcxi6;W-zQD~t|vYmd*Xr6pDsrb(CeGr z;ZIh?$rpv z-s-mQdC@wxUMijEci^qDQ@o2a2>C0v(4iKR+(UpkAMe@vU#6V@o0i6cab1eY=5_Ug~;y_d`f#P@Nx2fILzY z2-s-X@UZQ-k}MpV&FK4S4^myziq)5RlRE=`@QU$YI99wM*rl(eJX}`UJ98`=eS@aq z1yA&GuCt@ba%fuLO0}|5&Uj6)q%${lRHv4I?Thg{bd!yB58gZ?NRYAN55ao#DCQSb zIZ_g_=2|dzsVrYExc;D1E8%b>X3H8-qF&r&3M_)+&WP7|AuS@+pOftMY`K7fO5aGk z#qMT^OYX0Lt>$W#xfENuA;m|a8SD+GQmWM+_Zan)$d2Fb@*=iSY^*1iMHA~&>{e@~ zxsDYHb`OGOcA2)pQk2}bOD`P zv+`-)JgO_Q$2d6Z82T8zq9m;GJRVSfn8=0oO&o{IXY0A!+z@?I>4o`9=ijuY#Op1K z<5~fdnLti9JO~2e2AcbSkBw>+mE<8BYVUvI6!^Zk+hhUrf1&4IbYiA##8Gs#x9BE8 zPzv`px55P{*Y&NFS2LeZJGgVx0HfK zf+LC+^r{K|=WXWqcYIRNh^@gEo?FsnH<|I4=#nk6{75iNNZYqDk!hS>J50tb(?LG}+DAzd{HQ0RLA=)nH52;If;c+FryFHs|L$ z5>~DRSWf)#M8;I3x@6dO_<#wJ!C-hB0HV-vo0}3&8NrNLndnD;X*TyMINSAJuba+( z?|I@70?KMWJ?*!04>kZEKnB!_jqZJ>%MX@Sw?_DGEj>q&0}`PYX4@2(}*1#cp5V5{$Or!n@&N2Fbh)Px0a{6F2|+o z%0Qc~u3Z%8(Bu;ch#-Ue3zddZvT{dm&NM>}ow*%m0t1jYe7bMlePRK@5U>m5=X=}c z8&8GuAK-8zf`8lvMl^+(Y;&@9pB9>~p{BXE0eYNh@*jh|K)V!n>`P~;%i`uS!4})) z@d1LQVh_AKBHF%qegWLe+i?MqB$@seknLRl4h+oWiEnAV^9?v(y1Um>5cn+HCTdUI z)CK_q9g8MF%rX#P#U}84jV$3awvXFX2}tB{8a96eaS^w})~mir$9BoWQlHxj-j^&@ z&hOt_r*Z8ayREoRZ+X!g!jJb7zVm3a`1d`*h2R7aqdGo{-Fui?v(~+lC08*fsyQt0 z)XEP+L$FA3NHv@ROf*C&sH0}o7-jLUQADy36Sl<>z=lsAw~qIJGfKJNT<23I!p?{^ ziG|gbuf5+(jGJ#gu2)fgw>n|`heRO03g#A3cqivasI@?G!^CoM{1#Z9uW7)l!3TaH)c63ib&`+tQ%Lg{$=g2<%S|w4=++c=^ z&Vj?iICb~Z;({^dTPG=sR&hP=T~@3Hau;>uLc^u6K!%|k46*@^7t6zPsVBc?*~@W0 z=;>;7o_{(uN>6!=#>70p9T{AP^X?{p49vcr_4)Ahj|I;PdHgb2d=tRy+avccp900$$=}u9+YUNJ52dH%np4fGD=M}ey^^l3y$~>kuMy9 zyoQaBGif_OVuI&Cap)C+WGq42N0;YsTPUr@sQY!7`8AH0`kVRjyeWuYW&(*4y{F|kxp}Q@_D~+r>Gu= z)mXH;gDC2C!~TboHyKmBJUnA{)^+o~RWhP83T|A6Kpa0Ga58r|ynqEG%Bk(6CzIy5S`cVwj_|pe3Yc5_&rI-_) zxE=?d6gfs zv(`#rKb1Zx2E)txq7uDz2pyhHR!{-ujOPQ{u};^Qgp{|K7~qGZcc7VZi`sH+UTt@*hLE!83o)gl|o9&^<87G_6k75u?JrB=PSV+*qKP+v{YU#|_@dVrH4 zqmVP47e(`kp42W~ySQ#9vEe`1JTgj0$Vn%2JF){~^(I%H_7@3(Ds8R+$v5EV_y!o# zj=~8@@O_s;nJEeLA~r=JLmNkfDpYjayRAP*!Rboip|8V0a^~AW_%2*H6G#wq(NQmv zVp>PTQjMG`N6N#ZbbdUdc>@_9V#0+44-2`EJn|Q<04Y8YXr@}buSa%+Z>tOz(O@M{ zkV_3YASm;U!E>nlSW^U$!dt=U`#E6lQ&OgD{EQCEl$xh!4B>&7x0`!nCm3ueQQ6+7 zs+GPr)s1Y=S5S<1MeW2e5nu2?CTinpLiG&D!=}}RRgGzhT_$INV9+CM$OjM%UksOW zCR*EU#3@yV`niaKKqD#5&eMd)=mKmAYY2~*jq{gxLv`8!m`95T>CjiiqFcP{Dtq;K zbSuK4K|0y*y0_@4C`pN9HB{LjyZ9Q^e&_;kk9*w%-dZre5hbG`8M8;VgzGuR?|GV~ z5lmuEcb4d!ps@BY{SoT1k*z#XC`+15!RLK6zil$gI}+1o^>^uqgD!}RHP*W;FDQNc zKtsGf4D?78d*`Xp&cxlW-!!j2o?~y)dJ{eHB!%+%dw~If?o`B$(EzF~ zknTVyZaVF|Yhi`1Ei<0z7n9cklvL-YGgi zoCcxtIqFY-eFtG|W0j;@f4vMQP%zMKJXUPC37*?MQS8jYX*e~NdIEk!7&$5fT1=7M zCjKXz)4f-3{mSS3&Pt{Gf&)-2G4hoe!Buf}-2p1rhVp~`jJNiDDcw(%k?bO-FNGoX z4O3wE$)%5wLi?SA`$q1O-|sx`dvO;4S&~XYEXWj64)Q@cfBGHvNv#>=r|N4vHmxE) z2lBWsO9iQ`mha-RHx>dctO+Dki{ASOQBI~of)1?^5hiv%{E)E)K54P&y=~BM=&l*JJIMRnu2HOfw zTD84`wfd@Zw&P*Or5>KuH2gwyBZMU&zx$Y=9^5VTXNkM=oOod2Hv87j>Z7tVrD#2F zY7cjEzb=J>IxlcP^mOZlGNRcPy&)WT39aDQNB^qV(i8WzaHft*0UFrZT7CiLL%k`X z{b|KHxE>Vv^?t#wfSo|PawNe?zz_5L5o|h&7xCZrAufATJ2fLIubtOItyZR+?9Fk# z*4%U|I}@v`LgGSA(PCgppu@o-A0-0{%e|_DryXuK0Hm~0#!euqpA)L$R&t=jG&pX; zVd|t+^mZ$0Dst9zW_$9zU5!DRPypZcSu2NyOFM`S6m6cU)aylgfj|_9n>Sxxn3o)u z#fD>NVHuUTaL@Uf+e#~0c`anuS-Vb^C}=zFNO(ldR_SKBc~vvg-)Pz?<@X$bf|v=F zA^~9W1i*Dd78)@u>a&yyQYM29mP|HI4e9>wk?IU2vB7ajIwwZ*flN`k!UuEcsUy1YGX09 zG0`KD+$f9vE3G$g)Rwqa;xR!k3P(!=n6wFO2H_b6axs?w(vqo)I0_lU@GVJCPa(ea zH~C#s*cK~B5=rjo=Y?%ff+&Hgu%4fBIVS(W_4>7y#JYm+N1;6yTE(7{5|e&wwGZaT zd&&@&xz(u-NF4XcL!2l9_r>`_^UF1|_^U>*U7|?i=ZwrI<2@^qH{;&MK=J{1ofxFL z_a2mn_zrFMozsS!QA9*zYaqikSWOJsjAeYgQEN4liKBu%W>s?Y8|ZZ`?6DOlNWg*U z#iy84QE(Y@7+0|c9)A2vJ&pNTPB#8PG$u{IhLPjiAZuC?@>=F(oQBL3cf@UEfc(zu zni608gJd$KdQ3*IU`oFpkZwBKJPNL;(VNlbhmMB~aVXE_*lpq-MUMu zwYIl*7Kp;+dx^JBqCaf;lFJgtmkl|UMD^?4^fxoi*J?!G%090%d9@+unzbBYC156@ zTU0Dq1Pi;2z&3!G@T>>=V;eUcP1h2hdX~h!rzQ1*(S%3EmaBdTM9~p=NAqqv*l*rB zex^jd#>R*m3gZ zrhfokU3JNUdMg_w6-Exo))fw}|>k<~ErF@gyckAyffZ4Hzj1hZNTt;j*f+rHB zpw#)oZrUntnq3o zf6;6b5Yw)RBmD^LdipD4;5qIBooKQWou%O!OIS;tzGcm}fwCGH?4qfE9N+vuw88On z|M|^Ll=!xbA9-ZQQ&GQaq|g5}-|?m>LR>i44#Yq7pDR7RjL-L5WtRPqaCx1Mdw^5jwGGkoTXBJ^@c`hX1 z@t6SUaA1Czw-$P@{xs%38+)P9j|@>?AFjCRfU3&q4huzUYHb~L-=m`r>#mb;Y-6_8 z_i;}iuDMTJyOm}1G|Y%Hs}@dJSr~sIIC1l==1={yT)iD6{?_n`Be>d)>OI5-{(7rQ zwx7IBZX?NA_t1m+*1X`CRarURAYNWHi34(h?Zt$H47DIy0p2lm`kUSD%j{MgJ2ktK zycu;8>~)XO`$=V8vbbJEr^22$ZZZSoH?CQj#Muj)@AJy#!$mVP{`$`#e7$7Pg31yD z+a)s$vIJ7`H&M^7E=4Bh?6&2=@x_V-g2Ef|@BU1?o|TkTbj)e-aZ4CxAgEx#-nduf^Bm#~x2aDfR*#JWV@7poC8zHXwLlEUg1J^wT3wQO!pWk_{RN9Y1 zP(d~=jvqWgy!qG+8RDwYR{e=~cV7dCVRejm;BQ@J2supL*9he@h9&ix_UXrKbRFfZ z75+aUbY=}$GU@}McIndis?}r&m5vcNe4_t+Ws|9f>^|D4Dd1rJ7u~mya{DNWYuCF; zZ9J)nawv2mC?nP|ZV?u^e<%a?mgK5~ZD6lgo2`&pF-c|F!v(b@3$q)Hq9OqY1;6-_ z55dE`)2aizc>f`$dAz7!JSP}>Z7Lqw!JYa=x$>v#Q=rhhE(BfnC5ph$%45VZO0563 z&oWg8Rrn6ML2OUh*#dfI$AL$w1W3Wa1K3MiAd!OuYI%r^WETV2leYda+R4hw7M{ z(@LYH0OW4!P@SZ7%YmD-9p2DOLx#svve;vSy$eQ%`9Wvn1UTuPCPT)_{CSAL_W$jF zqZLpn9ag3hRkdSdwjRM4`1~FO70(`i!RomiNH*3f^j%1{)vIm>z<^nByLFE^y zPa`*E8?`&e7yo-U+tM7bHCv<)yAB85bzknBIxZ*5Fme>y{l~j?a)GquJh5e|kExBk%mZxCDJ2*!QYNYf|mo&el|Ff+x*sI!`M8r>C{d znbW`5EG(6RTW$I|>nlumUjlco9S0~9ZI3&7X+#5a(-oVM5J| zc&?_af#0tNzq5&VwG(BY|4k*xm1nkJ7xfv*9&BO3Tdb**$PhEn=m9KJgfO{hLFQ!g zWD~xVJ!Gs0yFWuDb0_SMOT9)n9rwdAG`vc&`=b8ZolnWotmIo69ujtT@ml<7yJQq`hU#h7{O6BMIX9AZ6y%pW~nA;`NmbaA-~6gS+-us z3df9Refc*rDD4+WMGlzEI2k=a5ELSeuis&qh(vuWb-H1^n=$$0n^-?l-$!@pTFYXNsi_|&+LCC?M`#^x|iy<#b4>yts&UEE2pgtu1Mk!zY zWhpa#AmmgrYs($pX1L@+b(@DXQ8Xjkzwv{8Q%s}_`#HOhL2Tz;zv*76qupFf!hr7 z%ZA6-KMbGe(cC>RqGY1*PbJ(~GYvlWJ1}z^G%70#vDOez2)^t#k*$)1Z*>d1;~vU3 z2u(dkH%Utb8MBp2eAC4K|N1)Xu&UPXYj47!F$h6WQ949A1O*ikkrL^al9ZNQNC+sQ z(&7dY0qF*55D*aQ?(URszPa_BH_rRJJ}>`3V#{9ftY^+K#y!(#2D@#0Wf;6c#DJ9Z0xhx%bi|-Aj(TDFH-K7ku`n%Xv7@-T+8cVJj@0`$*1IN62GoC zlJ+j$V>oevlo_IBAss8Flel7U9{ePnB{S-yq@7ie*KA`_!S+zL5ge1J%248Cl8K7z3ng=9h~7ukJgzDGp>r3OQ7I*%!}gzKNA| z-Ig!aK7D1!k?kBc&A0_;B&?%)oU>Gc9QAcwBaL|AwA!oOS-rz(qbBoGI)0(!s$ajD z6*tAHXp~ii#VPI!c2r`dUgzjERz^)i9E^OG1zetWURq0 zXlm>eJ4-v8&AUq&4QwH1cWqfH#h-2^Xhw>}#Tv%6k=`nt%=^%^&kZmuJ3k6kmRi89 z{7RsU-2J<*Dw5RNbqJo&_1)UkDR^Z0;|?~R;;Lt#IJr$q@YT)bT0QVI?|T_stN@OUuSkh;L!1|x1H0g~7Kb7Cg%_e6 zB+nK_p4z|MXQwXKfv`aJfhMhOqET+2F6a4(9-Q0YH3qrr_ixb}vic17ukfaH!nckt zuWHW$vGeh)pkhL@8-2^yaf-RjLi@b*Lg3QY6BFv|A03^93SGi4F7sB0t5(|D=ODY$ zMl;`F^7-#K1sSd@EVDOO?ZWiwe`D=I#S>qZd&q^EZHxK%-xzjh-OWIoe2IOjcc$-H z&r9>7pq(QF+4I}>K%2WskuSk$_U1S@>~>1J71w*(XZB7xTSpHqe%fe3COAypENVM_ zJUrk-1Jb<5>q$HvoN5(%+!S&D^=1GmHYRumR;amr$Ypu5@?W~I=-ZLgJf(fo184*p zN~Q)xO7SF&*+L&)ZWWMp!KxpK^69fC9GiaJ1;_p_>)TNI&ou_6IKeo>EA)vqv5aP6Km?SRvR`-EfjMON% zNG#(d$~gISCbsx&1@pdsHsl~&c%H1sbiOZs>8GoM@6$f`>A>Q!{9(x>4y~fGnW^s+ zIW03<%q$$B0%tid#3A3t+gC4JF@#`Y;z!D$V6Klg>`4fcR?b+LihKx;5s0Ovz(YY$ zt(}ptH2z5kmklzKg@DcAu&!CNzJiKuy3XhZ`|BpF;gDkI#yF@+_0Np74NE|DCx`#> z@TUX&A&hYayqkRbSSYYdK`_i@A|sTQ-jGlKMH&)UBx!J2m0i8UvaYR5g9Pe6xGE{| zp4Z9EC@FP8Vh$U!PKO`@-Z+ERNAY^s)pG4uZuHj03T=nRfg%4!JsgkHd-2l{h*?B_UtHVPpHd~`zhSq4~qHvv4i@cYzXC% zCi39%&4m6k4!ATS%f*npJ1|n%)y1zE<5mPKW`A;rVGz3!tmT?=H;QL5!HF<`EBDJ3 zv>)=tff!q?uBf1@={zltF{sz%%Lyb^lRuuF}Y|a7LKJ6VX9k{XZGqY z!Mr79q$Z)wB-DZ8#tDq60@jz#7|@-n_qSaghq)oD2n~HyWxs`_=EVdZcTRq~8pp11 zFVx5GS>n$Id(Qqht*_;~T>Sj5)~aQBNW{FS>QTBZ`*u4o*k_GbL@v?LX6>&sqf8W1z+}Cf zQKg$!!EIa@Q=Q~;_aw*rTLTSM4!iv#kO4JkfGo^FZQF8(V@xnHiE0626fBX71A1Wx zT;kk}#O^Cy$wYzd16xV9eTx)HfuGyHtQ!T=3UU&oVA(tA1;aAYEhYLqQ54Ow%=u)P zDmZ<3wc#L2cB=rickIfhwRtzmmIDYmt&|B({q*_vX*>s!d_6x~Tu;W5AU(0D%kLm% z1vYY!;CykPBkI}%1O6CS$d8h>?*!+xKk#u)xMB%vep2qvySiJmie;@QHcYeh4Ak7? z7;1jE!AiJR;EMl;mV2D(86^YJ38xeED?g*xAkqLg%Nw_3O4R$wSI`6ncfu(~2P+dy zT)!M-P>M2<=mvwdLBzG>aOIXW10Tz5bx)#753l=L)BG3t3KE@YZH|WLqIbi(o%0(K@yv0OI{~t>gP*EbKGe73 z#llK^B z%6~hkg{OpXh%B}apMCq$DzlzE!TBIdRR2l^vSMiG^QNU zu&1mqd^2bTb%rK^FG!J^*4M(R>0<{R^cc>YZOsysWAmJsuL$jrFELeuzcIf0z{k~6 zQkYOWAUo`IwU^t?p^HCK=X==_?_SfraRKuJ5f%u#q{`%j;8VXcbZ_I(({aBVcvwts zMf!P^TfZe%yzkz&Sx;I4q3bKL!uICJpa2?>Rt;1OGSF2v4D&Gz>Rg+IP@s_&V^API zO9?kNJ$#|voABhLd-iB_pdTnY(%!_1{`MEZ%T?bR&}LHX5YKh9z9c?eSMXP}RUlHp zd-*SU?+WWy3_rG)SVaG;KDOy8GsB&?eyzwwnp6~K=OcHW(M4m;$E!2(KpC;hEc%KxN(hEZ9Hr27MXSDQIP}&wUkoApGOgQnsaRJGz0<3>bwHfDKE3 z9gp5Tg7_Qw9;n|>5+Xun_u>@I@}PMy!FDa_DfFuO&b|;&$Vf?cw11~gch$1F{aY%_ zf}MWJiLg**x1BC&70D6>uL*iOcS(A?T%j}k6#F2Z389U&SSTc)!UadyTjy+iCAQJ% z2K)!&siMc-*YtrZii2_y#*1wnvr(NiOOPf)VT&4X$AutpnE+H$J$`}g+}etX!geVK zO#>?%{5^yJ6@|hT7)eHqPYpB!rmKJOscu0ytTren9yIHex^GUW8`o_-RWNPVDbA2LO$?fMgHL_<7A>o2Ex!G+ z;^|Cz_Lbgxc+SLCkOVr<+z&-;_6aIe*iVf_@z-|UhpoHz;i_a~we~`i2M5O8?{XexPO*l#d*BH;Ci~Tl6=Ju6KZEMi3m-8yKh;Dp|Ap; zXt0vU2o)gOVhzwYJj&X6%;06IrWt=f!=!L^jXXiM#<=xqlQMO*1`?Vf>kuAL-|PEZ z!|A@2H=t1N{@R++?bP>*yC*-&z)TpW|ok-dm934^TppI zS3P9aJ*R4fD-hmgH5>~oT(0GlC^#?I$+a$Vf96MVMiDZ)47{8shrKwiz}+c56Z@A8 zMbh1!pE{^7+0Gdfu}jL$6kgirJhxRKuHo--uun6(B;#%eGaPSQ8DpPDjb=s0aI{z0 z8)J$F5m_)$>T>o;-$gy6t5B^axk*M?d(8cd6@P^ z{{B)8N?u*zk+NEc0v$NM^K%jx5(-hb6S`xHo8{#yi4PIAmEEOJc`&@5WlY&L9+ z!6+M*b%AT9YlV*d#=iY~3^um|)5P2pKL70L@EH`GLhSg&P$<}bV>E~;!joX-SD3=@ za(kTrUoQOlibT92IQZ8p>keT97H$U7wdWPWsu+~vH2E4=)zG7Wq?qOtC{K?kjJX3G z4(EPLHu!zqbcLf-A!3DR9G}u|bU&xSYazh3Wa__V4%Rm*B<pB zYCnUB#>+Lg^|OHx42t*El@w2)=&)3-jlSdlD%9&gyD=c912h*SAN3^u12^F(1b3in zq-7+I?z%2&`fJkqJLbAvw?2?!VGGC7ya(4me z7Rt+$8yO(@NK*CKMNW~H;i`s z%b&<`j+iXHWf2i#=qi=vLQb`E7b-0+soV_fFf4BQKq}B{O?J{M5_sq*}_$ z#z`nBJjMLHNbo;w$yPLILk&I{W zt|i3fdbZauc$*BMfcnOSEdGmv92W&NG3o0XFvrR zDR|6S>$tyBN2E#IXwFx0bl}YqV_(R5d_BTK|HcKXbj#+vfrm_2_*@}$Bq^u81Ig%T z+c)E-^S^gAz139svcMkqy6`0GuFu{fm~B1jE6VnNgck678uGvO;CE8007ND^!LD?^ z(R}X_wkSV$$tt9_R*;|3p0U2C4^Juh6;zGw=gsu)_DbD~ZwuA1vsF5#M9F{26DE#b zqNZNdW&KgCDjwfSwLxmEmE_t)$${dW}y1>?-_(>D7i( zy~AR`-d7H^f)o@}E9Td+JO)2Sn+A%C3h8zQ@gxUkS(!`S$sI@FJCm=v*sA^3zAa-sK>dNGWpX=#@xjp;Gff^%er$!?uh^W?gq5IRQl;ntM~4JB7vUx|H+W{r_u z`?=3cQFxz1d~8;V?ns)>Q(=m@4#(J@IU*pYBgOagEV@hsGrDjS&^u46kLpQBAoZKB z-Z;{Bc6p(D_CO*_NC$X1-GQ-}{puT{-fz5YA7PmNu`x5K6Q;O8gE?n`@KNf z7QGvAhMbD}U5ff~ZoAs)J~gC4X%@Ms8i!V-N0Oj$CaS|s*-@Hh?q)xb`sW|01`^3$HvUI8L-tmd$%9-pryZ5T~I4Hi5E95rWBAESC|uNN_&Sxb`~`Q6JBkv%7gY~_cY?pYBiKD_NL^Be=x>`+|8 zc=&KA+FV$&`+matsJLpVb6rK4`b;;cIObP)t@2~zbDjzMY~;VUlqd!-MASw% zGbwu#xD}O++o5L(b|FxBM8nKjE2+0hhrv++4>rExV9@*X6*oHH4S!cX#ba_GiG;Qy zfqu<0r$${)tlOZ5Rc%~EJ+sa$QqmNoea^9>zC0DJ#8TTPt7(^x4dtt?!u^EQcp{Y4 z-BRf2qabI{FvdX)11LS=7jOIcs)b4B4@p5;+b9ik*uPd&pl>6)+|Mk9s_(ieko`@2z@@oCK@ z|CJ?pV$CG;hlo%D+ZE2_68wL?9<(-p<7|JQdB{-w)ysovkwnOI*GE)m!n$&ThSRM= zQ+d_X5{?-b9$4|bx9sB6MZ@bu<^}U}vkjly=F7Fq6XG2mX>O`Ln_}p0N1FORd?G2= z{5A1IYsKxTt`?Kd9%0fcH)`o{*9Q2NHsm`0`gs@wh@CE5@pSvwwhnslDD{yJqId9q z36TWaRmDW7sCx0)%GrtUbb7@+uo=jSBDcS6}k zV$>RW7lg!N4}VjWh9PKnVgA|)R7gXq)5#ao=q3qmx13voNL>$<^>%AC$RJS#gr3RfLmtw(~AH_=Q3b38w z1BQw)wL*zu2ygv1P1CA_qfn?rP@`T8<*oXC8+-W09`DHiyp29bJS3)BT(N zRehF!S+u*t(av?d^_=ngBe@yKQUNAJ!OPh`p${o@UH5xYRDEpgpx&@5 zL6_8NB`i6YfoP}zleTy-1GV(F1n$1;-tszhjUYe(Hl_zXm@a$?@eir_FN-pC+DHKh=xnB#|x) ztLRy0?-t773f)_w*>}!O%g|Ua8Fih~$&hNSr{|{%NNhmjL!fI0H$a$rs(cF3$%(-W z@t>*>FAzFw%G7V>XlOmX(p^J$w4>)wcO}!sKo`nb*{UU)mn5?nXr`}E+JZqH07=hm z!=){1;Wqy9lcUr)m(h{(#^vULYBg})AO39Rrod-9|H?~A9P3qlrvw-~*&imipWZD! zasAc=!jzxQ@z^7HV6oxO3D=B>l8`d==kf4GWs5T9)JuX{6n&b$B(uqFrdXBD5&^2q{ zhLv4s@>P@DK`4WMC7VmJfHZ5WA=I=856eTg$q;JxJA%+W`r}^q5>7RO^~%B4&LL}Q z^36Z3&g1JaU3=QxN^r2LwmhXcMm8y*J=zOhBf$n%QxsT>Ev{kvNG~zvU*P_{9n9)z zBbWxvH6ZP({L7>bM)C$Wv(P#R0)&M*eQz~2EF;Jv{$$;QyRPQcBv)H|L|S`*QM0*? zSdwhmCZTGT=?u7LA* zQ(O!xcgFm?t*iyoM)()4Ox|(NZjk#(r?>Gnka5T&ygjp=#|2a712I=U-TJ}RS6=4g zojzb~2PB(-vRZd+Cx?GXR%bSt_U>4Gey=v(GuVS_EJR zU7mN=xQ)fg*|TqTq4#-bZ*x{Ws8g0W`wZON=+8=K#0f_5@&-W01MP$5W$8U;^0fH|4yjF#!pCk1bsW$4JB+o33lilo03Db?ua9>Ijh(*Ia)EgXr@*va{*Ja{0TT0eKC zbPx^pFxHg$L9L6+#R$)Nd{pS;Zb*v&cZb}!sn~968ZZ{c?cyK33?J6Nv}QcCO8E$;LM5s^WKCQ&IiVx?JW( z3bx?ian_CNqtlD>8Y8eDz(GMW57K8kauh;=(@SHa&O#KZ)7bS2hbVYnJO3W003z97 zBei3~AormIiQ2(o|F>~PD9g_+TkQ%Sn#-Qq-IH*#e{5ftghW3nF*M_kfGrE?j54I& z!M?e#6z^DEubtfmVHKy_eh$sl+OG+VGdAg4dJLk!;!+ zV#L=H0l2H-=EVX;913g24g8W!U?}v*NG~x-0LPBn^NZ9-`3RH#| zfxUS)Y)fg8-!s$qdM2`>){TO+vju@`n9SS%^vNk$&`_Ml^L~bA+Xi4hq$UI`_)sEts=v!0{MI5Kq}p%jKlh4&(u74nN7&|AwaB`7IDPIop>{W8u_NUqls zJRae^(UGr_N!yE?e=T|KRuaJgiwEeAugf(EP-9}lL=V|9tN1rBH;5R=bx?=0JRH$h zm}Ft;1`{Zvk-O9iM9wx7B@O>9)~0upQ`0+RDy)=tR9<2b@C8b*{N?}hX#%$HfxD^| z>lqfM`G{B=3%A9r&zPMtgJk(#+*wOv^f zEzOU%p~!tQjHfXe_8|Jy%>`e%0Lz=79j@yOtGsD+@*r<-du*nX%6ZYw-kHjjv5hE4 zmj-<`OgdZUw2jU^3ztO9$}<9#Fv2B@0VJ%W4&y-Kto*G2Z$$1o7xnk~Wzmx6X``fM zl8)KWRlQ^F5w$1#1TfLXYhv!Sy?o$H2_{i!Gksw})=q!=OY#k2K@p|k^9k=-7plHb zUpm4PPr~temz7&PBKG%#79j>HOAPWKk-M4+E=Mq!;^-3I$GQcaG}#1*yMaXoZ| zoh(Q7V+WSlATjcxk!x~_dZu|db-VvVgu1&1gSq3CT!OxrYxo_x9m0#9g_d3n{4Mok z@-hD;aTJf-KLe!hgGHsTYk}D3FuAM>>6X#BQ=-p98>hJ<+8|I_yd8o!J#fDP4-t%j_ zY)t%e-qx?F8;a?kJr-3sIPfAJAo^F?e*7NgEB$bC`a*>U%jJC?PD)No!qlDj_cKrB zUMN4*-W=O6Jv?Ps*RgRP-ynv!bVuB`%{NpD5ka4HI~N5*d<}y)vA-z8+5_)t%iJ z>h2bW^Um_Rh5h*Fqvt8wnT+G(k@1o__0>IAos&}+L~cGkSC>1anH-TBX=6hKUqQ;% zQ`${N<9(!cF7^MsaIxq^Z`S=su1%9;V$nP=mgdDzcw~mBd=GwNHTd~LYiwAE8Kt1- z)SMU&3Qb&oD7Lv3eUssw2F>3`VZ%?P^G)QMP3~*%F0SGl6WkCy*V3niCnKBWwVq&m z)QJB4BIVqo`knQ57?dVp`x>~v|R+rmR_vA7#kUuofU0IJ;0r9X(Y4A64PLqP`fY+#@fN5tCr zMUKFenWZ%}yq*?()h&&k860^n$`<_u2B)W=E-BBSjcW{UXZmb9C#w+Esh`jU~G*k zD5!9ojg>#?Vh>_}gCILn$o*op_>1Km0pt3QWHYSmKbCmnN(Rrh7+%N-iyRzEwkrRQ zTXcDrF^*Q|1haKnedQ1q_=nU@0Ly+BS+=fqKwFUeL5Xmfz>7z zY}AfPT+VuYaUG}nL$3aY<_r#{MwVqu%RDps@5;h8-?^OajMKD|=4h))PcuDiy8GJm z`HUNKVo>`jwz)+ziib8>T!O#eF2%tF>toK3n?{{WM~ocJc_}PlY-^zncz1T<)Foz3 zEt7c3>}%s&sb6w_OpYI@98*vjo8C+CCwwL#I3)XsF7CN=D~C3hkf37V$!`O%UlI}j zF6Js^hChAkczTm#A1iSy^DVDH-@uWu?95x_Vi2rmfHnUr&@n&%(`HwPpsBk%DmAr< zJJ z$>y7cO^JCo>wCrxBcqtE*ydJ7hVj|+m_;k@xEOs(4svVD5z+*d3IT?ZX#d%9uju_BOebbnsI7Us>HQcO5$8|Oov7RkhY{VqCx7TYyQx7>SVzP z9-V++v(cj*TS7abuf?s+Mi)?(Cf*4nDW;}BQMXB--FzrlE)f2SfbcWUZC#Ye;pdnS zxYyVp%2^KPJS;H_4yy97R3Ky_%Txch=lV2n;0A>wzq$o_*9b|*Lm6&Z0|#)-kp7Y$vF~ zoSE1gogdiD3sME{=_WnVI`YjV@+S4HaEa=L1zm`p?MS9UU+e)vTM0$3vH1c?ljYlu z*l;9y#9igrFt)qooVRbA96GUly#6wI4K-x^=bIxJ9%2IM=Z zPs0LBMPzRAWwMyv>r_toapKWpjzT>BS;U!p_n=~&_dNc_O5L78c8)R0ckYnBb?xyC z)r2t{CKlcsZY*`$(iV7>fjJr(vh8Xi$V;$b zgDdfW$>Pwop(pV&aQp`r-4r zc`Ub2;JI?&-!A|M(Xb_+A<>$fBsaiki4)KhHoe^6N!EVZS=wv!+6VUSs?-rJ*dEv+ zzG#N$ntZ-ZrLO60^({CkmQ=&QhwK1joh(V0t~Y3H=t|J)3IE*Po(Y_1A$v)zhjn}8uF=R{lt(zZXG@a&04`|^`lv^fw#?-QYztZy-#&iuG;8c$+}&w17Bp8*PkSo4=0Aor4h629!89))D>-{4+GVc40B7#Hh%gnZ z+fsOZoXO3)zy6UL1t4>FhLO}qT^QKMPsktzQj!)LTFnPdo`VMBTUI4Ip+NB$$0GdX zC?%>T5@Z=1Nsu4BmD#_!=v^h|zPwOy>7i`H#rNlh|APyznH%*b*=+HPH$w<>W|nug zp4-k|z@r%sD8mkF_iaZrm~Z;!4+P8542+m?*=r*>US~@#$%sgv6d+EFp$?_I6GZn^ z;~O-q>N~JJ00OfAVgv9Z!0SQGdl9}QCYH{Y;)89M=bCnY2~t2J_3g-=Zn{|gu>;=D ztcle*viS%VRT}|zv*DjN%*iK!O{Yn026WyTIQcMT#O|&9a}~RZs@3O9cW>0!BqQ5u zinN93wJgTsW>H)C!I=!iv%A$p~HrP zTs;gqb|)!xUjVOS_MNku=+DH84Fr#TZF|{J^*=c-3iDJosj=jf-QpHv2AXiZ9mp9$ zvCY{B9dm@e&1bL|tA1^aXEDEhd;Bx1yZgOlP-PqQpCjc9`FXHgO;!Ak(yQGCl~+J` zP`j$8sqg4pZ7TR0@6`eW;|kJus>*=x`kp0#X(2%<5r03EAKL?Zg|y=)R`K%58dLUj zYk|OYyKwF#7Sxu-+Uog63wkVJpi4oO<`&jkC98jxoNLw&6E*&A-zxCFH$NW@#G)M} zvt?GF{ta4S=cX(;g&J`$ZnMS3cYe3YfxfIp**>SQ3er^%z$yzGO1cHTjgLFRVY(`h zAIXv4Et$(>dJHa*toM882L#0_N1wm)uMPE|IF9N{I_u1x_4fA~EW!?kAKTaMYa`R- z38^7NXgmQcM-t*y>w!FBL-1TInb%yGrM@r9o!M`*igtPg2Uw_VtcwK6``Op0AOXe# zq&g!M+@Kv#c~DHLY5$~{4q4#|H!Rfjxq{afTm{%34KkF0-yKB{mllp)lH(6u?w){r zy|fjlda!MgG2T-p>7;XsqB~<}-&VF?@qu(&pG;C4fEjIH|LAKAO2hS+x-DDS#)pm> z@`Q!`djWV*{_562&24S#0O4qGR06I$l(!y;RDn-(f7Ss&ihe7AaD57myIR0pxnk!Fgtp1nia_uy zIIA~P1RWdjLMmz~0Mr{b8{5jxA%wAV|3^y&HTs`f*;Z7hth7|~t^PCQul3Yu!W;GA zjM{kDuPkggQQq?VAeR>gjX;ZdLW>8zf(vVsxch@EW8|RLAsIvN&taZqFWXCx7Bsg# zE{bsFQsF-mwb`IXGfk@Udbi?~$ScuK&tM0;1UdfOWpU7e4R6}HCKN`$^)!n=hdku3 zhU+@+t8|!j`_6PBJ0RZU#Sc-pe?tu&g6B;WG4R1c+^Yy}nzxoDY0Y8ACubdc*F0b9 z0EurhoKXSF)J;a7wKWQ3r$xkoS2em~S*Hu3FqW;qj_~ZIZiPh;@i;%+gS1jsu&KgR zJFp3#aep8rm@A5Kx?1GvdeH~p>v}yyR(2Ea4|YsQtb{`o;{$)^T>hM-I2Y#|Pnx~& zB+r1R7v{GE&OHFSRS5xMuM+iJegp3(1$DM=|5q$k5_tA~j?*WL5U9tZjo_@uVn9Hy z^}YPDI0I{8Z0zyx2n>eu_g5>!yLAGn4o6@P1eV{B<6~1W1r?9**gJbECmq+xrN@73 z)KEes9Y&6`wURsY_QNru6rSE*Qt>}iao|@xV%TyRkBun(uFuu)w*4nMvclg4gKmJt ziyR=GLM#UuRNnME=pe(^G$4@Z%Ep_2@a|T>mNcIIueb=jkuR{P*DkkQ>H9!O8!@qH zlGHU<0ot~l`SXE7aKM99;L5d#z3@nd1X`IumoE#vMBSTVUe1w3$Q<~Wt#V}X$O~C=tlB{!R2}kEW8F=3OsDg zEC9^Fp0cW}!%BakDMJ`T_Cu3S*;H%WISR0|cmz|UKD3m)gQw`?q>sID5YYWk>=hrE z>m4T!)me3QN_y`=u3%}u1NmRBmRrW_TM-*hg=+wc*bVN@Aq=les26Mg`pup>hhGe!r=73I@@-I zBVN2YiME0fPwn3Orr!BqUS9O%57;R6yI(F#NffPb0ief|JNIV&-Js8=aVA0{9x%U^ zw7>hm;-?RV@N-bDa$5c8F%S1>y{5#L=4N-#eNd?MR_<06GGeFv^C78iQjy ziZ=%Po2aXWv%MDN-qV8cH}?^+p#jxt&Umf^&;B%xo~QeEj@u zM3cL9zZ6xVkX85WTbv0P@d;T95O74@ww-|Z1LE+zshhEmwI*EGKiqm`%DOi`6R2J` z7P8BYUbNs}xxd6D{D2(x5!*B(>lHKK%eLo3LCt&psu4ynzeGsV9`c&IkPy4frL?-lwBw{zLs%cmg~v8;a#4{9*F zpi41xs5_n(oQ?BR!bS;3yo$XLQZr)>P)V6V-MCGKIz(cqn4-W}7G`~9mz+2m9T;o&1qQTT; z^NwX{ubT9w?_!gOj4|bpS@->~WGtf`FC7oY=8o?~e!+OPFJF>&D zbd#TNh5;trFqO5p`HJcdY5J)rl2&S$datPf<`yOa3-9XWMrGxm!SaAdxWtWr!}%Q~ zi`KuI`}@h2JJ@Dt3cZmncW}t^5hi#WKzklOXPuXtlFWD-8wJBJp1FJ{^)E}WSu0+h zZyHDz9MG^qtl@`JGGGi_sj&r2J@|`2^>wJO2E@$)Kisp~9AMeX8Nwg+ni=T`WgoNBOkwgDpKt{Qvg&{@?g?|(&0%(d=uM+sB1d6Ujdf%h9` zn87UIy6V1K1=G2At!*0Ev`KNvCs4CI?^8oIG?xug0A(0CD9D%S?p5Hxrj59X-!DTK z^GDqaLjNS*u(!&;^Jl<2#y4$O_eL8N3jV*Zs?t`^S`9%uQ9R|NQtXU_{(X?O@sp zSOp=_*;l(hPd>tdFETvQdfpgw9{<|ra>42VFXZ#ViSXAPZ5u&z zr`I;~kw;pKZ`v&#KK}!|9YX!DA=+}Z=+3KLS;ls&Nw?CBvne4@8#6Jfa35p(^4kI8 zE?)Jy>^M5_{(Dz^m%v%w>w|n+YKK38$%+9m2OaEfjD z;VY)_knp+Od#%VmYF+Ym^odGNNZ}W#V;J)d_|BOI7IclVBlx_rb=fhyWLGwDMK5A` zRFu$oRee-U{zCwU?jdqEL~MnrytP5&v#kClExVTbd#U*<#mg^drq8bx1@j3*zG*jG zi6voa3we(Zp4u)uL9l*-_uh(YuRVAyBL|b1ezF&FrtVbn=nMBiR$kUcrc$P1MlA%w!>3x+4!W+ n{aQ>cb(r~^n2q~k-QlfKB3xfOi<>7<@aO(L*}ECyx}N_J9F{I` diff --git a/sample-reports/multi-account-summary.png b/sample-reports/multi-account-summary.png index 639c175678a5e4399681bc988b77ccf50cccfaaf..78bbe13b107a9313035593b898c41a56847177dd 100644 GIT binary patch literal 152530 zcmeFZWl$Ym*9F)}fZz$11P=ra9$XUw1a}Bd(BN(t4ekU8?he7--QC^&;_fz`Jn!?? z_f^eI&HR~PQ`L2=@2zwDoZjc0wf9DU)TCy zt^TJe&ui9rX9i<_DP?9ES|drd<)%3@|98;vVLAxi!_5!84x=_&Zg+dlwWH~4Ww*Co zejD&V$(=4giOGr42+7V6y!h9ejwLXm!3FC0F^u5RT=Ih^D)0eYNcLRb{k~GxB2V5h z0?@wx`FNg^;(EctyB$fp%(&1|7;Jj0f|v6B@}Bq8t%E+s{G8r!!*QsxKuS-IY*QLs zTl%{4L+Rm<6b}t&4C(kL)BO#fZt3LiE&qQ<+UkX7X*%!Z;U=RzZFy_TY+L9qX08bX zpb~Ql9OV(#W8h%p?n&M^6F)+Sh(Z(U9LJ}4Bcheu`HAuI_sUNDs+XTmy`-C+ODJ1L zN0YnPpToN#I;%m%lrGI2mX{8j8nedOOjG|mGxsJi=z;0>hkQtYQZ#N0vc2v8#O!CF z1T$z&hpaVqz3Ynqp)=W23xo zvGOK`yTjFchokpS=n6R}2Rr6hrC3&>9Cek{f2Z|v5D@9hGI^JUqfUR-ex(WHAt)kc z_s-bzR^laq`ewv$cpIOu-e`WQ>{M)P_{dFlF^L98QgZMdE=>jr;32Y@3`@zPAmnn; zL5%6wH{f>Mn7|rtcrjvgyz*k4?|Nf?tPHvFf`H%Yac6rOJ@C~_0#4i3F+Aq-)7YFX zdIaL?dg8KIOI7Np3BML?`Wl+`6Kt&qs|+Zd)4Nd`a`jI z6BVVX@Z7c>DKu8vx0P2_`SdR)x z1VCBN;)A#<^oAj43GkrC!lDSpSJ9A9(2|je*tljoIWNx{rWo~GOJYxMw-5ezRWo{J zB>WQFJaiQSw8y+h--h4xta<_3^F>mSJoQGm{L;MFz?vW02barQ!)TzTE`*4EZ8l^-?T-2W1NKCmA4bfvn?Hwyppy&4ZbK(A4ooE#^}U+;9s2Ou3E zF+t74p8ty$AVdLEU#QT~B;h{>6XRn5kzHZ19+5d%+(dyj9s`q%p#&og*= z)%BTg7@7+Ui}Ey@jVJ-0r-8A<{p~)SprNFh(PHTjKt*Nmqh@vCmB)!+SWCPwiy!Va9-{gUrj{zZ-tBqyC}U+d0H3`B5M}}w3qg&x3&y` z5`zOJ;Acez5s%ADAeuhjC*;+?-l7f>2AxZVjG3onVWA;Qkt@~R0+7j5aK3aO z#3CS)uTW=mMGDlov9z}rSNmxlt@Na|&GE_LL(XKv|K*=4v+E*FZGfQ$rguJ_iMSvF24+u?D zY1Cof<^0!4U%hQ9HQR;(`~y+*Y3jP}`$f6M`Ri@2J~A%xZ^8l{!XnTR-Sq9e&9fcL zmNKF8L;AfROfEeDAVc*l#pNVJE)O2ydJYTRc3r@FEHQ-xmZUqUX&E_y07ay9%ALZO ziITXplx)L2tZ5Vg#Nej86X^)@gm-k(yjPbX?4Rr=r1*c{0x${oF@Rp`yz^Wtk+2kA zx6^x#ePa)IjN8^Oy88Y;TD2@WZJeXjD;VHyyP!^bd+9SW##bqSAfWDUdEz~%%ek$F z23)e3?R4fCo6n~J3z)zDs^yzbeNk1_Pb!g<0vsK3i?#P%!_kN)~I$^!pqcB z%pg_OtfTv*e22%YN%oZH{)T7}u$OLDXm5j#UcP4t{JOh`-~42Bae=>6Jyxz~?Ih!& z<>=Vcb~CPWUamI6S;z$xFd+;4J&u7i*MR zW_x)hDa=icjBKoEvx88#sHQxA!FS{GI5)XW7tg*p+nbhKQ&1?mb+ldXaHmDKj>yC- z;`X$2mXjQNw0cNmWCU(UsZjJ~_lIW6n86IgSSGuBwc^4|2Sth)hGhQrg!;OV%9CPC-FJ+Dk_yb>ST6JghID=X?ROHfcXug!44O@IG*Q1NcY_NO3+Jz- z;!1xNMcw7r{Im@?{G2V9CzT|rmt9@iJ7qT0WZr)HfEc#iTxc=h^dzi`@L;jNrBPXV zF;hY0-`1vcYpW&IxYQ{GIxB>**xQAmBl0ZuZwSY~e;4sW?gtt=X(=Vur`cwF|qThwwl+6o7tOhrzqK`l&V?i7xL@U95U0(RPz*^oa*B4AsPxgX8QUjCT7OI z>1)jBe(S4;pD^KH*<#itX>A;Ajv5uB)#NWBjy`mO0Q_Eyc{^cvxpV98=RXVv9ivEE z?6ZW6q!}S_d~?rd)rdqwpQ9PmyK#=nU474KDX>6hMgESi@Z>p5P@tH)Mk4yra!0WA zuOwIJV}EJ@lL*&kt*7d))TmOGaMD@NPV&y|n3A~R#GB0};8D`Oc=2?rJ_V*Fa1({^ zcG)Cp$er`zHkebos&s7*jA*QVJe^PgkD&7P)rW)y^(5laYTz%Hd)_SyZ61OF5j-G> zaN$ZaiUvT>X*0sA4ZB$!oogLr-u|Law;Cqog2dCelwyOBRfx|%z5_)7Oc#&wd8KUZ zFAoC7@z~keU|K-DA&LV0vV5-BZs44pp1Ha4?ejg0Qk=YU9yc6*SDt|nl(f#@^L^Mp&dxMIn{&|IRUcc1EiER!W?chh&ldly!;T$4mZxi^cqyj1FRA-JU6 zIiUvp^`EWnuUD?mri;G>zC6BhJU^QFy*v#okh0YHiTk~n=cD{kQZv$At1lEBB>b}* z-csAcQmkztwXUwqk~&Jvj*Kp&pki#claz}lae4Kwv@V;Cg{8VEt#xs*bGh2Dv9WLo zRpPO^F$pbf+D*~OD5|PT3`T%zWq#%>oQG;*QK5;pv{95;dD+>(fcH1jkL03L6H{s` zYLgRF+%xmmwdxQw&f1%~MJ1MbYkTYOQDSPUnFA@>jQ)0r!=7%98xQARH#XU3vrWob za*H)_$&ohPj3XEl3NAf;Lv&Q{t*mX4P|xjbOW3*8bmeUz5PM0pBtJisKUmlqQC@C= zhmCVq(@;~R3DOMhy0On!)$=nG63Xe7<&|4!H^@Gxw}Wa?QLJumOW@%4%{1z*#OLO4 z@$qLreuNr`iq91e#K+gIkUXUd@V7Ux8Q4gi^$aug_4I`xVNCXCntcB*M-}Dc^Deaz zM=Zr0CdGm#>+ouFFDR%V+MVKhz7-)<{&7CdV#TB82i#hX`VjwK6|8{H*e1w6LWsFN z%?;umLMn0UJ+OffY;3(aVi2@_s~T?Cekh?LKt)48IMl@Z)=frGFjA}#0SNC=FFqn2 z7vm&o8*N=WrW?7ims6e=u;`rY8yk@LBCS9Zb%7>%u1hP9Vq?RywK-vQcWQfk_?HjE z?x%Ym7FL`W$gXe0w15%jYH;5Ai3eaW3j_S2Q7%_r3_IP<4v*vP^mXGxRi?{#oyz=* z3Q8>cT9EF~O?Q{#;j3xBS4G7Qm#wX2lyM(}YSj-5USnyw>%WV9J~>5k_IyImKar!1 zj^}->%Kcff+wEh{B*19<<*5+g4bG#X!4syP0!HBT@XvL>>Y^LNvzVvq-=(EHwNd>` zu4g{+b9Kp$zN7sVNweGA+h>zcg}2Q|?r^$!ayUZMkqp^V$xZMeB@*<5PS9ySPSDy8 zhVnILTpipZa_!?`67dEP!E)G{-Wh5=I<9Rv0gjKen@0^N4d47%FRJ-xOZNa92}ho# z{nwFvk1KW%fp@B+MxB9%n&OT2k#RaECJ$}p{V8tN;Y-NH8q&@OgJI)i<*_liODr3` zn`b%FuN_jV>UB2voG%GsJS0t&H#hNIZaXmsdbnL7BE`2mHh6~J)k}9SXH&fAvGVXA zKa2PjYn*v$^7xSVV({PCFLoWs86{A(>05Ar7f4~?bMhk$(`Ku7Ju{AyyE)w>W;7cf zA2$O@W_Rah`cop0tLSN`LOa$6urZ;U624Rp6^;4ISFRQ&!>Ns<<{PA7JHB`hyOXGV zc0hZghjefH{35P-P=%l+G2PQhh>*l(9Cs@(cd(;>R9;^ zo?SOxJmTd@X#pN<4YUl+m(3usHkM=`N!%G2x7<+U9t~imUF$s}(%lmml=UzCvz`77@_|TgDCO zmg`&@?qYKlexoHg@I5Rf4E!1^3mjcHEYCm%Mn*=?Tf3jGKzIAm0UAAfmSS+Ix|7=) zlCU$}bX=wRW5&5&WA2IXX6pf?*&vM8<>YkoUB6ah`Ei^be%1IW+HDm-NOPZwCmX`P zKJQRozK2$WW5e3peRH|b&1|w12!`+Ng9kHq+P#qsrSqDiqBrUK4A|J%%NlS!{j}O+ z>>x2^=E4BwhPPTd!{p)QqL>{Y%)+-ocV22J1uolAb4++9N$0GCTQy(%3)Q)bS?Q5c zw7G#DtQ|x!D&0?(v94W%p0Lb0Q3&`6-rLSe33p+Pn)=|7bJ@_pw(Vxf$Wk90V6nc| zZU}t)C-MX(!8E^5U%!l;4b$toZ9LsfH?JcE6S7z>MVmR#uoqS6b`Lk@K5#nBZCJS% z+}=JoXriN^B6@UnWxuvb);nza5|LPK`R<{V^qT%>EY(f!7;hKBnkm4n5d#zlHEcJ}3^rOO+`nC8~{k}0iXQ{7Wm=uw9u#jbbr&%LW?^}TN@r-`hDk2*wbYG>a=D- zUwq5$`Z50nub=>T8&hN^%UieO22T0L3ZYO>*azr1A-_xND3-FOY$p%f0KZQ4+mXxZ zRPLOC*!1U`dfN*_y|se_wNEWpWu*m zk&BAc0$)}AyMvi$#p-9I*8EI9@#N*P?{rDaf&`Cxf2#ldxX$r}#%ADzCh+fmee-7( zbj%m?6R#ZIZBFw?{Ze9VCe><;zC76m!`GWTU935a#3_rVj}hd+do8Z3aSYbxdj^dU z+;vB}pt1=b;0_*pee_y|6OX~f{D<4^<#+&=FicCiG{en#Ke7A$jWodFwEM|PNYTMJ zYsI>jf$yqgLR43MG0_M1$EedwVKnhqtfqtf2|F(Y7u6G+A9mp`QP;aekI!vssi_e? z_#fv4_{C)>ZU^h3uW{*Od+AYh{0Tc_xr|VOul_~EIfma|7Tkj!MXv=&7vm7GImeDovZeC^7<{(uoHiGFa~zt2kxV zCj>3M*1DSxJ3n#R4e%M}xtbc{MTA*Vg0PMIc^;~L-quHbGvjBJC9G&N?msX%*dQ_O zhK_vfb2*W$YDnql0W9bCBu`r`zc5^@su?fN(8tan(a6`7<9isPJ_tmZrx0SuMe=t(L6$@w($@-{S zS{fcY-XL^GP+e{QBf<_PODA)heJaoN;fuo6kyYlZ{2OV)7=SwZBP&aGXtU$$2*3Ly zqfy)U?6-nuW)EdJ3>HguesKqr~GpGfQ-*f6UE60FD&L zyxd%P!246HXYDw*X8Vu^;try0IIpWq1GGDmGGuhG@l%E_Oe!@6^GSwuGp{Q}sp0qI z>r%3=Fv8XaU6yjQr8>j?j+^DDircvhHITZEmov#CY}sC49@m9Ow5a;)c9R>*eTa)JT<~I$GPG|Ej{|DvZiPo!ZE+@XQ2WMbheL+;|tuB$dEC zzt2zuX28JC&q2aQ{a0Y*ia+(p>@p)Dg6K?P$|N`s_m1;jRH#zVW*}L&l*w{4;f3@L zg!^@#WcQaQM;vf|CeKBkjt*j=;r+vjqOcyc%0=U@#lEPA4*bF&ME)o~umfP4#17Q5 z30WXBv7_y865^jU>o@l-+!gaD$wl4nZyd@ErQRaFWhhSl$er9KUi>f&6@$8Ao--WJ zIj@jhqQb&7gJ$HNUG*MqKkS8U4JF?WRyVV;if>qVF7H(}U7n7g_oM=hpv!G%(mFR? zcJ-)@TyDH#{2oZw^HI%zqo;ISzTzYljIA-2-7nguo8F0*)zs|AEI;0CR=Z!jJhs4C z5jWf+FWSHWxC05v);qgP4$y)3c|E+MA97x7D zx3&=BubCg@yWVw-x2AGK`YS|Q)5%b~-#vehjD&$AB|iLC^mJr3G6;7-?>5H~QgeBP zH~-BeBmY3JYmrt;Y?G_bP?9vKGih9UF1DHV6w>>D zQeb~_R76A}l7j-WfVP2wuySZgX%%GWhVtORRLgl!7s$;w>FMi5d5$cTJLgV*w9GJN z$sr9`I@paSw2>Z?42x$?+z=)w-D&r0S&cnohpmG16Q#teg@m6p!w=6p2@OlqD=*|)PHvTo@V{@U)LAq3#p9E*+- zX{bM=<|j{jh_yv^KPIvdgo#=5mAJ!(0+FZBcEjFs<-kmvFgg*Nt)T0(N9-nri~{`<^$ zPDoC^_aV2V>8NL%#M3WO&%)PW$=Ev}rzy+H@N$(jTkPzgR?U*DidyEsb*~t<+vR8KH=a*QAPEEaR}KMqyz+Ql=VYhR^i=bqStNykb6u~L zFcauCBPl~~oDXn;>&2KkmzWQ%-X@>;^4guwgz-H{6)I7_)1sy=)&l`cPrIO~8q1Sp%@1R)%uHHW zcN`?gqgJ`!+7SSO`;i|{cTjwQ1F}Cbxn~4mz9uq`HS+uupum6if+Iao4Gx~ZM{qu! z@WC(eXnSpT<&5r!g*P44bdyF5v{duo521RfswkF!pG7IhTc;v}Q(1F~$SQkv-|SzQ^F;q*Gv( zLC2t4+_{&2QV4p!TwW|6HRw3gO@bJoLJ1cJuqX5k?lyvmeZ%6JTqc5xA1!eH1R}av zz6|mFa20~q-_2FF`9z0>m-)H5Ip1sW`1RUq`yOZ;Yu?{XQy8c#Mu}a_sS%GO-lW*6 z9d+B+Gko9}=^KLuXlU|5)-xy}Ezu-#baVf1c0-5vCrFq+M{0~6nb7U&rmdbspk{un9E6xthKn^7&1 zlSn}5i@qaLoy)#-<9(PiMoY7>+$_?KV&9ll(r@Wp*xFgu@7Kd-3=IfqVrnyRI=Xvbnpv0;QSx@*{r=g;C1*rXV;E9~;9&9=nf) zN*43A%?0VqZZoN19&da-(S@Y=Cb1oC(`xoUT?hFE%$v#6a7A3(h$*fxzxS$^cgV1O>vr| z^_XrE5JfXN()zG#jQ^<8teC($9#i}DWOl&?stKD{OOS)vl@$-Q>ay5URbSLG^66lF zmeUxmr@Xwv{(&JvcBfYFQnF5+(NSGPD5);!z+zGwB!`_Ws^?t^&<#i1RL5s=IrqLHi&1Yq!agB{UP51YW zQNzv8fWe698}Vcu0J62a%Hf>cRhf}iXp7!wg zMK!8z-m7EyTVA{S4$hH6ySX3Wj^nZm8s4Uj65|SdL5MSSF8+qkc4h8jK310*_CGn6 zzdTS(J9YV%m7n+QJ|QA{Dq1N|GbPABnH1!G@i#Ub{;m0L_xC&7OXQ-=Ogqdrdnf>? zZu8$Si%9sudXhXouHX6eC+DzyL?`AQ#I8ye*}GmFcZlUr(W>2t29*2wbOJKq?%chq z1W0fLl=v!RiQbeam=+X*al|J>WKh?qRklF#xoz*eL`5^OFt;+yXoqdN)VSM0Z1=rn z4>ku{z*MQN2N@kNEiE?#M-RW-Ov{O`2myz!CwVWi`(q>#6JCW1xs8EDHZgyx=~A4H zsLHHUNQk6G!x=Tyo*g>P9=&5-X49V{Z^!_m;&4Ch^?}BM+r-T~2M3~0;M6%w zH{5NZ6c&!LKABR8T2C(t)?X6o2vM~yLmq1DHEo{U8p$BOBXJxT7a?G(I^F~kf!X-> zmz6sDHb|XPyKAEQalmADnW3eXz52sEI~bRu#UydM^2kR-yEVh_;eG|#dp0e|c*-j< z$C*gD%GjLNUO_)iXVO<;{Sp7K_OM(JJ-3ihiP=1yXxwH53@o(}5$kh%7#rOFlJ=4y zYg3jz67{t&OZNvheCr~s!m}}}9ZB6Dq+X#4W@_0?}b}djB1oH=%*1I}V zcgmUuc2K6I``X^Bs-g-exB5WEDd_7}B09Rg+Eig+NT{CqW!opuslpqp z(@dtTT~@cN3%{eL3!Rju(P&&9`LpxTgUfJhhtWPb!VTiDC5es9$kA8#OOi0>No;?lgOmfKVOvv4*D z&u$JDPPai$xTu~Km#_rYTtx))FpL%m6)`sr-SdrCjl`52s>);bW+&89yVD=$*Tpv5&k*Z0!)j=m9$PAS7o!^W%7 z+T{m=(NGIo)sGJ8#;I*=%Ac=`l-|YcM7gqN1s!;I9Xh|{FK9g81*6e{lVD=5pF06w zf85ad3<=l4YB1*ROjPjNF>vLlXV^#kJ5apO)9XIYoH`q}+ojF{$IoRhWxTjypJ-Z~y+OPM9oOwXHws`)asfum3F!(*YGM)o_4C4Ib zq_LfflcI`~k3frqgN>cNHPq1~f_vLSZ_-u()5I3797^Bo$Le==j-A%kEg5TlS1D(@_(7%$WH$K+w4}q zeKh`dOXRSl9E0yu*bjcC;vC}hJuI(Lw0}x=!16SQ2A+@VAn+we#78f8ehyy8Ggq26 z>3X5g=;ZGgq=Cq?jjQz4e^88O@9{ym!fM$E{jzU#h^D&aG@Scn-z#h+qbR)$GW?h^ zQaSqVKQ%EP8M&`sBHzHm6jziDwRaK$yKl%}<^>=AkW(3t4OixBNXfQ*s1odz7wKj~ zA>whZEco5D>XI+hlE7N@6mBzpC;V(i6`z54W@bSQro;Q9hpyn*-Ucw!>8$OK(^tG8 zqQ7L~btN>VgGp_uTV14MAByt7R__sy$_F>)XS_JobOGQZglnpbwea~Bj#4LSvS&UY%V z`w9_r*%Z3llJJ%)((v1_3cKnC#niX|tdW69G30m#nCsyz_EBe3Az_>cqMjgll>NRf z$7A_LW9OgZte)9CN*$0lTQ#*-vA?zzT@{<$q-l$oHmI_oJENl++ z?F!?GB(z$QM(dn`4TIRNH3&@Q#?O3UA4~YY(TB1@5Q&!&pt98l2e^y5S?mfQY6IS0MYz?=ncMX8ee(W zC7I}{^_-EAWveHLV1K%Igj;@I)=75bJ5KTk2Jq^_9G!z$lYaQ>y-8Uz^wcl!V?dGFi>o zR!mb?-~3}|$Mwvp*ISmeeq^!VFe?L{!A*^@Ibl0$GOCge$4rT1Z=*CC!r83_KDVvp z_On|Mb2_+wPZ{xUl~uOboM!#mo2Wr)evStRl#5$6b?dm1c#y)ewyJ(ga;{zMmO2PPZp!2Wen8S{myoGR0 zvRBglqTzyK;;ww7*yzXU^BmhHB9h|eNd&Y7BrLxfu>#o9N>|6Wrx&&e9<5es?&jQi zGQTAbqLM0w{8P9AZ$zh*<_J+t?~tfh0QBhs?Bd#)8_uISM%-LBD<}hvke*aDqJ0%L z07dclgmBIVw!(SX^D^uNwZOp)&&IPrT4zVDJO$%8by8+5iPtzHV0o;sJU}wA+&IEg zil5(1=%RbE3HK>QWp`@dks*Hmr7$t-s)^7Aj|G1ofXWe-SY>c$grQvjv6R%{Q`71% z(8iu)#^G@QKn2|TbX;NZJ5ZC|s7iTMn>0fOGC(C@POgJTn-{mb7v~~`4n!6ABaTAC z(VxcVM&+0ZDuIJF>gd364S{%Rtwc5>)^X_$*?(@d4e)CcAfEnZ!b!tgt9`n1sd!c+ zk^8AgCT~JdSxJ8ei@dr778tV;hhF?rnxa-TMhSmiZhdQzOoD_G9;d#Ft#LmMrWzQ9MYAVSIiY$FH5I#hpL$PB zMIV=jlliyJh39Zs2qN!LL*qZZotj@PEh*?49r|7MQEqt#7BI8!%znW8MH5vYq+$QD zRxS_0BOrbaSL*kut1f6+dOuwbIa9C$ z5Kke+FA+p8!qC&ZPBYNr?!NIjdk1C?fP|+<+#)dU zC-L~W!}`)$)f6rfy}gc2+7fCSOtK+Ew$?CJB2#v8-lWnb+liC6oX>uAv=Etl>3Ho>+ipr_&m#fgcDCUD#lu0b zr)_$ix1pvJt|FcvOr+XrDP~%;9MDlghZy;V)yRbI5DTYe+e)|np^8up+~C!{*v|#i z2fSSxsgsgnVNyUy>{u= zkjPV^(Terp(Ad*I2c1Aq)U8b)wis!O$bugcfm~dhdXHi8tYx5BVfL4mv)Y2B%()G* zIyS#NYK>6}`Pk*vx4GO!df0x5HS1RY7KA&ZGIK~coYXW6vb`yc$-`R&08d8d?T7qI zqgN4(iEZoFKk}<1y_ZaV{u%gO;nxA+fH_lzm+t**dJxFiJp1at&0g;IeOfA z%|SF=$G3PX%PeAkVhg?E5tqgGYkz)vmB`|h*;uI9oj+#>CGZoJkb0$eK5GzgelYC* zbW)C>Jy^xFtcjdT{uOzw*gZZY?W83cYHw63y%Ob144kF!T*o z;9Sj~qrGM+cu9S`hlp8Sulq(IwMn+jd_H`)4uTT?g(4;_n>gmyQV9j%2r((nGmgA;oh~ncs@Ec+#ci zM*JQTxH}dmS8UZ4$nY*%au@p%c~YTO`*w%i(T@8AS=Cx!SGM-GuXo=hsPR2nxq1|L zpVne=E#dC5n18G7Z%I(zBUD76P2 z=Ql;<7Y6nkg5!wAbeq;3uQ`1ZE)%bhC$r4J>Sgz%z&)JPwx2ujAAc!L6x&!Xfmnw4X$ITIH=$LQ*%n=aa1=yQ0T3e)oRpH4EXHNR?`QJY79;eR|l zn&~0o#?OD~eklm&+7-4hUA!^U`|D<0m`R+FD{gI9=V^C>6CS1>BZ=FV+394zbfCQU z*}H1yGqXZE$qsYvhtLd7qM?Cbq1BT=D7U5IJ>uuO7~E!$Z_91s>QA&Dmo`DmuA212 zyATPdqI>sY5*m&|G4xQuu~FW%qa%1XB#;DmMT`InG- z|52zPaGhqA(?ookZXWg_b3Rp{;x1|Sx-+n>VLSY?fV zwy%|d-XV-2;(Igh4vynJGafoV=HP(kCd3{b!=L25{y=@#nzuUk8 zAAkh=Gy`(0RrAZ>L(A%}DZj~@CD%*vWO;^MHd0UXV_cj7Bjh^)ZE#o7*U->>PK03C~1A-!{6WG)K`)3=`UwjSE1Rxf4l{ z04OoO+wo^>*Nn_@pqrcF{m3C{#TUC!(u~whPx3r!T|~1Pr(nXBnmDVw37?6+_}h{e zA~J;TI<9#*0Y$rqO%n~Ig( z=!s5lv$hc5$nD~vMv!e$rV~IKPiEn|H8$%hvV(@lYiQh@YUVqa*K)B8|j2Wylp(GUN^3woIQ% zoU)EgRdGbx((%m1G&&jyRpti`4HhPpyE+Nc0X6j;3-s@Gm7=4RCq^brZHX5&2;#Um z3KrfHV<>|Wkm(@$94mfYbE%3B#fISqZsXPFt}@^K%^iQ$PxZ^S=HH>Qn5tq%b|g!`Ae$ntAfjACm zn^Qph$|S*iuur*OW;gMCXw+?kLo=+gWo4nK=@_0*BG0>Dvxewse%r}j?8frFa(&wD zEE>Apt0GRL5*vH_u$iLq(M^-Mq0aVuGZc+Gli1&}51MAahtz;oktK%Tjf~0}*$t&jF%y>QX%IbTa#uEJcbW_5388y&@-ls! zmhhfZhu&&gWpLe*xIz{@QR6JYIG@El47`r&f2zwaIP5-@P>!*muh={N&`GPXsdB0h$Ru5wwY_fD{FenifY6N zys^}Zl_BSZ**-n@K9mOPlKn-$jiAKiktF^oG3NFqbWy4gS5sc4;jOlvGI*5r!HJ(P zQ57rE=%wtlx7gXSD#Y~1yU^15zXiWuVn2~nwNl9n%gJA@LQj$i?^k@@epf;{#m-hd zZ?E@QAq)9|^JcM@;{C{W@gO2N8GE}4=tRKO|`+0!vAe>3ogMS1psKpM^Bxw;P2^OYy5=_Y`?6n z1Z=o=zq|-k&osmV$EJ@{2_EX`R;z1+JL`U6l~P$?e2d<^ ze0FyeVs~KqhFe>+3(|$jU&hb9GZc{|`WfZ(c*DKJr?fEZ#MRNVLZ{_c}N|-^xMCGNwM`QLSg7&Ee$RmCbg=l6m;;ZRnZ&C?c0m$ z1YG{+1+y+AZ3`|D_S$$3c->%-qG$cgMm#P`xuc-f(oKY0jW3LHr4lcB<+Mf^F^Jdx z^0ZQ|c9?hGvoJ-FXXLZEucSfiE> zRs#ccV+oWu#$2v}^9d#f9~GqC5xMuaqLmDEA~O|D&9}5oqO{aoiN3^=aBLaCqJ%qX z2x7U`Pz4%)|HUykn>+D)iY*RgO41G*f{}&xGx1U=#<>c+0$Rhzn9E9erdO*r+!#q& z;*EbZ3Z#E)4Ki=Lw({A_ADkU!1QzMvr?9XR0SoE`<_23B2gG#Pr^6Ilh-A&y^GEV&dg?%u>Q#`@M_cBlm9QEU=Ge+LZ5ltNe_P?z7vH zc}$Tm+CNW*|6LNW4?68-r-4h4`wl-mh+jh24-R1g!CN7HJ-k2W!^KSx_tLrMA;Sv{ z_i}!!yb(Cc#ca>{0|ndCGfv0*C*?7sfv1<2nrwyyVcpLF5yS+ebzhfCB1;03mQ z!DZkH7*Kn<)=L8)0p3n%)xPPRNZbKF))cwX!+rM!EU8wS4EiBH=g5rz@8DitgdG8vA)i!HVCDIr4DjSUq$~Lv?__RTWxY95Hx?e1> zQ-^Po$Q4n&wyx1=vqQ~j1JQSe(OrFz84pUkNxoWgnE1Kmn$gbp@GYq_%cnxJ>bnxG zrtm*x@TIpVo|X4VQr+Ko4m_q-Jx*uC0VSq~*M|dSk+e1Hp_(KaS(Sqe5ikkKBIoe_#)%LJYj5P$w_9g+C(WX3Z|@UNzG>}~CzqsMP#q*u#HcC) zcgSJ(LuU<}xz;nC%7$f?kZv+5IKV(OKPszc&&1fs3@d1$zEOXj@Ai_ow05>!JmV2;98dxSxh~nO_h^GAauPj}yoAKVDGKDAGiU6*^>3kW)wX z9Tt(~$Aixk$>GzYGys1=5C$D92ovHM`}~=&(HmSH8~IT*aAS{E2DiGBrInvX3I|EP zgfBUwnb$jIYQJ3?MYrKhED~V{Ji0fRBB2OLzgqdsH3H0`bdw>HUX@YTp;LOKOka<9q@s?oPquhqz4-T6yg9;fxGqG)#}ZbYiSV2MG-#gFJ4WC6_*gCGB-oE`CPY9INC90~sOvxkuIzfYc%{%>Ur1Nlfy zmhQ8@2dszv4y~lfsJ@VrXsy^-h^=k`3cK< zc_5FatGE?KW2=|Be!ilFL%kC2Pg?jCo;7KJ%p{ zT$}9UlR1i!Qt#EY9#MXOBVA#!+!xhJF`nx%WTu#-w=^0p;1JxNdxbRd|!3* zqFCmNmX%f2W=VpAaqa|pveCKaniVG)KZ)C<#kHq%!AG4&oSNaeX4!Y8tXa%Xl04L~fyoDN{=n^5S^&HPT&Lsc=7)p!rWs86I=8J{6{(LkC^B2AJ`kP%cTy=efKh{ zJW0NkxvBtxOVpl%GUUAjf=0=i=h0c!QcNb3mn$Tq5hNV(l}0IKNP}FJ&iPI_BTYDB z_=7;5OQ-{yYq_xHSie8=&9-yh>419Q!F?Y-C9=UVGL*Zwgbmo1IoY8VE& zq6(mvKF^CJX&n@-CTU+lK0(8#7pqXcC!s7tNGmbMkev{j*c-d?Gd9ug=sv`toAf7k z0ts~IrbU$(CGVA4Tvk<@F*`dZ*0qLpUx1RVL?8JqTcvQtHbyMJz%tqiKE*!~NOc6k zxKdWuWzGL=h6Z_-y0*DM%|$j}=P^=M*?sWNf>f3h!ZWSKGx1^e2*W=o;*GTVhBl-{ zr)y`yiuHAyq&M^LQ{%TSYv;~9i^gE`Z%6pl?;hgd;l6fvd-%R0npZ&GQH`Ndrsd4K ztI29?Y7_71Z0hg|FQ(-WQEp1KdyTm5zBou*$|>W?1uU~>;qjT93ais~YcwSi35e*r zl?>c{?7EV*FgeOBoWbncq{MfY3gMt~$j1rq+zO{lYvH?d4%>|8`j`=_#U>T*oMO<) z^X5WqkRR)wh37=)fVI}P=$O?5%+-lI=?5RI-e@)?xmT*p-hoh^g}+D5UbJ@b)Ka&RND$mTNmFka6xfa+ znG{FzMe0XH5bMgS-4k1q{j%!5C6Sgj-l-3a>a3Ac@DTmE3N(uA)V`}VKgTI~m#R#w_m%ipDbUrJJ{4ZhvooCAK1-(299l2~}ZGVz0*dh`?MI{T@18+&0YH93CU6emr zDp7;$;`0ytrqR!nYrjOUS|OikLm<|i6^Y0vLwT{LRUv^XaFQ^1YgcR+&+^l(CJXTAgyUj?f>q61}EzpPE)pWQ!ve&}}ZzDpg2B&z=iHCt6jaW4v< ze(>rklPJvmx})0xhQot-`wEn#p@g6$_dw>Kzunbo zKf~PKFc}P%S<^ijY3oK;L>hIsO-i<`-4U@A$8jIpsgH2tGoo?Eb>;(+jOc{)K-;kN zE)JFl1^bj(69XRsL~oU=1Oqqc0LOljELzm#tH)!s`}a!AX)9qUlFAd7!M_NDBe`c- zIi}yP1%=tp@C^otJG#oZW*OxANmPc%+q%kse!-`s7c+N-+Y=g7%MgW_tEWC>W>L_r`#`8xS( zh;>cuY_VbKOM$1mCvTkOIuF_&dY49|VNCz$N!M%r)VgT{EGn?Ps9eIh*Y+Ja?oaJp zR!w5iLegu#9-rR7ADvT>SFLeh<|HKz(;I>Fwgl?ufkJQZGaCrXRU&Cu+sm4&5Vq$x zL9SRS)vHU0=JqhafBT8f5nCpxIO_Qy$Ect`!1lQ^q{2XOLb6pWd_Hx0(fb&8A2*P% zX2tio8Fu==Q6{CPhdhWoQ67+nOlT%+y@a~c-hBf4KZvw+atnA%H9((TMO@P7K;KkV zqIvmA2TC+hLVFpk%wrq`pDXlFP858meXmZUjaf~2yO#{Oo8S67ZRt+tPo9SJbf#GoO4PEUUK3|^ZK(ceLz<9dpg$MX^}=uttjSaghq z;yY9D2ysVgkv#Qe^WPbK@BF0nrL+`#rpTz;l9|vtIK+qn!LfUm(%E^V?N>(#p)D%s zzxoTjG`RO?x2OZ`)L(FTmE!Oq%45a#H2zBH4%}}>S>VxdG+;-svaEFF*plI*DlUGn zz=KF5X7GIWGVr`bUw92*&KOtwJ}VPCk5Rev>ZHY=0sAy65)K5afK>T;b!OoI{E03%c^DJ z{R%8d7wN|T!=1`N^D{hWxqrgZlE)Bfa^nc>?-zs1H zI|=_gsh0mtYGAjhRYS|2rinv4mM{pdLZyLp; zCr*UB4MsGg6Jmt_@vM)Tea%^o(}B9b8RgG4Cc>Jf3iH{JMT9EYaZmW@Hs+y!Fewn$7{Ay4RP}FT~UtM_sAh>THGqLFVYF zqwwy(5ylm_7|qt{eJO2s@m!SuYH^BqDZdWn{yhvN+}-ib*9?e#r`)s9nb8VcZfO%O zG0%|5<2Nabj_@DB+W1JmKu*KK8(B@-YN8&y#I~vPAcxIjY7l4>S;X z_^s*oG&D~v1@X_xH=bx?W8xFDrz3?#ed%;_8d3g15A@!2#u^cZ-r25}j&vjUC%UP* z`{Z40v(vH8^DC$G5v)_ne}q|LnCUl?)=PaGR!Z9ocfbs*k!@O;#g68~TYK23Q5h(7 zdo`H2FnTLk0~k{DNLd7)kMf82ovo!P^mME+`}Z&(gEb#BvU;C-ibNx`pD6zbxu_dy zFQc}OZ8`h95XsQTW64!d`EC3?s7ZD$x3_+Y-Ko>19FkzPgnzfU83|06Ono7<|2yAq z)x-pdNsSeSQ=KBH4GeCCbSHoNWd*l>y~f8s23fa%BQ{5S@hB!yhgf*}_NF1|-(#?5 zWsNIE#2x__#j;hYt<01iH+`eWa}x4pS+J1I%4wy=xTnNE8}V+{Q@9M`IRcB-^d?O) z81EY}QBmsX%w&&+w=O_r9)r21RE*=K#7ozV^W|lY)?0ZnM$Y0Q@s{!eA_Zts7*w8r zFF#va8h?I<>cfr`K8s9E4S)YCwtI@Pr|`*>?dGfV%y?v1@hfdrZTMw(+&3$I&c~)I z^wED(-GZnC-*rnRCqG#aQXl0!AQM7l28<^VyVjQn!RBr*fwK9j&=+dGu74v|a)epQ zBQ)TgfpY@uW}pNv8sC+bhRQ*q56XaPnR$pvVIYAR zf;l4xOZaJ6!Y@=x8)yba<7!a=W~=)ly9R8@aCe9F5u(yLPAnbd{mUzn*L= zjiQlnAJAtS<(PFIu|46qFBhI57XO&zK0S?5jtGWPP9>{_TQ5nEK?qS#DayYaJPode z<3IwH95Aa_q}U-(Fuv)+GOv*A33Mc`y(HfRO|X&S2_FxUqOO#(7v(O_+~J;HOIvlc z12V|Gx&Wp%+d8VI8-F<#VQVBg!6>*_KwHh z&OZIhNW{@b@`D_E#n7 zl`%xD%95jyRQKk&337VJJx8TrJt!1UzQ6fU;nP+rxaxJo1}lhCH~jxIVcs`7=u&II zmubv?Et?7L13oMy;n#*}hOmh&uqP$pqSK}}t-SOQczhIo8TBf#yCG_%*&&}C&A@8C z-Sg@x`06M~N||yU^HJ!NLMl*jHF}_myNQ8F>FEhwC}yiTUpOu_BHq4rdXL%`gPb<+ zXaK47)^x@7@}4f}!lmziKnzjS7{5I4oI06vJ<2D=nH&ra3E3jJKH&?`ozpfw>`MP! z^O~u!04*&qtFo+&;kiJFM?p@GBg#AXM{=?PN0 zE_`q5Z|`K+6ZD-{lDYB^TT(*jJPro?5Exw0Nk2{Q|Ktw_JY_Gg*!W+kg}x>K^yb#| zpxX>aXJk3HU=`~l!)wIWS0cgNO54s4CBf!;CuAiZIfh_MfTurY*E9`|UNxq8^i(nz zh0Yf7;2S4pi6~3ZF|w-j_Xb+UXs2;9FLJwlVJsXTkK&5;Rw{d?{+leD_F^j?x z9v-CBe((oX)73=xAR6TI%B`Sk@_D8dF3_9usJ=J^LR^_TCu4+gGx;{Fk)a{`C#7cb z0EIg(U#~jp!W0cs_#F3Ng?GBI`;i{wI|3 z(inBn9YLt-V_Ek5CqyJ{M(0_~(gIj-Mc9x!N01f_-P~KV9RY^{;b9R|L!d- zR^NR+z)u}=brtm#1Hfjl*i{cDpQY17h{0^rIB??@6siEL2i7jxdF5gcJaHRC4sgwU zS3%cIX!tlj)W3EL$75sFXWHbWV`E%v>+X1ckZ(Hb%WYg-H0^iYABx$e&FB4$LKSbF zsYa^)>0t!ENv_EHSM8vEYMlE;cPfyRKcSfGH{I`J6PzQrF zR!DSoH1WN%{W@;qj(!DlVOKTUXN{{VvYy8m~uRfvWo?(AT!sFzYmFD1n)L90#<B+-0{n zaF%$X>wUQT_b_Yu&(%fe(Ka#IOki8TA3-L{Hi7638zLl>A}Z?9eBGqLXsOB=qgdkR zJ__|*`kyDecQZMIw^YR_7m|+yJJjU0)dsr(gG4{2sW|&JAinG_paP=IUi8lx!JTI>gV4&M&{YhZa^zpzWswens zYdg&iHiAWpH-mT4!)q!D8~67)oOJ(%0%)sNrJGjYb@Sn(R8MfuF&C9|v2*JjpJq@}`b{sE80a6`7Rl4GRcJf>7l&kwzBdi+D1_4CVjvBIAF zBhIS*`%Vp@w}Aj<+;s&sbs|pR4IAYVZ(NX59ahYNePTgtT2P-e);%a%!33W-LCzl+0KC?VziHR}$COr&h~>)hIhkot;)H&uzRN(!pV zNwl@U?F{2t?gX{T-rT;9jw1?TuTff<|3!$Ew_;r=d8T- zJ>SRk=YR+7n6>$v$_7`;7nxHHB>!1@AJ|*5|1J5cB_O21?aNdOz#kum;y2c?ZYx7+ z0Yye5_Twr=)Cc+M>h7Pf-WI87bwZDeb+Q?-3oIxgE#0lh9<)+7xh$^;3L*wl?~iGm z&xuccvW?98ol)$8)KTm|IC88Y2}Yg473nn9#zx>gQwfNGodbe}mBra=!ksKAgqr`_ zSpMhN%sP&jRVAtOW*-TEnt2~fswXi$vy9q16+lZZ(GKU+qr&0AElN%Pvkq zScd&i&!_$RdJ|WECJv5t4|^YK=}1~k{0skP!Cdi@TwK>5nwAJW?>2^7T@xtO__L)b z`Kv#J>j@de#?%av;@0srA~&6bV@qk_&n|>gGU)N8)-aVs9&9JjO-&FovF22;8)N=0 zdjT?_R2bd}-hkI#`G&uE+=(>NM3iqd;S*s<{GL-?QqNoV(tgg_{7hHQP%C6AFmIgsfkypiz;$DyRkAsCl=BVmgchu{ z`uCrjpRd}tE_$~vBLTs1Y4uCLT!OIWCnLK*=gFN-&O7TYV~Yw6(Iyr~>kAuQR-cjj zj_}gUV0|v;1kN1KFYi0;%31G#!t~rUe)C?hjv{v_YR4xZR%zJAu>uN0pr77zj=zZL zT=;Otqs$sA9*$DjX(?J`eK~=pVsBGR6;JXL7@-h)UT>NZsK+X z610`3_L3Th3+>e{+rmA!D=P^ZNM!58&MwP8_u*F)^h=R%WPp3$(cF1o=VYrEFU+AV zA4%oeJlj3H+Ws;JcJ;i}Y}E`>TeH(7D8-^v`(t(ElfH_c;7`vInM{nC>A3zT9s89w z63XBiyaGWTgEuhoW>klNl@vOD7&hMK;OwZMo(8}x?EqtE9Mn_14A*UPHUtL$$5xCT}lc zNW$3b_dJ`S$$;=5kH#Bw^nehPTS=w2IB9pO#-fP{v_ckVIv z{Oa`LNZ9RgE7|JTPxtRR$=j#or(rCm&58r#_l_8F{_TXZ_rHvuU`WHTnFz zn{PV*uNB+lr|&{=k4zKA_hSzIC4-_G|N6L}005TU>~t{99hZc4A8?+f=8A$b_qG>S zTnO~}T?2N`+YT2@%TfNfnKaz5zxr4QW~wQQ;G!ER&p(&giCRm4TV|`H7)XIDYiQUV z$&T5v{(ZwiTwN*cd0`9_`JNk)8%3v?@u!YLPTETs=9AA@zqQ_NpW|Pte!NzIC~1Uy z(c*Q;rQ4eaT4QQ(<0ONqvW~(&1;?64%I;-I%Zjz0&g?Z# z_sXW$%f4KVaW3>T=e~p|il(7Gq&>{8iijS@(z0?S@zd8Im2e?$`&Z{N@92iRr+Lq^ zb6IrU%@=-aPu^dj^y>?&4p7u}`8Zo!-ZRya6AM=LWxW+tQXxX5g+I#8y)Ww&5Qxs- z2C$tFxrWnylQ20n|IDDtk@4#i;}9it!!UoaD*rShLiINZfl!RoHlTKZw$G1dO|4Tg z&kGuM-Y>3DXvt>t@d+55pFXqyE-$`vtqC8De~3Kp}zj!?3d^jPeoYS6fo0P6I?ReaK# zduJqzZh!Qj7EMk^+5-?Zn?%XcNgcG4tJX5}-_Ccd*V&m1YViL>g`-IMn9*_hl@k(1YSe(D^Am$!QWX-HIEZN z(0{YFDNo`t7y0sbzRzbZvLr`4P(u7%5`X8zR99xOb48Mi>m3o`&tZi%WF(r$ySC0B zXPs~&cwO<_C~M^TY3FW-bN$82C>%ezpS5_`7M93U;3+~7F3h#HLq`0NauEk&&Utp$ zPm!wiW^!z5s8nXAFr3X^N+)^iOkj4j@<)822;ZLR&E7JajiAM5BHyXW5M2~>){apy zSLBP85LZ+9EF4G!K5b~relQUdCG5_Br13Drk3({tn`=inHcN>y056b|~V-s(T9-WI;<`Ic~a#7I*!Fr^|;sXsE` z6am@29aW4@N?yC5&J`i}C+x;HAf?zM7=GaM5s)FB*SjAbK1_NsM0Gv2cRpVoXmBO0QlyQ0x?P_Kq{EP-jZOFzggl3F_f6m=twMipf}UsM zVqjb}Yj}bTKp$^K4(2^K2xy*0i7LK}ad>r{6wac@^V)QbB*cpPu*7{x?y=x}&C$j6 zq$BOi=IDf!2<^&?uCqE-DYwHZA`I6}s`0I?9V$=V8qFe&=99%=5*$*g@9LZd1qmRG z<{Ro$ESt7<897Z63PTEYi4ifH4WBf;a|@%gB&H^2?m#MD;t?PhglZL+58maToz>ny zb4_lrR)_!GU-m1Es2425k!5U{Nj_>aed~Wdn5-5oTWG%Vc+TCh_0UEfY-)Py(-6o- z_)F4gwTAMKtM3#QN`4m4+04I!NPozhE1IPwn!h^JR{Tv6a_0JH!9VArN%FYW3ecy# zu~=k7ORX^+-nvf$LoV!1*SjC$7LK7p@d+-^5xGSE?OIyjfK&z#vYQ2)J315~(8Ms6n${D% zQY|(aAhyGi9k&wZ^Z0b5IQM=PwYWRJ>O&&2u6qxX)=;2OM7PcqBAe~8)9wdQr*wU! z$JR^?{*+ffdbPvOI$C3!uljZ-xmu_A1G?BwEVu*OJ%??u%CPOMr_CToFgO|`L9F=!B>^|b!EiZt zyr;R!Uypy>*{y6NN{Zle?oTk!J=4wEVVAS(5NowgyG>jd4SVB@A8~vfBVZT)nQxYBOrI$wYR(DrEYOD zG5G;3oASvhe=1(PgzIxP-RWAJlc0&fwDl!_HvXR{h8uHjjXw*xUN*m__}z>`EuIES za*IHB@#sv^Z~;h}sH5oUTs6pn&f3crJx~3>Yq|O(V!ULPRNX&luhQzy0miLiL z+QasjyAn;`p_ViXiv77YNgf>ilc2>xHI&c9(rEASfI~8TGtU0nL_y<$OeCH|WZOlQ zn9Fe>)l&?Jd?>SR-7f^fqt_Qr>>0GrdoZ)}N6q;hd_ z*4z=1HFx<{Dg>hE=Mj^?mG5p)yin%^eO4l8E{7yIhS%PE7C0G8_Lc`+kipHontRv?T__8K++dS51DEQl|oB_lFeQ1eah?J5SvUBjscfqruw zj>%?`2aR4{j$=vWotjeFT3uu_-QPVRgE|h}VkSU&&TPB;`*{Ugqw8@PZoLyTvAtat zZV7=4FcX8vS#re#u8z`k(yXwTQm#qqR~h@kj1X#Orn&Y(tF2ujFxu3@ijG8RrRR4Q z9t*aNP5qkdY}8b|xy-PI&@&WnJlfhcFx@tTa!^;Bx*Kr>i07%B`-y3(&LKZRFZMS7 ze6f5*nIs9+A`w3l`z|w~LXUE0Qy^?0LZs9yKCadfzmOs&*@W30A30u}9%X-RO1TK5 zYq~l!KOZ~P(D>RM?pm@75lSVac(lB>tG=`6=fWQ{fR%x~e1j8k|3Ie;-*uEml^)G=CZ+2dSNQORd1a zo#9B+XIxaAm9RoJE|#Ve0B+MtOuwhb8FFX~a2U3G2XQ)tQhC6ScZvc=X+Ib29fo4T z?U_N(vIaLnxW1g3rMs$wW!rD%D?hQO)bNXeYh^hOiXm=W1D)DnRo5$_Mgmoq0FEr^ z^5imw{nX%OG{v4z2G#n2kK2GV!giSm|_6c zH%304=B{i+NxF7M<8N3&;C$#6O5-5ip7E}wr{FdMmq_SB7=U^O;<>=At{R~j!80k> zP2h+XskoQ>0bTnrjMS<4LW2Ws6*mXjOMV%U z-J>gkMh^%F4^r()220iROmesBOc_|9@sLd5gPuwM$ot)K& z>wkMMyV!0-vW zLH(q&Kq`v!!6NlcmUxb!O;G#$G50 zH$(q21Hq|@$sI-R+|6}oJbC6Fx4qnj(U!lH=}f|J8xPu3BOiX&&@0PK4z02Jut}2u zH*5gVeFQOYRv;YTg`k!xD9`9?9rVw=GT&JKsIQFxJNcbEjr-8Js!Hjry8@R!4fxw| z!bv8PbR|AGpBbuu-PI`#(vllcs7NrLvpVKrfv+c9KgvW`TbFN)NNnqk&lM0VDUyFk zvglyYfA%m46bL1#m-*pSYo8u+a#t0fTTyTn1ZHODDD#>NS0k@pLb{Fvz38w9nYd2J zcVLy$SrYe2xwvAjP+_1hl#X>U^BIAc5mirN0Fp7)M!|-l62Z3d77$54f`j=ETRzRP z@FqKj7UT9W*#sPipSx}vg7%>{voguq>_KmhQOonFARX%Mk)#lBCvlY9}!RF14 zzfdbWpk$eS&pWMf;y5+f$5)c~<4kpmjs_FoU9-Z;Mn@PA#Ey^T6CvDBvx5^Afg&?~Z{#UR@UL#X2 z`iBW1eadcw$9L8+e1Dxk`|iugl9{e!d)Nnd&pVKLnH{0?acMq3?8=EP_-5F<_&M@SKJq3YykYfm zT<$B;uyj7k*Rp4iK1CY@+TbD!GsnuBM+5M+#RM#ugOgBvxSL>b|I)e3Xa5w=QCd{D z6nQ<)gJ(@(TSM`=p{jCCD{?8WOjI_E zzDL#$Wftb<-M#dOIJ*YrxX1_UM65Ge(&qE?(vZ^Xa?H(jO)X_plMZe&tT-X|zMhV9 zcWJFV^xv?t4!Ub&=9K1$9;^^RxEy1v9b@~O1cKR+ajgrsQydJHobnC?ca1;4z{lK| zgQvtrX^p`3%|KeV**mD88Zr^p| zb{9zeLFN}WoYq}Hp9$N#*Fe3gDOB)|$vj^14w)1`6t>n}L&<(#CYYzlBcrT+oB{&J z^@|BS{&3fN-q-nmI+`fXp7KQeigvp&oqhnp#5=5uQCCvY6Zb?rzs!~AbV$^j12}9g zPGQJ@b58~I%+hMa^0QonXsW-9?EJV?;p=QFt6TZ9@8F^)Z1K(} zNltQH3J|-`3>&f<&P_TjYsYC=w}jkMu5o1*{?ZraeJvghl2(w{2N2|J#wOS#BnM|? zL1w2Zi)mev^#@Q?(Vx!&@Lg-q{H}-&X!=tHQo->;gMa6PQ@ID75iVqCtG2Wc69y+m z%sHLs-`WE8p{n*)+SlZI>#B4av2oHSYj*h(I`2VX5`O3|rYoeTb1Z0HTnUS5j#tU& z4u}*lN|ashZ((-mWtz}~!{5YYDj?bmPozzL@pg5?*Oh-I{>eMdUV1T0jPYW{?Ddlcn zCwE9FvpHC53-M2;Y$TCzGpU!_b`fm6?4j4@E~{$h)_DXH$|)%dct?MEC)=AmtN>+o z&2j(KxEVqq@9%wFJu^GI@zK^rHPe?G(@#wKyZ-7bps{`xoi**($)zF5Rn(cRxp>tm z{6P8ZXKpLg95P?2b2P80il-8yQ=tNpw4=0D>!~y#a8zRMPWq8tKm<$E29;+=1m5k-aaQUguZBcMV599fh)tGlNfm#$;v}>l(6+yoyy+Sz!X~h5-B|#M0QdD^4)Q-lB8cQRNJ_9J%$;)7fmGz~3$`!kDA7CoZmO;3Dt0b+hoU%; zC9GI&iyqp|;i#69fc_;x_@|y##LKxG7reMXAY1|dEi<6Qq4XLwdnlfDnh#a<%%$&X z?OO%7V*RUhYCJdU1n=ThfKs&OyGMi`YWwrD0zMbWjJ&UM>}O&!0rjrc8ixyzmz0kj zyA92QN&*)^-ug@5#Ap&eklrPTv71Xn>lYilX1=_?(W7#^Q2bu9X7?^vfr9%qpxJS9 z@;%W#+(4Y>nhQ4QM&Kv~LDTtQ36MNb4q6$Ek5N5FiW8RZypJrb&=s{YPAlmI`5>HA z0fBXdGH}G&bH6ELyQbSF#lED(#>{c^RW_xcMNy3b*dvDK*?OpKKZw^B47oxCH~sp- zlUksXFMg-NRGu6?Cm`z0Xv-por04apBxN|0CjHB>4XTI8;q{~Ri=Dviiq6Z%BQ{aO z*9jkc;=h9MbEn5!{6eB=&iPVq=%`@IpH5~I>>FVC+At0o>5D;CM!2{49{AF!+SZ#0 z|4$p+lk497ED7hG9akmpmlO!@g*szZEN^R&mKJtcR`lFiJ#YeJ24LLaQ$hftol1AA z4rfds%Gbl`Y@}|{7lpVNEKig#Bp*u0%9470aenoZRYyI46a=Y_f3rt`rVs8cgF~OStC82(RO#e zC4j+&DhD#ZwggIlR1X%XW0X_p7m6*RuV9$~x%9>}Kt`Gx*9fR&b8qZ2%O*l4|1 zYpJb3`!YLU-CSSz#FyQD9S);EM_?U%+|t!LP|>|{xqt3B zA*grxwX?`~%`d4+5OQvtmOjf|k5d;831zNo4OLV8?32#v&g`n}zq74VL$Y!^+n4P| zHBerg>k-b+Nw0V+rTV3XO|l;3V51YKuyK%e9AjNAt?AARv2d(~Kgaxq_|x4w*daU+ z_0BpzBoKeoig0TNZ@UE?5eDupM7y@(8qC>Cak5(#FUdE7&kYe*4e*xS%l)aiN93B;0kV5tI3l zJr;YuWAiylhkkx@MI9v6@Yc36{<eu+HcasEO=Zea%NP1337m%HstYU61lGe{a13V~iYzT%#9bXl zrs#+$Mnk27ER&vBTxk%7A%TX9acZsgH|9Pv&(og-C#^OTSMdwd`GyW zIRP{>5TMkgXX9;fXZ!r(9jXT|EFAm(PW2)Fie%_X4Q%j>BH?{VCtDs$3HS z)j`_she2{*3_BKX(YyoWCtFS|F%BW7Vc+7O?kTEoAheyD>LA;75}+K^>-GkkSG`c& zzmMPlk$qv=d|i8$5N9%U6h!Zsd|R_jOiX(MR7H{>#rXi7Q3F)WZ(05hfUqWEzhPAx zR-^z35%X;BU(V@3|GJFp634QLmbPJu_R-e*YEf@k7cxR)dSG$GAhfep>=O&y>4%mD zLdj;lz+ON9x%r)QSD#Axlpl#gZX&Em+6@BTa4U$HNDKG5Wo9r_Sy{Q$i08{QviDlw z_?j%{ZFvs~woZb)`r(=UA~^03&yQmr^vsJ)O+C`7O&x2@ zFxjHMW?e3;#g=0oqG6*P!Y6bee?{NV26<@`ewg@$%S5L})N}^m-DQDD?1?=XNWRA$ z?QDS7{mqtqOxyiXQn{?=VHB;p#^^jMgdP7dkfFrfx{`F-kg5=)2yjdQbwL0hsSir# zbfJ`NpAR7dBuK;g_0=qHg?mkcRCP5kJ$%zW7mD`!4h|M6eEFfq)bt0;Gq?2bhQ#M=4M_yfNeh8izDME9t>-UItQY15@VeG9vYnH!>fl3pPj?IfJ0O|AvwPUEoC-)fISmsuw(ALvFGjw*IrLi56T)~7NP+| z*b0T74ODNc&dV$tKseHVn{>D(J#Lq|@5bPj=?MJ$Bz@AvY6x{Wbc#{ znayowS|)Zkwv3NDjBIRTcAGjxBq{c#yOpG>1pr4mXL<(@S&u8 z2zvAXhuG{pFEl=nbOE1#1-na60~j=-D9MZR4xmJ6bi<%|gm+IS5)42~SGhgQ{V1k% zvgR~gJ)B!6Fy%MW;B+q;#m|5-?5i+N!f`& z+%U^T$`xE1ERi8;5Wnb?|My}pKgxEZjsSUGmX-8YlJWn-G(`g*T&bhlq8u0vNZ;Az z{4aq$<;7RE5TNAB0c`M2aC?CLop;Nhb_D!s~cA zR}<0sX5}vnxQEC6tM`Q0&&Q!$lu@2ltMoEN z_X4t{@kPzv*(sejN+VsJ5MF3N(SJ*|g;z+r3gQFlma3&1SQ^BL0q0m+Ed2C2*1KLA z^Gh?TpZ}8H^NMHE8Mfe4iUuC>pWXuo4$jZ$v3Z_cHBlzkQ@nKr&apB3a5M5dt%UW& z85s#b*KfTsHTkIH@|WjEbCLHz69H!a8b7v}>0fWT4`0hpIJ1+_BcoOFR}bn=w!|b= zNF;3P;v4@tS>SL&B_}Hn2OHTrLn*lHMJ>J&*{0UU{1-1#S5bg^7aINeJ~cqXgkU=h z4D0+yu<`cgZMo|V?==~wlG1W|!K+94cf1VoJw(cum|Zg42qDaFT!6`*xK=xDF-4jGl0k{YAQ1s$S> zDCLiuvY3#>jaPS*ggI)YUsDR+6-;23onH3b5m-Wf;dcH6h2&X&{~{Rwd-etB`wrU5 zdm`+=yuI0lP-#NUqNV%wdh>pMre^4AZ#5B-`ySQE3CYS?({D)Ow)-NCq5Te0o1*2! zQE0Xh{mcnX?1sV8vK%O1z#++Kkbc36-~Hp$)+roos$O~nkGrwC zwLH*jeqcpbd~T#GX<}s~qeVc~4}N|ATN00QLW=hF&SKd1l-=o!U+|$34$dApZrlIm zCYqUL%=MlWMnADY%9&mNBLz)eIGwOt{Hs^A6pt~Pn2HOTJi7>6=Ub^s5-&Y;G;63Geq zJ$)K+F*fdQPS2h-d?(Z^(Q9G9ried3wrnpmik9m*IwVm@ExxILOtB&rmdB!}rm1-s z(%BbA_K=QT@bO(HnD`6zxMb?h;)ts8t`50hzmkmRf;S1%zHmamrA z)5VzgElv2_K3U>Xu+bS$7qLIg%&Fh1&54MITYqtNv`bbKudio}_}M5qrkAOv5+=?X z=1wxs?!WZ9c1criOh;qoQk-i=g;}EI0a2`w&V{sI7q-|ITDTq9BRtT6LUouLB<06_ zGGD5(W+gle-s_&5+Ym&Q9=3RaIJ8{bXUu zU|U_&$5fDY_X(}cN}SqJ5bi+m_ET`^MO`*?lfEKIe0#`@PQH7DUmXk1p*X~?^NTUL z;e(j)moyaMyTf=Ed2_6y2QbWqDNN5$Mog`=sxv_m}%i z)!Y|{WmQDO3%RP@H6|hJ7i>RBeXos4V@3;aW)Dy5E%CsS+R=}OJ2vmrfKw95SUuN! z&qz#UwVYQLjB?Qo1{>Dr+^>WiVLF;)L6pzH>0+K&Mu$tS~@Bo2O49kp3v%=8bsY$cwV4VCQV1mu zVzNk8QBD`ILx=Qg7LzEXe6h|fjP$rDT0FIB6uJ9^cc^0_P|r=7%_O8-TJ~KqA5*YL zZ+PgavjPkBYMIzr_M0K`A^`=R#}eMW?PQT!Lge$gI#q`y|J7-`Pg#0i;_erYe=JIr ziDWLKH_RP0V%<)x2JQN>I>I|uJu#k@R?D94t$#us9WxXee^Li(vECoOl2&UxqChgwm_jbX{;EwM`tpKALw87h|OcrN_)N40OUDAarsWEvlZckQ#*M=f^G= z;y5y*IeiVjf7Q$lLJIAe%U+`L{U26O*iv5!XEz+tu$m>L?P$`S+(h&vkRK6v$+to(gfl_H#o=y zz^m?u1VBQ5;ceOCwr5&#iNQpOa^}V-t(&8v^X0d6reQ2|XQO~C7QvRz(wrBTxiCKS zL#e?|gIjlLDSKXXRLro(L$~ALLTA(k2Zw;NU6CL|JJya zr0vKFJ85}L-2E-SSY{Tq+{6wPssbgva$wty-vIgG3I?hbh%h~rR!*qdX1d1q4tnu> zfOOz`F7kOkkz-E{RwYdk(awIFsgWFgQBw5BaLq&HdbdeoUdhkGd|q?sltx%VTq=i1 zdH=?@wwu<=@gG^;r%`534(~O9h6w%^VNcrCJK2L)PMT!UpyC3czdxwoaCA?M4UP3# z=p%9{n9Mx`gzwAsSyBd5!Td4DZcp!v>*|!DMmO?b4gj4_{ZUz_*s-_%W4NB~p^k@r zwC|xlsm;j4HIaz|CT`T_bxBNQY*xE9N@9zLdZF!VKx@3MR~9_CxA%fg#W*V^>C^SU zeWc&zFw!B;bGFsyXz*-2 z8FOEojaA9SH;xwm*MN)r{ppgMl@57Md}MX_QoG}M*5pFKja<7&+0kfm{^lt7BA@zz z41c!~F*H*Nt{0x3F3W9e07@}aWSP7V-vGF%I5=AZemkL%+cv|Qob)}N$KLc`O*+fk+$z9lyQz<96|L1<8ap#CJ;EssENdYCZ5Qh~{Re9ZHv zESMF?;)p#-?~dp`}a{`;mA&&xM>l}=?zja88vtk^Q8nqq+t zj}0|HK9QpP89{iA-5q^1TMgKaa+P!eH50{BzC!3R@q7!;%iTBc|3w$O7f^pjmGYaa zNd7GvMVWbWHp)r1Oayd+_F`HEIw(y3{iAsEAEth-6?;yax1i85O(hV{GT*Oj8*B3F zxj^_dB_=?WdVkr2EcJu>bLUo0_ac_^mD_+AD!Bw*JlgVa< z(BBf8Eg3Z5Z>2445()3Gs7gwl+P~>&FEW&r%nHKfzt*+w_zr&-xil9BcQxH9R+!L_KRcaT&bn&^Aa~}k=%N3 zpsWGy%T65+2g|g9ZKvJI5+>hA2E|eFbYgyc@qmpcpM@;7B)U_Hyno_z8{W8^0G5DC zdUx+!I0RhZZ}YLmQ!7QD0mV>!Z4Y_NnplKTqc$7T`?;B!+pj;}u0EsAY7>@sXi1gS zM#h@&N3S}(T6fhtZf~|Kc*H(DL*MF4t*Tk;?WKBHzdEXLE2}Yo=j;BCg+wKT!ROwi zHXN@R4ehYwGVnO~fneDk57WPm-IZfnY^Ac| zU(bu?*2}0|Y0bDq+*$9>ln4mCL4+C`k5ceabfA7a?`f}`WaLKd?dfd2o;Tl!Pf`Rn z6+}Pdrp6kmi6v%X0YNM0*ZSgy&bF)3+{5|z`AT(sS*r;*6gr&VKE&oCylB#cRV>0! z`({O4svMx--lPl0=wGfVbgLolU8rybjTcUNvsi1zHsWy~KbPFGqj@VVw?Lml4sgsQX}| zg)q{ZE!Qjyy?Ns|A%s9T zC)MIYUzq3$7XEEzHBrpfk}%HV_EVP0l~eU+DTaol+< zfyQY-*Vm)}EcZa~eD&}42|JShS;ReC^5AYief!m^fEsTh{rGnY^UW9}WU1yyysnis zf{^fZ$|QJDt^Hd1EH%DozRlW0+v+(8pLPj3_|pxApYuhu0~>TnFLrWai*#0T|Ei{} zbicaYvC}`JoAzOpMC`*ck(Ki?7Cuqioon$$&!+FC9g?2sW&2&ySBH$z9Qf_c_BjEg zf&QE(a%!*g5R2S1-!h%rCYI~y2bslSl$ zCMKpZ4N$@&!(diW?zon5Ic4!TR)@Fr?oTPW(easBQGiWb^=*nn(ARhR!wH+6-6z|Ko*uYIKBcv}gw7L;S`W?7 z+u0~){m zBVbrAv1obOmxQbFvn9OZ6FE3*0!l)%XI(7Lv_sXWI!1oRQ@6?qI7X2T2qx@ep)y1%#e*)H>%&WpI#^+vOHCC~1+NgB+L2fQ?PeE=?{941Ya<>nE7h!F4Y>l3}z zVi6t_7V6@3Ue*~+pZ*h(FK03_0{7K*I83X##4l$xsUE-DQ3xv9?mby(o#hvNePWnY zn!RZ+u*AfnD;Qijkiw?>NJh=)gP(3VnyUBW{q9#r3e}GDEUO+cdQf$|G@iJRcxpqj z)B;cwQYHYs+;!+B{VQ&LscRz$(DtJTluw)xL{gZakYezliSH3hIBSW;|R58D2L zkA#>`Q(ya&d;fRVmuliyZ16oyf+%XBASS0AD~4w}i}U_dJX;^q3PHgS$k2i$OwZ4! zModrPu(-<*;@Ib1yqJR*7uKcPrNhG~?qcrX-#3R&fu1cGAZ+!SnY>s&g1#>_UBCDVSN_jZlwy#lx{GJX8) zNAJ>IauSo{&r})pPcn;Qh~0yvEU^v)DZ2m?Jw20GuC?%tL8};NxI#^7oWY0lCWQ5jr@w$@U}eRZHqJ@ zf5}XHx81Dp+PA6t9LNGqRV<&X1EWP!Tdu1j&P+djesrzrE=wRl;MaL`5c-{Hs(ok_ zD*5Q0%a#0<-)OQ=SxBmN$&#ViUzR+o!IgS7_lBc&Mmq=o5uVyYO=kUSIeKgYRtCf! zcOoVL1{vTWe^%5yNkF`+?zxSq#u6Ol{N?OYMfHZ`35X1LIxSQw{O2^9#P5KdF+xo|xSDh!ih#3ArBmKnFm)k%}Mq5(iVe+K&#rWo<$pCZvnCCSUg2Tyus#;2j)% zUiQ1ljNcY^C-hH~mt01lO}l^vjv0ITYpOUa5Tu9Gpy_c-UOm0cUAZeSop!X*DSOL=af zjH@Y=(9Brs<_8mw1(poCf_&;NOn}_yEUzXOE0mW-YRLbHoTM^kUZNviAqcJiZdQpE zzFYDT>?O%g{b!d1Qq#qEq&UyJ*Xa7xpvBK3|B281tV}#+#oW1G|Ndrseg<6q;yuVh z18N?qM%3Yn{`A6DE;!p%3F;XNeXJO=ZMAqZS;@zM-Q8PFN>@29)&5pqpFOn6l2qdG zx%30WBk$1mccsMTqYCJ#k*|Ae?YJ-j$T)sb6=l^j#NqzRTAW(2BdS4`yFO z1>f0a%(Rre^5^&4W~x3P~jUj zo{aqu)hHr)&QB0J;j>wV^fRAtVN$M|Sw+kLM?(HKy#9M#d{$1YoyKV&xS zU@v_A&vReVL(xE0`i|+JTJKlg-1yNtZ5lgHX4)hAC?cntA)`YV`&^cm&N{P>aetxY zpi@_Vpu@_~mV*BAIuCbi+af3Zj!y;#8tOCeT2nq&D62**U?0K*uQe}HyYjw~4=c}9 zR*VeB|1&%p^}1}k9x}W`AW)Zqg+JL=NnISIr=|wBbAs5|Y;wHi%eUE+lm40B<(JPP zLNvt4tY9r6|4;)K((CIFA(Pdwkv}}Yr|Ic5KcfMGww8pq4h-gpQl*m2YK2YwCLV19 zrr7-CDPFWbi`h`H=upd49DY}6ynnrK>Rq6|E%{jTu(TcZi(@%x=Hdt@^EOUJ>8m3)B z!^_vJQ_|^AZ*+@Oz4?gS;_WH>ITSPX11DB9$X;5MVy5VMxqX_@W_#^Rk6iXssX)8n6IOHPT6ID;+5#yZ@)P_{Z&Nu1V$E7j;{6xIg>{ z`kQ0ONMj?lVaR?yK5kejYzZP?l8a_GT4My#hcP+5+`x&E{o%g$A@IC92s{G44GP@H z%)WgP)vck4Bue_4)6h%(GzhCvXN?*kvu6q+$?}|e+seB2WXAXLrk*}N)~9kI5HKj9 z>(2FOcYC%79NI1m2x*J&9pBr6f`Xizf$imax6a3tXI-D)w%?8;D)dcAno{%@GqW>2 zf9BmxK~a2N+$mQF9Ne5=?t3L=6@Ew$O=(y00OGc{&&2OJB=D-tHUME2)Wg*~$@+j* zyizrPB!Z z6#0WnkiUk?D&%B#9ruo3Jz9(&ULTs#Jiur>w^-z> zUNyg(C|G;dXX|_UO=+xl<-0rd@dfBq8&J7M3GhP*z`E!VsJP=%zSU1OcE~|ERbOj$NSKzSX*imH^ zdvC8$aAMz+nFVGZnU|i_@dke2#6o1moE_;+Q8LEKo)o+c-NS#3iV+PBl)#df}dnb)CfLA#%UzPy`xb|yvu#~SBS`VujdROuOMRiR(eW#D1iuU z9!XSWY-i?ibvcO1m*8XOwX{Bq9XZU ztc+8WTf9$5V8KEGkG`nK2R^qWn#F}ZpZ%A^+Y;N9Oi#mKv&qC4T-Vl=v-=e<4HD2$ z)KFV#H~U?vvGfv3JBKP{&TNN0A>vy9M)b1J#mqk>dqZ@)#`4>&lATuSj|ZlI|8g^R z8DVIk(`iXY%O^6#!tz@wE3e2Ed24>TeP8tlOHFz)zY=Hq5}2>iSTP~OWd+_~xk%2Z zH65Sl*^`c8lf{YW@klA8ehM0zl*M^`?j_uM#sCURZolL{!F6nKA_y{j@17QsgeS)V zE%Ehz)HjTAyn}x$Qk!n`Hre>QD!o*=IA)9C*>|J1!zZHlP<1#kIG7_pd|VdlL0{tS zs9o2%4nfiQgYOmyx@y`samr{Td79l=nEek1)?C<;WtgXB8u8EA3Jt=WgR9v@!;K6)D-_ zeEsXnANhC(NT#h>o^S>|Em~o)u&6^kH0W(0Jr@J6-;IAI1%Y_>uZK+qO&>)hf7~J- zMo;MpouCYfY4#6}>avP2!3lW92pEm(;s||NZzn*X&?J$A-v-Frz(*pS{SPbjvw^ zn+%JPh1_A>W<(Wr5y4~(j|EPDt3NnVU6ObQMoc40gF4(ocbqv1R5I8*wfm@R;ImLCG@Xu&9bYaBJ!0&s$M}r>VR?vf&khf|K$+# zd#@L>?6b9T|LfBCzZbmT6~;&lbp>~sQSg3r46^p%eRc*SYX5>C*yaz^19hL*2^i=|(MdtCr3aw(j)!<)Y)^Ou(;*KS{9!pRO^!6hy}E^K!H21v>uSzUQYf8tJ&Ar zd_)6t`Zo=ZcggXm6AFWMf{0L<(b;t6nBRH9U5wXwZ_I<-Ds6)dX6d= zmsM}?SjYXSUewXqoGZ)`@z@TAF(z{!!4gbrBLtt%d8bD)m=K6 z)&^{gcA3Y1O+*NxpfaAJ%JYoFDD09C(qkG$`yYyK_=1E4r}jin%{Tq~d-jB$m+k-6 zTA{hPX$^>0ZpP~tjV0-mk;xV^6G`GK(ju}we zL)|QPOx7hl7Jt*t`zxjz<%#}PfWGz?LIjx7zxB6}upJBM5cJS49!1S0l0SgzZ{?%m z00h)|FWQ(bb`f}uiDP{E??T-W_>`2>f~oe5CZl#V)N<*VVPTx!Vq2@7#5NxTxH# z^piXAWBk`T@(~)sL$R;d-u>3MKe2|KTRWek_iVt$?{2*&y-52cW( zV}%5>d}P5Z3<5wgGm=v==%>EHXk3CcT1zg&At__xS146*qkj z&LO<-=7)Q@5&(G_8al`H&@dA6^BUprs84yfB_OhpmHuOTX_63xo{z1hq)J9YllQ*D z_)stP8NSax*~7#5Ebr_a9|Z+`Ut|wG1t0&;4@V1&PZxbC(8?6_?yms-7i?&5IEadp zolX-MhY-YIVVSBX{uFrd(aBiF^s2>|`<1&tQ&8Cc_#RgHbq)pc!=&*GK?h}|Q3$I# z^Jr%*eB7Vy;B{})5Iavi-7RLELz<~81`Z%wNuTVC{t9`*C6MgsfDS5Z7B<^leeowE zzP_*j<>L+1sIjrrL{~Haz7M=*l0}l$Z`c@b(ntvETqiEK)z_$2adtCOv0HHXS9zR& zCi%iI>`bzoT?iCJ-3DUBA+(}*KY~5`@aC3R)PdYEC*A#-HR_(g!dl6YS+{7!K6`2B zDFR=oD^7KTjceV!=t1vpA<;ikogL$i`6}D~Pw=>R(=J7xL-||+I)xKuDsTz0JP7H- zf|uhm}bD9NueE9mQ~8d(7H{%!ohL#r}T9#uy}Kj4wyzN3Im< zA0i!fDyn;3&jRQqC00pMuTQfP{VBmgX8)3<{`V~nnI3185E(m7a-o3wT{ z^L0*oJJ!oUV_09J16}HK^w1Jb>Qjs+19{b<>q4{u+#NFOy^s zCM|mo2Qh@yQHL;X>FWLZ-!}OgrCGu;Fb?_r2^|#E`>B53BlrT_VqBwuc;CrMVd(w6 z+Tpt%=DeI-%XO2@;)#`n#M7GmGfF<+^cOEUdGQCb<6`3?`=x(1)Y3V^7DkeIPzLv{ZfFIs_gQ3pI5o>KTgXpt-mVl|D8{bft2J|EPmpkY{(&J zL+zAkDJS2vdVbavW$Y6?_PUQsYD6O;-EM1Phmn#Pjf=kN-j@cO0^^EziCCB{KX4;+ zAP{FFAyq|{YXTuMTmvPgCiqGVtilxa-E51gto&cVI(4r4$ko2HzrPHB{O@v%%n_$@ zyp@uY6G^x9^z~YLD#58O$&S1RGX6J-g3ffH6&sO|^z2XW?T^?so+x*!MKZ%2EM@XO zvU%H1>5_q_st@T~Evhqvc!GsqqRvd;?YBv3wAUzdwf&|H8m`14JI|>)7_a+XcVQt& z%+xAkyZbfp^Xy`zd~W;7wd`#Ai_6m(KTe09slm+ve>9nrPl1NXXxk&Wia;Tc!sKwA z(l$E^)Y;wi_|NSj**=wMXUf~Jbw7)*HuvWa?mK?ybGwGvSnt-~PzRL~#f^FCq*uGH z|MXjP`okCIo`=gztIP0ibz4;)UvS|o4HUz7Y7)Fei-ZWVNlI0A1ruG9NLmH{%oHxe zu?Ms;K7pg07viK4ab?qxktr|c+(^6?Uasf(HjHN{&jLGrv25pO5lhSuQRW%o5Sx8&Aw4iFi|2KJQXWgdH2hiSkeJlCWBv?Wm4 zJb+MQ0FS8G)#(1Gp?T=bqKERYKdAvuk)>8XX(kV@; zBRE_lPOL|E8uk*!u$WgOS!N~&Y~WBrhZ{!4l?|9%W}POd`D`{%-Dk`;$Tr;M{8FyVe&W z!6=@W^*yQ5R4rpv#lP*|RucWk6>G+9RLZ!~=cNIo=59UQxxh2(O)Lp1pc}-X5`c1Y zdLrA#&xM8Eby5SrrE<3s7=S(_P&v2nO;6kNw}q~b;A82gmp{RZ^EK80z~)(kEUE=C zWf`b*z4?y?txIt#Abo|w|2&ALB!w(5nb7UBeBG<#KgjZHdO1f_^1g&fdrgF_sNLk3 zAC7J3s?Xt@e)34VE5BUu?`AwulasUN)HRo* z==a#kBI3#Z;Y#k^-$-Zd5!}?er=6l=XGXWYd9Q|Rpie?DK#=38{V)Vwxbo$dxcTq9 zO4MB-PN+!BIbKb-8nd3F(cpy?Ct47-1oH;NFBW_B_?zF!%I(RAU&4_adm`s4eutIV zjxRt#z6<^*Kb8jUk#{XBGU=-wpLPBEC(d|Zy={LVV|nFyQ^S`$LEbqx*M5IAEJ@)R z6kBrKIA%No;2|ay#F<7R+7EnMH!-OE4(j#-#H&i+SFn4pR$Tct+2J6{+j3=y8-3Z6 z<*TxB=@7>b9-ShGk9F1WL6IT7O238&ctWx6@3%jHakSXjtUQBnvoCo{x1a3RP0JvY zlC{JoI@GL#-|GGwd`gUwm$$>EwXk~P2@>L8z8Nxu8&5R*e4K|+qqLCW0o#Hd2h2FE zuU+GEJ2+<9GdD_=8qq-ybG{Nfjvvic@|E@`tq|id)mIX=lWIj3(JQcEic%ydiM7uE zgV&7&KV3AoUp_wEOSX^3Ja(L3(ED%hOKO&+_%W*?+gKQnY#;AE{K_GQ5~m02m2K5O z_^eyLlpMv=s&SFIrVqc&*+xjBPKKgE;g{g{)8_Zn9s(5Hpu6>O_mQW~!M)7r;db3aYU<=LMaYi)T@1#umVB>Tu8vqqNt#y8^9&u>fHTfMKp|F zjET0MJpl{Z-3LBC6MQjgwj!_4wN7lKC3a4f8FW^Ghu4pIJQ@cIHmB@S%U3Mhg00s~ z#IywbnR}$rs{0izKd~m0K=?%;wUr9KYjapUyWd;c0|cY)i6Wa&hTAqx$79=<=(C^c zfJaFtQhYmXn&t!-K~XX*_1<5JK0bI=TJP$0;C_0OryfNLJ}=cd|Nce@(UM_8e^2Akg}e1zTB40Q<`57cQTQ9D!1NSUxuRn&d2_SagrJP#uVb00KGWO>uZdB zQLwS6)EG+o@RbQw;%SoC*al@xmjo-y2X{q<$o1e1grr-XeBb zA@RZ&>2| z>_AH3fdpdr-7b)J93Pb?*XcTLJ+g%zLxpMO{zATx;x=}Bgq zN)?H_1IxgN!vyEi~ZJFZZG;?FBrz%|~}iD6bvJ%SUVtn^K4hk;oSu zZA((35`0FE^OM-r2=-l;}!6YKVM|cML=9C&Y)Mx0?31*xH zPfSgewEZ2UCN$uA2v3i8* zyYmP7o4yrn7YvMl3dfeaFblUp9Uo}gX<1nx+|$K#J!YOd=K~iz=+C__uKVji-oQB? zy~sr>D(L_|r$zr0Icyg{)z$9vpucw>ahy5_^Nc+8lNqPUA+)ZOzPHc+e66Lfb{&08 z6*EgK3;*~`;@wGgN-F(_lVVfHa)m6ozPZY+^s+I-Jd_+~NWkgaS5p{T@GYJRC-Wzh zm?x$06HRT23mb^+!G+whLbBIqY-qxq$Ca5qIRBBL*k7)@XkjL|J$pl&!OSmQx8a6f z9Vb^K_*w8K`0E$vPOW#vf%kuE*|dUsKPtO+KkGnkItAY2CA}vn-#7}q3P&9^YwaA=*AzJ6_iJ{kq| z)2_YdLL|yOq7YMMdhb8W<*5g5a_@}?q;YYPc+D`x$^${Z1?ZjZNhkWXb|;A@=58R$ z(C2I`2s@7hNSQsEvurWF3yF#&I4*KLYtbIEaUk-|cB7%cO}s@s8tZ=KdV9){pRWzQ ziM@=JY!&fJSiCBv^q2RZg=tUH=EhQdm`-%jIj!#iR#n`T+%;85q3LAU&5=m7k|y%) z2k&udgA-dNt!g22=^g%GBmFv8P=@u{_koCmXTRu#xQD$l2Rf5D2PPv^-603q{My~Z)xhuz4wo!Uz4AyGwFHzey z?3&sUpf_Qa7~24>HyvHB1H#lS_nTxBt{3SwZ|`b$OjtSbrXd&}S(&}SK}W)Ze-|Jz zqx`|L-pPjLD@_-2{Le=$wq@R_DUFSK60Qr4t)JAL$D&Eet$z5xi%*c?d37GArXsJ9 zSt~F#YQr2K{DZO^%b?OZfNu( zNQku;+^hSyp{=oRFp?ij6k#qZIx&Ku`b|1x)XirrJHu>o0lVOvvhtIX-&B)`yvB4O zV#d!OwPQzv{(g&}iI$N9Z*fNc*R-}xQK9cIR3{oL@UaoRczNg)12=@w@eDWAGnS>Q zC^K1FR<`W&5RxF38ZTV5;tJoU{@pf8e?ic2FE?AA;H!{lXqvC-wVd(F*_Bi;sQR0R zH3N9epVR7at6Us|lihtcj7>PC#&SYVaiIhX>P-Cr4W0J`V>n?yKL0_l5yStKrk|Jv z2b)0nWyPfnxl%u8J*NbMfRIr$3mz17R7w|5>#=xCGsPSKL34*B)km0<*}t7S>K%p> z1IAT$U_2N#FeTejx29y;-f5U1eVxkY#~Zc*tf6f}Ct)yq zSm=<%`Qg;Vh>=-PkkLxJyN{XzQ<=YLjVp}_-#caXZ4^`;L4Xkjl1^Z_1ZaV4bN4DR zh75?P@?S5f2h*lZlxGi;X4P0%J_!fcIK*iC11mNPJs?}I(ye8Do1~>LtM4l?`Bd_M zDbN@`SSxE~`q7%V6;a%M4{a0ZG?bHJ>28Y#b0vohYx z^D$W?;%Ot6KA}Eg6%j@)cI9uWZ&KeFilyaO*8#@<)$@`3r;Gq6-u@zzsT~1mp!~Mv zrfPg)M=QYu?hpyjO7MKAh;x1MH2*-pvzSI9QP$Zw!n7#pZitX<$BoO5)o+0SB=lyU zwcI?8k+sQ$Sr*1v`h@s0?M$~mF$@6;RhzpOI0;EyamN{yVW37$&~Ww{DjO`uhP< z&o|GHPdXL1z$uG}OTxtzjq5L+FYWUA=@A6oNZ9HuCC04pb7(^Rxb%hT2!KqJ#kU8WHT-5}j=y(^MZc;bxmwIBHJ8-Qq1Tp+-h zY^TQi2t(6@%k>_1%@d4}gl%>nc15Cv{FDy|L7fYvP$_gY8FN2yVc#4Y zgzSzjB#pd|TE-+Oc@lD+PJRQC`htkdUGwU|!^HN%BHMrw7Ya%TdkCT}#5tV6kFCKh z|CYD)-y{%m zlR%yalj6Vz!%0olIyUw{Q)d$bxxdxnogbfLm+#}8!V^c{F{-BA<0wA{>BETqAUD>O z1|jGjYkfS9MnZv+|L+OtS{k5Zs9DIXU!^D_3wShC?gjs#m8Xp_mRF zckR@Q7EV3D+HAZC@t|j1AYiG7SG7}zr2qtPAmc79nCTW0RELZ(9pH~a%0J)!_q1}Q z6WRE>>JOgI|K|CBXNX_|5=LwJ{v0FNxt*kIAY9~-A*06KtP0orJ5)wAk+d=Yp9wRANLedCM-X7| z!-ywIWjEZ2uR)T52m*Hxz^sPvR&#A;6X*U%SH$J!aDMXxtA9ZdtS$I~pVU#CU$VC% zBX;KUduQbU%>4gs!TRD1L@R3K^Sll1RYJ*yzSIP z%U+?d_;zZ$_IB#7?WgQQ|2MM$5Yt`-_U+jzTx#|J#yI5rg*x8^xU*eGfsbokLvoMX zsUM>Ao-&5_{|DRt@70|Iy3QE4kmI9gZf9_8kAf!PH9If-z^&fF49Hkv6a+-PHt%xg z4~_zM^XafsNIf;jKQCr&ST(lz|L^NVgKrGrPj4Z)z@~Whew@smpq<(om=9pR&=~J6 znC-wUVxo5;Sb{M~Ov+_1^xvaip?H<>pyq1`k#v6=G{B)p#WQq9RA_*J5EE=PIGBni z<$y;jD9#wHtk_vX@&6ri@Xykf;}U+G6L_LFJ;t6$_ccW7IeW}8U?)XcPX9CM5yy|f zsmG9fuMZfgW4M&&BEddPTJZ)#6b9aB1dbK4KNuSzlbSFAj(ow;qJ&Lo?)xV-J0^6H zOffo0)%pLsEci>9aBX1YU?-iESA4;`Z_nYxh$Ny?&s;;k8FpY*43Q1id0F@cLlyIq zLs}|H2Dk;(7|gYiQ~ruvAB1q~qjFPMh@?qqwoNHo%LspAFow~Ukvx+d7xW$I$w*XUG zX~??#PwE5bt=O`PY+4#KEzMu$H1pr5UB9;n|3Hm-+06V-MYigFtyKKK6Nl;cVF=)I z2^e9-<$xFnZ{gXmInkc71MD4XrfbM`J@vzP3Jex1qy1o6aw?h4@PX&d>aZ@x5EfYi zJAaAntY48avR)ZdhnU2wFlk(wWQPfe6p%I+XnLM)yC?$3(6rZQU+dEI5)yRaOvI6pi5uxML<;=%$d*H=wXpXzwbK6GYkwvJiD z^bZ$pY|Pilxg7k0{T@53gw7n> z)>eO;zyE!v^;oLG^|j46J1#D^CxXA`SN7E}6`LoZhZ{8opBJ0%c>=ae&m_y2Vg1$i z$rd-bmHO*yfpx_{wY-)~t~dD{9ZEM+x$Qwadsffr+&!*dO=$d!CO=>BaE+u5xDTAc zqEp}8P{;17e3&iLB&L511E@FCOB#ud+Y#G(vT#1@jGu$oDbrSe6Tv(NqQZ_-_B#By zqD1Jw=Pq8wW~HsZtKI?n6|=~3ZIZ|+rmYvf^sJTkEifceRWT?~5qZ`lVhqWa_rObt z7#?j}qHEI)N4K0o)DMqxY@pG5KTk`0Sjk>YT~M3WTtLE8qQX$x5vfGuJE!Crb;|CM>M&1zubn ze$u(~oRajz%&fr2mjFSK5iWUmz4*I;txZ1TbfrQ0r-iDuffKFJ;~#OIPt!&^sx&eX zut0w*dZ%x{!;z8U3&%-ad0KCs!~)7Tqb<8siW2Bi?zM3xAg7k z($UY`vF{PQKa(&qMBlyy?@i-v1dV`mdRu+3C+Gg)E0KWA-r9LV465gP)^8f)k#ns^ zO-V+-9BlO=9^PXmdlYT*ItFR9Ed#OB)mMraT33}&kI@pP*ZbV3z3GmKH={&y!8K)&;b!~18Dves~g5+}RXW;e6`KI_KSHXA$lJwIbu@7{H%|Nb?? z!{32VlB3Ocoj<$p(Mm{&|K?#(PYCYp5vnPoWn0?h}aq#;B!IuS!uBcmnm*^@l=ew1X|9(#t z{zH%4y6}&P(UG`9X)5ju#<^-2DkTz>+P@-JxovBf<%P-yXF7X`#}n>3AWyaq$4Y8e zQ|1`%JSR@6*7yp)zbP{%HlsD)D&Up)U&)DO!62bOE*zY1xL^!}kLTUa^^~IQ{S_E! zB5f^xIuxwTqKgU|ao{nPMLwuQWlKTStQ}D;a9slTqA4bGt0%hLF+78& z7XLCfy>c*Z1_BBu^1780moeePZ_~)uOH&>$0Wu4!c(7;&Hngie(YH2Xj3&0v4>6y7 z<`-e-5x@r3Ev%6CsZ}pDg~{@>hPSv+08$n;^XgipXB){}k+h{{;%brw%Bn>mvwp(O z@j%Goj#+fH6)0De7YS8!il?bEFbLC)aT7}7>U^Zb8BbCQUsrX*Td$4DaK#=d#XY-4{vBA{9+vY7uI z6oK?2lL}cO0Bik)NoOhpP`K{_9FlT}|CSB~iK z?08@A(OtwH_wsCYKC+?u3-E933ZXC+T&uKAZF;X}lUm>G$_Wp) zg|2UZS}b~bIg&C*z>Rm)I1jA7$EY~Z@JqfSZ20RRJsvyfsd*D69LbRV?-rq|1R!+g zWLt-i#XOhg|C)v-KmQDY9MaXyXH%3FIDJ_g%yu{=oSkqZK<`O@t#Mn=eOeIv5!AFa z=UWw9sO7Kv;hqsYkoYUqgKlP`q!>pN{(hSg&hpH?zFgSup z#HG5q&37PIE1kU1y66vD=kNRN(zH!F@mcjWXc{zC8?j)x_;1~O?ymd~Fc47HyfI46 zC?}()h)vF^oF`?f<}YWrd_nAjE&UR<1aS=y3o{X!P3vuAdwpd?$&Ys&lH4wG8bwap zG-BW0?QDb>HRPE8zxX=qsHnfT-47`sDV@?%(%m70Al)D#UD8M^4T9v*-CfcR(lK;P zcS)<1h-dqI&-0x3Iqz9#Ef#;l#P>V1_kG{j=el;3LQS3^4=W!wWKBZvwNWgU**ub@ znNQcuuAX*Er`?~Hk?G@YVlqPq6WYb}LiY1$=ccd%wRLtfSB)8bPw}MXCiv>FF+~iiATQ-V>UY)pOAPI^H%;+2 zl-4qFjnlWlB6k+yN`~blE}jf(_8KbMWq*jhTS|W^yuy)Ig#n9X>_A&BW!L256iPSFk!q8_+X>5O*DO{rwmnKdwMVBj0ho0|9*2j5D+)K$RzfMyhSYh6F*v) zafm^qg%X!+9M~#tMSejMsT7%EwDJ!)kl10Sw4x%*W2#Wf?0S-)M`@v_8TH6f`gmpN z!WuJaBzD5a3+%$4()A37WDT?UBU z(!UspzyhWuc;n)!CWw0(`%?|6EIr?{h!3Da=%suQa+Rb6&>9q`<|IaHS9a>P^3^HC z7Md+n`{3d6#OY@FSXh9%L&FZO;C-rnD0brg?YWD$DPr2UNByP~fJ;EB6Tk4JtU zOEQ=*pb3T|MbM(kAh6D3a@+>E>N8$^+I=+hXzsyGat5GTnsZpoE8n08aigS`SbPSbFB;EqPfnVYHr8#UG;G}%9?82=W#UNg`W{{P5V5}{ zJ8`*NuZUU$`Uu~h{Im+Th?qyok9S-)8IO!5;+t!Kz0_vYqI?n=ef-TWC5K8EN+BpQIV?d?QMW z*~V+k??LrR;{nI@H=7rSuF1<(&8`ee@HJs4aq%UlS!+)c_kkmbUt%dC&4yt8uk-#f zkaE2}7B(?!Tw-UemY}Bwn_HRcvQVl~XU=Y1#K|u0ay2Z~t`vP&dOKUV_m1!utUz-= zGd=8?bXX3y_sOl;u5t{;-0mX2maH~bRpeHl0k2wEQ+4fP#;<7OwfZtn_7SJ5#uHz| zUw09{$#B<01uG-%t-U!}wA@uW_Ckh%w?>95Ydr10&I_NpYja`xfIq(QDKl`G$fBD& z9IkO_dS)Hbtm-~uYWMamCTbcV+4;(4S!S8#c4g!QskiobFaGOt1?WKW>o!!cshiSQ z&v~?e<$F}8)-0`yd=L^}D$!;xvV2?2&Zm=L&M=TB>?6lM=dsq|O!_>3O+u|acE;k? zX8+sLb{-a}bVa;sS~?pX^-R1E5++wLvhA8hRF|KUS(d|Hg?~Z8KLR&i2JJ9Xv8|G~ zy`@6MPM=0{npH)#+?kPmjqsX?cK#gGb{-~=c37Cn?N1RyhqhiU2-w|^LdP@Hbs|;t zz@NmYk!0eUJsEWMIXjQ+fB5nH+p^u3?+?>{;D;i|8{2vk(LC*>LJ6WufK?lT;4%xXj+UryaLI*kQ-y*Z4v+v*DK&L1iX z`NQlc;*LTaJ3$4bhkYXC%gjf^!a{GRHM7VkWbfm$zcfs`yp}&VG2pmkOz@~bTswco zr(Re{+;*m{=OJ#G&gv+BYwV^df2IVPC*ff;e37Z+W(F%U1g!c6j8L3tWy1Y}^TXM# z_5|W}AyQ&{CXSbW@7KSAPfLI%siEB2=b7CP)~^d^PQH3nK=ZXN3kO27Dq2<$Uj{C^ z7PQiHy!)00yK7tnMf}sQV%veEMZf#Y(2>9b!SB08r%Odyb8r{x&rhB$Rm5-J?R+C9 zVGIJRXPU}0rPs&qVQ^a<5<$!ul?DEHI8n;>`dY}4RAy%}B(sUG_jyduzM8sT9%{y3 zs+3C1w0UVwW!k;6P4~W{s`T2anuFkatE9rkUR_EP+{U5OkdUOljNn-h#lV&aWtS5n z*7+*#!@>#BUw%PRi|Zc4c*#)0V&4tK!SJ?c^!%a4^?HUBVK3E^zs`pSY<9~xK=HDl z$l|^*u{kQNv*(Urd!702)L@daGtwXD0}vaZbMkOVWcrm>l_!f4xq7IEUMRJ8natsIQ9M=|vj7N%Ptvr-_p6{ihk;{j< z=9<#2dZh^fp+J*gk5WyvANE9+!qNv*x$8E}9LlxQp1@nRQ)L!l&riAM$&o z?|%QTn$=V&XUNMRUL?7kq|q_KOLBZe^oS~SQv(w$DGNx8M7NGjfPLxBWNA|cv*qH3`zz4fg7U_iR4X= zYWDdOLa+{j+Nf=1tt=n{R#7o4n5e$CBJ{ac^x0AY&%x|B9U@*2%=4N}H?Nnl6cLIghP3*8nw`=@YEbnOOpBC&uoK)yY!AmTJ%PrD}4^mQ@zpLR1_om zBwEdW7HNgxtar2)+NoyH8nk;&!4Q(Djm*TZ{gA1*Bz3`+SYpul`x&7>g<~gbY(MD>Nrr zBe)G6ESF3{Sv{;61(#P*Ehn%`+O_5DE^_gS(Z0q~+Tih_M9QaTEiH8204sdjKvjoa zdA~X}Sp5qy_4$m&NH=y1SIblu-h z(|Y|~*;rRXn0n~O>ie(ue(j4<5jo5#*ZkEb16C!2pCn06V4u+{6dIK4L}M$}V9MZb zxOnYg=v%uhsME{iVfKEM+jA*Ybkv+s{7T6$AU#BoZ|oyCb@V)hN5j1(WBy2Mn~oF|T+B7}8%* zS|UJ%(^0*b!a}NQ?xjedW|C5-kWr>2m0PC|qKro;uvLpF5B zw=bCp+`P0Jwae9+%n6>yGcz@4%d65O|4>91m*`9*z^x~LdEB;nEs4d+h-YikTv)l$ z+}ZacKKq7v?BP12y5s2ca-5Nhxy7*iO8#uPr~<3bFo#h+L$NA)_}c7n-P76jo50_o z-Q~u7As6@bHbtLsZ_Lh(H#JeIp{eG2r5y7&FY71oE%dppj&YAQcXfga{pah)-;`eK zGKsvKHq_k_OF;>#-Nf^dLg2q2{6dQtGL5s+!cC20Gh0iMRwK+v-KoRwkI2fo-7tHhzVJ~ z(;F8FV`tfMlQ*)}`;cZ-j**6l;7IT|xQj=_?3%L8w+%)9{i|xV>QhPz!2ip`cOsRP z;r@_@vr)!Al8{s-)IZ(CD-2`MlbZw-8eOd<*8{gzV&RBZslqeNFZPE^MzJuBJc}BOqu}wt8U|YI6HJ_FmksdtGyJH?D?&l4K>DDEXKT8rV{rIkFv<2o->B(Xg;d;&l40vF zl=BsK->4K`MV^vUEZAtaSI87!ToF*qOIK@&WSlx-0r$)_$YUtioP>4^u-(aeTt&HE zMV&i;gyco)gON8Zc)-IlU+GTh1Bz4Bw3BwZf}|}!)t+jOrHZFri)>!CPt26+)({zsDnKdi_x|K_Y)^WP zFu22}eA?DrOWPs~Wr@wDBR?@QgOq=7TxluU|0XIoTfVF9E&di%m81r>PvG+LavoUs zpnN{0KonV$F7hbSdkkEk#3Un9S<9ln#784Y`AB~0+ZsuWOz#iGEZDCrCLiPZt%sk# zG@G>(zdvV8>wMoY9`F+{w+dgXio)L)npvMQGOmIgDCkk!(&alAzxwtC{sMHZCS)q{(iJ5xR=XVuq9?q$J@OgM=}jB8HB zXj`ukNZp$D=(U~CCmqX3ETtGMB{<<46_gN}>dcW@#DQP3?Tl%~SgH&x@y;%a@xmC1O-g!f}Fxm#Gsr z(!_s~{m`>+I?lfJ8`12-4-Rb#rf|8Z;^6T3Z~^ZLInfxh@Wq9uzf&$wC(aCPYKwZ25-x*CBZ(GAk0-2F80$l#jYg8b+TRtK zsFuK4Ja_t}UNml*CZ4{=Lg`{)q$j#F4s3-ISBu&v&*THq6uv4dzNS=e%2Di8qGe$o z_dPb)hPSC4HrRGEyPql*{nXd;jl4K$3C&DL5+0`?NGsFc0Z}V``cH6rG32!FzZ0)r zV=x0Ti$Odb=J(2FOIpJLDlKos0%>o(j`ZvP;z;288~tnQaw_P45;43cQ(Om*RGD|B zGo@WJynIJ!=>^9%n=06b9nMINI@knQ`5YEH>#&PoXGnT@iT0E>EgSmQ%3PX{c|V>k zAp{euYgBhZGK$PdUugiIwmurD@5hGt7WtdBFn?02{#nEc6p*$%IZqENQrT22{ZC`v z&jfX&+f-7s& zj3s9m+={LG%Nke$seeG{Ccgx8BA%U*@uf955Zgt}6D1Wl&0Z@* z2x6ANU(TfFIDM{Uf*$yS!YX=7%VF4KapieK$M2JT8!zXco=u-304Ci7PN9?B#HR>3 zt2(C+{Z;jgT@Js-?|)E8?T=Tt3B&`-nb#4AkD~)15 zeJ13>d;lU<-f8ggch;K>934C*Q~Ai{{v-N$$q$=`;Hg<8_YnoV#{t2GLhIe%X$Bf4 zg*twoWBHqd1Il6LPwOof{a|=-wxs%Suxh8@7WxwQF^ZeF{^!NlsHQau32uH$;i8T$ z5e+c!9=@=IczRuzu5~*X297I#@(^5wX?!uxpe=VeFcpfHcnl4Kie4sQ))jcVW}cnZ z@m0=6Wy0{~VIO1o`RlJPW3sU9-`}66Vy2x2aEVvW%n3Z%{QPnIwlAcJhp&=A*0Qh< z4|(%ybb8zDY>Mn5U0LrKj65!;1{j{ow&57FjL3Ug|0)CNFi=jDpPq|0pTrasRiU<~ zZmL4>)!X$1e?DX9<$H&DZq?Y>vTP-_L|9K1FEt~=JFX*umdutS&FR6Q0I`wlhl3x4$;+;CTH%5XCLYa--ch}Wdyg?hF_(D+ zslJi(Mk|jh>K(U`qT`X_(IWShR@)qJQTocL%o{i$a9RFdEU<7{8u+6OHhwrw0tNBh zw9pswUF;|&tO@PP@D}!fnm;!d4_+HviB~8Id&Nw^fq175{o!tGrDJ5O~EpD*xenvcEe{J~>QYB_iYtdmT`Zv;Dp` z59cUF3w$3r2cKLevxQe}DhSeG{^m>hE`4yY1&C3OPkcUl0=~%ed=3F%^)-hX(W_S@kJG?nTAC@ z??%2mX8)~6)$G?*Q6b-0E^#tD^VC=?`Jb(O3AjZ_YTHs6-{q>0=p{Y2{rQa45(pn* z$_riXzX+7zvkJGF-xPY4RvN3^&T7&Iu0G)OS{4rg3H-7U_b+X5zdX3ho0&*Pycw=Z zF|iwR=o2&l13S7+4AZ#&>858I){@rlSB_3s^>Q`gjMJz@l(>CkvK>o$gOYEbmooAH zmW93AQxK@4j8As&p^;%0lDfU%>DPKu`hi;Pj0zu{Yv$-(MbxpfONxilQz7-$#kC1e z12u=sjiCb1xE}>6pf%|_69(_6Zf0xW)SsK*M##HrbMxc@oE{s&gOk|LArHHl)8<4CMn##DT~u9+XAT!6N>H7x* z?&2LUTuzM#;lA9eHaJ$dON8L2zmZ1krzZ(}#HdX97N}vVk-URP@~|H&x$+wI(M1;h zgrp7oOBVH`yFYdki&W|5hnlCgQhz45GDVn^u=9U?+aws2$riXGk5(eK3dIFQq;LmI zwI~W?+GU%Z<6XAIbfj*c`fy{}Jt@Q{b)52YORBF6-BNp7%_g7gAk9G^3FhlFOqGU%HR z-#7ksK}?W9Gzp5z*Dn@HOR;J&geXlgkUL+a`oGrY^2yD81aZ;Gw@G7^cL_iaU+$gc z)(cigO4=0+4(tJA_i}>z8!^cP0_UlK<=$X8;>%D{xC=N?h68ChoLxX>MpM-ypqFqS zlU6;lMT|QFHrBG%cj{zl9DdmoiTiMIJW);Md(|D~E731-mCeffazZg~=<%_TdPfzl zUuQHuCY+Z2rs>ed$DDw$>VEL>is_zksZMofu`prgHUPUBjizm;GIg2MO>k8qBtsWc zIY;z1_9Z2k@Cv##ngLY|_qo29klC{9%``xLt~uF^pFO=bAG;vJ)kNuaTs?FtPjcWJ zLBxEL1Y9S6PtnOPzGj}H^-E#Gb7OrbJGYa0G)!Hm@ujn|=+Bs4Tdd@bKGI4|uV~}J z+>f3?oV;fCaix)inl|9RTR-_W$war0HZ=ngLc_J;%*E@NL?a9V4-SQ+!OowOntY5_wT^-1Y>F5|durLX zB%vBTHL@RF+w>f7P;MMPx(_7_TpV%ul3~%S&pbAd`ka z`-M=^SH`IT>bytv#DtUaE1~23_4JF6VhE5SChi_wHK-bFIqm162|Ia2`{D9eOiWs` z5olIG-q0ix@f|1G=0yU1I9d(;ZQRahZI?Xr9RpeSAOXR4BMBy5+p}+ymFo5GSfK6J zdy8GZYQt?!zdtG;(}mHcMJkKHV3O_Ip`4^vEU(NNX4J{+Djvl0c8pVn_9<83M>kZN zx+B;#yXYqWNiiBUU+K-FWs>+U9{hxxh_~;b2pv**KZ^T5ONxOrIc?!8U{q;*6(TY? z2o;ue8n?zE=aeS97)!}n5JcR~*UxZ~W$}=u?q+DD89u78(&$WghY%v4&ymv0-tg%8 zvIkHnu(V9{22PMcWMK&zxC)w{IuC; z`|%N^VD$2;fyLoX!&TBWGNw9eM)?4Jl|p9wmL5HHd*eVY+1bkZg)#rX(AFfjYx~M( z&qAPdz0B8k(9>Z1@fuy;iS5N$*Bh7cfRN0$V=u$|2N8IP!6c+rcC8JA$i7FUPit0$ zAo+ZiI@lMnJNzdKlc!!ZzT2aF=?Au;&;65%4An{-3l!D?5opv*5fSp7z}FzP){2RH zW}g#-g0as@TNny)o=9*4d5#}B!ma&qAvBr|H}ANNNHHW!w!?$Zpa*HcHGl~Nv4Otx zIP`3TMzZ-6#y^aA3PZGZ96AHdc(&Mhthw$`Ig@ev+q866{-r&ypxwEXb@GO?@P>HRk}K`T8q~ z4ow|5?d1_iYywAk!Wk6#B=m&@8U4vV*-;$cQ5#oS7Bj4qJdYkn3b$!Ro%mDHzp-0P zR3w2V6JF{jyb_P|GL{!+Zf9=jC!snP)FTc#IkwpJ+6*~wPC||A{QE3eA4WdmX37Hi zEcis>lO(pFv$LJbG;&^*!&j=K8iKsIJydG>IQN!oC*LL zXh^``96RgY`@b`(-u+nhw*!d&0vyoj9knS>DCp5$Pk%*svvJR2P&{;l{y0bWN1c;S=~Y&x?Giyj(?_b?^rq zJGj?w!9XQOGpzF)0f3(P2`UU&w;b`_s4)scB&!h^s4z^Ea213OW^Xu069X#>9-UV7 z{k`f|REsGTjst@Tbxw<|MFl|hO^@^Xg)C0pG)IcF`y0Q34u59B?o2<=$0EbI6|9TYU1e)?Ye5VcJJ20{S^|KfQ1DNEO+9uH%nzkbbEsPwCjVlNo z0glkaB8th@8U2|6odDhC?&>E|W{vRpY<&?UG`rH~{l<8raMaP_ZRq$KUWc}!UQ#9u z7v(QSH#i}n|5iD9*=*Wwo(*1TqbE0U9y)>uDRDfhv_HDweEUJ$)WU`zQtyuQ^>}>P z=C#~}Q-Zw5LZ}PidH-+Ljhh0Tz4Q>QUlHB88UD

V%R)LT8!ZzQ(Gk&p}u3B@7ud z%Xh6Q;C2!6iZN&p#L`lUEHt-@4w_Fop=GvD&dvjvj9Ht&3IGTHkajGu>SBzo-CD#5 z`}O);m?4uAqRv0w28EdbeU}#V73ZgroKG@3e-6H!o6lVuKs@&+`vJGMwL%arQ{CaQ z7uTl!JpdU(5%wQs9RDGNn&}7(N0(Z|Ks&HS?Dg$S$aA|0J{H-@UDkuU`FWlKHRhRk zQ}+{*Z&#cg?XI*m0|j$Ti5RW)0*S_R58KJ`$1`U6m^VLGo4*bJhPb75C}re~4Su z2*qSOQjnxZMook3bg}$zN>2#;FJLz>R-nzSoxE#a(03~CTk7X&dfBW*lPvZ@C2>a> z=Y#t7KHEPM3p<`qCx%})|v7PX>oVp^c7a7ZK1EMv!%O!`wqc>B6$JI`4OMVA49tl zUS@EjQFi2STnJUK3cj!BdL~g*(+C#5EqtXA3mb@aj^DJ6htNsY1sA-vvR^s**GNcJ zDSG*M4!coS)f6+Hbo};wW9WyrInreFkx>c}{*6=RkoEtQP)A{6q?^{PsXtlXRwtiZVv&up-4 z4tB))$AhRd4}C}eBcX8|i(kxEqSdT6!0!FJb2&aP3La4_X(^{JRfMmj8s zU}jFj79c}8bsjtF@Ap^9lc%_kz{&&E>ZI&F7cchN25?`yYI(l_bTU3Ut*MGx+<1YC z*nY9b=IijMv7eRi?_F6e)qrTsZg@BfS6FFpwO%rn@GW{6e^&@z2Efq(d$pjoqoSzC z0f;U?Ih0-(jx+Iw_lBv^!j#4((j*lB|0kXGKY6Umg|g@j`~QM2&H=m)#yvG^-oEF= z9J$0{fZD|;P6ML*5@l8H6mzr;_;LeYlADylTmX{O;o&)8>Ua0>6M%76w)!3pMpR_) z%12zUD692!;#A-z;Wp)Cr?WN*0B1rr>40vipAPG#}h$T}1nPkH|By>KW?9{dovqVtw8LkdXgB zgf&v|xI?8>D*`AR@!R?Ql`O|kQ$<~h#F^JHA@`(@{DJ;IY_l9MvYb4j4fNGugl5x7{yQBii~BOg)gWr#{@V!I(j9h2nUCi$mQQ0XXE(b_6Gc*b1j@M(LKwM3;Z)-PV7iXixYWiQ4KKe607A2$h?x)@#V36yh?8*5}1$ zmxMgm=P`=muIE1pJGA?)xICq|6&UmBWokOCnp->L{nlOYeYYd~#giX#!l=jR8vm|J z@RP5u1;S!N^CwrxN;K%E0A+)<&jJU*(X#h7Md^q8EEa5<;ZY_bzkiW*k zCjq^F)GtlUqu**<{oXyDj=)Sy;+wzXop&crD)uqR8c)jYt1rphJw)3W31P1^($Y>{ zT^3UJsHt-?>x6HXiY=%$v(3FxZ{ovt=f&AeE=s5v74<2oso;JE)quQdYSB%SMbpZ* zi3t}VN+`s}QJynCFsN(zXrVTCc$F}kl4n8sew8kH!mVOSol{tF_p@;MDH9o0ime?9 zlX3j>%khn1JaLTkuJckFWVHz33?zn8N=nAw*9JZy`lGo$$FrbSb*c*37ThGkfMeWZ zE0>+2;~m6XTm6k?c2AYVxp{uM-0KF$*2-7j} zGtiV-y&2teQX}|_J!vyXxN00@H+eEm|4%GvW(?I{N*ktK$u|6ooHTncn;(ox*f-VhhAOU5Y(0t6!eLQ2zlDm0Pd2?lo3Zes;I|G})Y zT4>p>7vM-ClhZ=F4YVr7YW*occW-U%#bn~PSqzx?0T6cR6QtY$aN-S4vRi~m6CvcG zLl>}1#GLBNJb7`D02W7SWn#-`tb{)z@)VQPQyUkpe#@@7pbWMH3%36ms`>sivN8Qi zWvy1x{4Sr2GtE40`1e=pik8nI1(yAL1PpNmaS2pnJT`J@p^u79pJ3LYLqpWFbYO3J zZ6E>K#fXqfqe9K$kP|)249s53y=Oy-ZZ6(#&<}ZoV~cF=q)H5ha&SUTOQXEOUg5Xw zNhW$p+qeK0VrNom3;5f+yCdBiiU&2211ITsV1&PN3IL|;jNr3S)yGJmbp8fICqc*> zU>qbhUk$N~f1R~O`wPIM-SiWog>Uq#%Kdl;3eJwmv8Jt}mGpzv5$n`M#4R?f-Jt6S zv*we6nGTTuL9q1w_9P}`%uo7bX1cUAIqy+eD5nbHVk5Sn&#ZDt&8Vqi6W|s%yBZsP z1#&_gs&A9NmUJ9{zyJOy+-Tda1>udI)^Lq0R&n`jm+2?-Y!m(9qfh7M{4!bqptL`+ zlmHI^m=qw$cgGE1N{Zd=(&nrzp!WTH2;ae3NugGnf7}8POFG7FbQ%P_Q@cgcmV!kL++{ z#qb~cpbjFEe}P|7wuzd#4lzxiI-xYop%II2`0Ym;d0&IkExr6_ib2lfn*xTV<5k+{ z`CuwfdykvdD$#N6sHTt{PLUQ)ky~Kk0fTYz`ytB*Dd}drbM$DZ393z? zBGAiQ`+DSA#~Y1&ikdHZ&y(_Vn>ZaIr_K=ojV~$_zRQSSlqN*7ej1}8jQ}7Dzz}c3 zZ4;$;zt_jyLy8v4K+)RndXOiroV-(*v|AjaoSIU5g`;vmx4!{*wjMb8EMgevhv!tj zToQca@X}7;C3gWZx>W0Y|BBn9pgjDtZ50JV7KB056?8C+^pgUPN8jyCG3YeU+%{ga zB>|hNy)oyJ!lf{kxgOy^nLJ7el%`>yLWazz9{y!Z#F7!vAbm8SUuU8-Pibt=YyA4w zfNG&_0+W{io*qBx@G+AOwDY*~AOhq)cyj7McO*Py(vnrQ5vi9p0ZbiqZa*;|HcfAKKH+5=GIhbk!Jrj*_$53{u!Xn*PE}%5@`kK;y7*yCd(4}+u&~} zFJ<(i6oxriwY|;{ct-$Lap>m7KJP&x?z#)wo-MjAlAss)+7)_9tO>Y}@4!^C(uD$}!&hm1k;&zXSpGIOoa0O=li(@gQ!~v?OMNGv3Zi?zR~?6sQ)tdH z71oMD*Yq~;ilH%Pr z%Fzb>EWDPYdZ$*NPt64o8kp{FpOQEKHy9GawTm8AzAvelC+aUVtC#&}m)-e_E zLr#|IedeiDp_h$ohmi&ZEOq?+v(;MZ_SuTAk0@~)XkgUxQA|UU_p?Wfs6I%!cVgSW z_>57A8GF4D48hH5{Z3iVPh|a5A#@YF^F2C*S<59R9gl@W5Ic_k<<)C7CYw+bluG15 zXJjcBO*hSq54TGO*?Hh-4g}R^QL(N_a>}$$-y-{Mv0daxpcOa}zH_)C9~xcvKnf_? z9*sI*J-h9F2eWjW=k~aLmPT zjRHHuZP&LnA6mfypdV_UZ8WP(eRp)Ym@+D$?@xU#{74k@F$DZ0D2UH-yns+1w9N8! zwT4lEj)tiO(92kr9lol3^*=)%KPiTP-`BwwGNcMp1~Y(=AanF!g@b+?A@Q;XJJrGj zI1@Ls_>sb^>fs!8vW|@ANw=b+#Jr)31VJEEQ$e|ptVs!<+KYPCgio|87C^)=JM2%Vc-Tx^RqSdG~lNbz>( zoPfBfP|ip8_cng{tUnz; z_yO9DG(A#yO<6rLM-D8nRY2;@xsl_RgTDw0&!K%KITq7l}%`3SYfKjdikYqg; zq=@ax@YlEt+SuJET{Jyx+Rs)B{*5xc-o)PB7_y|9_Py<=`E6#pj+z<-3{+-yR7n;> zArYv7z!;6 zJHcHsp3|r(QZa)aNL@iR7-FVGAwAa6VUP7YArg$jpCETPlbWb0xD-f%W$*nfkA zmZZx5s7Ayf@1 zzP*a}&*UL1S;MrgtM=wmP`{|{7+lfYV!}orN)rqO@<;x_9d$R~sWJDQhp0^vYX4ei zAi2RO$ky<1&5SSVj zzhts9a9}H-RB8_0on0nXQ?#eDW6pb4}#S{6c^?8fn% zt`vWffKDH70XpaRvf_}0-QuSr>#-zuJ^RjFYsHX_{}iYLm48QU{e6??W@?*6+9~la zKibm@e|Fbsd?t*$8ZdL7W5 zQzeOCZ7!r3^Oxrn|C{Ju`{tacY%-7jm!5#T05M&nw_V4TyioaU$MdlQEp5 zrNdC#?vS>?ubbKZw$}tWr9?zwVJLmJI=@Dg`UUHXevna%EF{H ztV!SPFHM7HmC$8r&&j@ojT)VH#epqhc7P3-lmCXIqZvmBWzSeoQ>^N|f+5Sp;AOS_ zcaMW(Ba;d(`!mHCsdYx`g%cGjArRMkemT)Zzw)L#a^91AZOTXuFYh%;I2 ztG8}}VK4lRHU4+#iti&R7^cMj_-8;1OgPY-q`uf4Jf34P^7Vd1t~F*@iY6iEgjasWa3LARCMW~T}x!T#MLkk!rh{RXZ?^bz`)Lq zLnpfODKH|}##URNUwUZs@*HI%rJtNe$JrUJ=kN+_TWr5@B3fGvI`_thUyTVzmGN>A zJ{lgwf!TGbpbKU=072U;RSFF}t24rCdtjJ}Ug)ND@5HVp!KF|Kn_H{sr+(j~`M*zp zcr{w6t9W_2<>o_B&$eO~3O|WcBan^TH1p48l7^~DSv_@@oS9wOR^TQeO)}GCcli>G zO4IAY1_uCmF!Mc;7ERMQTGz+)r!+Rj9}pqQ^M0YRSF7j3Zm@!8ZWPrwvIE^>d|IzD zb`*rZnb@=_lJsMI+Yx*biwyX;pdE~nYNAbCDO~nsxvE$cW{*DhETaW<#1-}!1NO%U zYCXD`r(N z&87!R;*AB5>-8$GPQzQFYdOe4)!i0F5VBJ^kmp)*nRe=(T<2^Pkm&I7XSCaT=Xf}Y zc0TvZsO?ZZ;L*o%Dy1fn3@09Kh$mQ{79vr89jteA&5YY(6Wlh6i;O4Kh9~4{PQXC=!FAN( z{F1?Ue$Ue{HJ>ngXIGXv=EoCRnqoS0fg60Xgw>6SPIGrUX#@GtyhvIrtdvRW1T}M2 zb~-nVu707@0qKK0AlIIkVIl&}F-aO30S%4%Wnhl%=~VX|J{nU*0;@UG=SxHyg4k6_ z-!VestRcZ5`Q_-N_`TLQnuOg>Zg<+hr;kp-a)ko3-TIX?H z`~_Dx8!h0?;g5Ot#MS@F!!sz9e)e{PKE`5*)_ma}aCy}(wyBK_{1#m6JQc71g2 z0&hg$WsFIMneniu{PD0oK|G^;%Q0$t`41hncC1jrz*>qDh z_@kx_;sYcx@1KIWro91t5K0#EPjVdi+=alW1Mjjt8!!PXhhS8Qd;|Su@KKvK!@YOG zmVa@dmQw}+_c+s;()Vu?SLnt+kuyL`+sj`?JK018=esm}-8$SPFo6SxS~5*^qjz!P zG)dc4pJ*_pfF4c&%p^4VPIyHBO8!E6EZI$yyGkv;QQ(T(b7N4DD7iM}8haMn%z%cW z%8m>g1DHEfh_%2=wP$$fVrUpcs~{}rZwQm|HBIHJKX@|aUFw2*^1mAInJY;8y8ja^ z>4cVC^2R|&5L;*k@EG6TA0mhDk`O`sY0(pX*Bo5`B@1GrRyCo^z3iQ#2AMg19=+G4 z#>Ui}Z8R)z(SbxY&IrT(+mUR1hRnmigpT`54hO8PH0$gnfYn=y? zkp<2}|Bl9LVsDT#2>Gv2K#-6nd0ra`a%st*40~+b`V{>=pFt5PS?JbbG}kHu9NEVt z<#qzX^X7P833PMu3V)qlTAiNScWFyh@X}M`hwwJM^SHuf*|}U9-MP=Gzag0k{EaRQ zHis=?k60*L278lvlP%h7t8O6*_67xcSYOm)VfyiNUXK%0=?!-u0-DNgL$D4jPh3+A zu0;ObhcmW8X$QhC@ytA$Uq)z-9NvltDE^ZT}iqo->TVqFgHvMo#eIIy{^#!^Qy4A1s zR#qjZXO|4ur?nPl;}Wy#&ERD%6_Y1d?U$!r((|Uj5vW<`9u#IohhLa&|y!xhQDIVWU;^qdsP7Me0TPEM} zRA~My4{#}^FI2CzI)r#KRJXr7KQ6q(5v{kE)$1&H`Y6o5=N9W92!M#Exa{>0GA#?e ztM(+9ei`r$C@`p?f^ zoMp=Ku8w9AR6K&6rseP9R#Y2;*bse@UyQ}iaZXkgp9HrEHq~>c z)63^t?o2X4=~?icwGhOZ*`e4 zXyNF@|Dx+Hz^d$)_u-9zAWD~XNJ|Jvi8NBu-6$#D-5@0`0@4D~0@B^x-E2a-r5nBl zdd_)&|LgspYhRnq+E4BEtTi)h?wPqIXUlFi$BJju*YH7N>Osk8Mh<%&V~{ipa#nkg zhR?D(K$#cr|G=zncee?nqChK9`{!6dt^I#P1E__551Pg$8hkm?1 zKs;sfb?>3i40)5aJEn(vS+1wmm+&-f%BqIjJtoBDNb3HvBu*8M7q63(F+3+$yPFeV zdR)Z4MegX=+$F*9>66UKrBPQ-goPB=x!SdxTy|n|pE+yK+nSk7Ukp(@mO7kVFO{A0 z?H~2W&htt}F0b+3be?*ghxaMqj@dCae-XE9aS9f`ypq0W`nelodi%)drHKN19Go>r)owqLNr5X~*{#7ru`9!R!PUH_rN;7L1!^`}@XW zOCCpgYa$()!wQ(ZN0U6Sl3dJmr_Dz9_-sxlb4;oPJtkI_wv?mygKH0O9{FmQxHwxc z!*ytuhus&R1WMhb1i&~gFEqxnOvk#xGlU7G-qYgXWO4qj2z};QsGNrdym8bWqUO2u z{{;|xjYNRQtFU#$W`@WD@{@ZOOZ-9OXvhu#WkGg$tEz&=sjTVRg1g4^`vMXwN9sx< z65Bz+QX@E*AaM*V;eE5Veg`$avpDy%0MS$Hx$YdmE)g@Sc@L_V0uTGWCkpf7At*VM zR#yjR<}ARdEy`NMG+#F$RC-=c$NQgHUY#-3peEy`B%&7+bo7tcpN*#;=SejD?&|oA zsq1kZtL0V`GlIKydoVor`Kouo{b;fEY<>QEX{WwP4)QgzC`_gw(KI=}JWNUw)@x)1 zj}Y&+Z+>1vDg^qo`U%8eg!+dA!kftO-C6xn(~@Bf5@=OUEe-cGHgw1d3C}>`do$gO z$vAZ~4zkRmvYHEt=eH>V?;(vQj!(j*A&`K7KRad`#TOtR&9a-$@Ti3L8*8=Eoo9L17@QI5Tb2F~Rl>1FwsB=D711$IENa=folJ z)OL+LohX@kFP`6?cyo^zLcCCUTvUJvF*Ul~at(u4nD5~7o_}pK@mxuIR*`#Tq5MO+ z282E(<}=WCdRTR|M;3MA&P}31qM}$wSjT~&3~;dM?i2IS8yG4`7Jz)%+U9o5xmip~ zFuGG2vdQB^bx^=QY}wj*=v@*H+ZBBDz^Sa z!*3;@=hPUD{DOJhJgB`q2e2l5`ijzekekq=ncjg;hX{4&&VHV3Ro-! zXm{3}B||qA+y?!FlYph~^)%j`x5bE8=U8En)u};<)bBMWVY=vVVO34Y#uP4n7lx0z zpOf(mR*Rl7dSMgV>i2z0Yo0yw?O;lNt#dkFAC-{Tol@!fSO85_T1h1zunhD*@FLPs z9viJl%D0e|3F345C9m{m2&$nB!*8grDcI4@RrV?bnc zu;wq@_^L1bKOM55r2NpXtNoo?GXcvlEmGXG;^BImGZHb2 z8`f)RpSGsOzT*OWpLrFbypY@JS6a);XF04CZ7?6YdL*uAMM-dG8F5H$;E^G1erl() za&08H74zKvFMh~Nv(jJo>N$1@4OCntwP2h_}X87dU}Ll~-D1+KrIp4^(`kT|A5dxD@hY zaBKJH_F+4i=3I@&f^6+iE%MUD9&z=GCQqU-H=zrs?J0Pa;{_)z$=(h=O*vlZ5|cu- zRhW3ZV;J=-eL#uh0l#KQm)Ypfw5^-Ffw+`Vji&UW{YyVCV;MfTwMYdv%N=fX0)uJi zwfJwZ`(=Uq*vd^fhuQ~)u`pccTTCJ8+zoEI(e-aN9*`r&|!$AW~R zobc2%S3MFJ*8pv%0@PDA;QB<~w$%!}shZ8`{f@9e4f6x(O6sK6g9 zf||jZ0X>OeRXWJ}X4p~a%W{=4B^P_q zpeJ0M6ymLIUmpf^_|d|qHTbT6*=+d~@=)tIdb}uTqw?uUEbsA0<@^U;Ie4aW78mVf z2A~dO(y7e#N=9AVIo_2hN7O?3oA;{PF^-#><^s~y+F87IzXa87d^DwFvGf~?F4r|K z!{>_%((21h-E?13KjUI-KT4(E-A{5k4X&BfX{a_+v$m+r*Sn8|uJVhZKsOjIvqJ`` zc`@N>e^YRRGIsmdV-QmWAl0*{>G$b_;p|&5jrxOjs3D+$Xf=sqWwnSsq{0c5*uc(1}5fj zhqID9`y>l;X@KnM0&Bn8A73tFcKI59UOv7(cnX%H6okA=whL!%pNeb2(&MVtwfOCkJopBB<-eBK+$ zSewn4ni#fU%szL0>Mte!$@OAr2l7psmiOey{cb7M(cr9|A-_Fa&dBi`8zO;Jt5oJt zg9(wxSkl##Tr3Z>1oVVJpv|h6=ijHwmFINqT45Vf6CC41DousXy%p?BLv+;`pR;*P zn;>`{_#9QBBm#n@C7bwuiO^u#DJ{9r_8|Qoqy<{j8?k&)j$VT_mfL5zhADECpRztt z`I7LOlO+h1_aSVBVgp%j8{(+MHz3^v^~H|i#Ev=8H?^BjB_EAhoJC_zq(Mo^jXBWJ z^uPc0Qmxg3V*a4$`}V^Jmb}d=*NgTzV*ht-hT$3?QGcz52m-_s7G4n8PvLcCF=}>6 zzC|Ruogpevz}>WEi8|MB+UAy!(>bp|z1r}D&R@6L5(YeR=|doaCMU!_ft;FY?O0Xc zoLzzXWI6J5$QONrknx%h8S~vDk)| z1?ueypG8)a^YcIr+g)&nW3J@|^`4jN5Rkt(NGy6|#u#hGZT$RN6J*G+G4f6bBT z#rjKNMIFtWUanPcS4UG?);sDBq?T~ui9_96=%RnwlDKnHGCM%KKi{Ml>D+AC`x{`} zT;v4oR#GxzQ;0w4k?_F6G`QNR;M?MXvTSw*l=C>;5;0bY<{u!)IEWmm@ZAa|KvR`z zg*^F8%H&mB2#;C*_^m8nQq=*<#EHkZquE&Dvt`pOCxa|;q@q%vSoz#A6T;*E!*Ub$| z?(A1JzFSZ>a>ogeQK%uN9LM_0)A_RgZ->+@nT9_=A2plUzCQe2&PB!9xc8%rldxbg z15HqYRXJT7ca{RNDP)Xl?$ud*s5K!5YI32E<;{_$xV2o0(}i{=b5a_0Rz8)lgLd3c zu&9_FVm(`t@$@3~dOt~Wb8)`>@hd8y2glh(snmd~)I(@~cY(8N|6;YlO(vaRNM?a& z*wP(Mko2(B4dXuni?)j18Slr)Jbze$jx>wyImN6#E+97150e`2;aThw-qlFvHQ*F` z@%EYEu=F(?gt6eV0#L*}cyNU4F^?QsE;Q}v3mk*AfM>w~P*Z$d7jO$E_aTL600dUv zJ`;Gkz$=d^4(3Z*T~ZBjQq`b~)Oa_aTYPKWZXW|KMBqsS0Kr1+3WsaQIUfwa;~4JR zQ;MH~)2;EL)ivx&>SkfF^RH$Hhx=q|hiA_ZW&+F|*0d7n))Jr)2!NY3KanCv2~dxz zAqbWbK)xw<7Bbh!%@4D^cv)_~)J+h(^papLDd?NQXh<8oUeUfdVO9^r%>|ZteCUNn zHqqxuIOpJUX^f8{t(1QR3B8>izJYuq9tpw|!yxZgz%lafH(&u-96|kf2(l7(M856n z0ZT@(+p#6qJn{(24|ojtr-A$B#aECU_6Zn3ay#UJ0D?>u;&%*P5Om{s*AI9*63NuN zwG*3n4d_E(ld>qhc8e3t1 z?70C-ubPhGB=9gjKQ8bamH9}D80}Nc6{kTq{|!e_>FFP1uCrAHPZtD*bH01=mZ6C` zVb7nb#`?IP;3o~>+X(glz9-UITr1(D`L3QophMXX5@Uyp?G1#20xHyb*JdPR8V8bA zT>H+zc@D!$=nSljBYX58n-@wx-0{5HiekmNY(0`R`?4SN)Vz^C^p{vhqD}QwLX})b zV%kp_KveW+=?Po0EoB5s5ce0NqutkN7y9n#rLp=yjvo))5XgM!AlqfuT_yJ(z%gU- z4a^padOot$5T~cju zD%#*Nv`qc+sokk@i?T4GL{ku3!Jn3#1$^OXwLbtD@NopN>sV;!JHP^&4Cs5#9{~Cu z+XLuVq5Cv0nCh<}8R9O_1khplw+?9>JVGIEkry|AS0EbZ`z5lprSB(Ub)*TpAmu4{ z=^u09&KILGMx`t!1c(ZLqkIJ!G=F(`U~KoH5Lz%H9G(H9RKUY>7l}=i&ARL6b{C2* z@{T0t9VqyX8Vj7{-vEn`E*KP=5qlyZZ#aQ(&bx`9e?(a@{X5r3RUBse4yy_3c~Lad zXX1Eo9(i(9~q zW&t8+LzwSeh(2G?D?i?wop%z{J7cdE#sl{W;-)JL>K$K#(C_Wa^ZUR!A&?vg1RTbn zz&I0e(%QX;j@Q6U0qD?&_xcnqBTwgw>_rSg1$eIf`Z!S{y80f?S+aPUgQz%z$7{6b~&Io6MtkF>M0r{S-< zaY+TsaT9|dv9qDO<6Du+ib7$Z6GMBBj0g2L;JfLsEs zRlGsE-uF@luYb_gfF7cR@&PJQD*>puPbmh-v5I`vQV5M0bti2_2Mbr2czB9qTBISO zK#)WAF*cAUffU@yZV zM)V4t)n|#l{WW57cF0Ym3djz?AkG6`b+95RIk%X#p+-r(3%mHEGQpo&CwRb50Sg4u z{~sX^069SF+1>i>KFg;uA80$DP4|1^)Bm36Cl-;&+9nX+r;-A9)F!~MGYgW(ep6x< z0Q=S=X76D&NQ7bp69CNU=8L-__#fE-o>`1rvz|5}=V1W*+@%(G9 zQc}cb0_l9{JFO>o)GuH2I(?$xU?9Z)ZK8TzEhz>*6sys=9Rfbj;6xE0B0K`G)fmyh z_%xVzy?XFX_v}F)J0gL4ZGDILqqsB09C7?VfX!Y@(Rm9!P!uX>i-Z11_8#}MgJhCdFFwu0nr{`I)@CT=4nh&+AMit)y z`oe$Djf}TRF5_+6onAEbm_qg;9i`)fNUCp3pv)FoSb}^#L8__9 zM|~8*X2%wQn}Pq=FTjKa-HO&PmSVfQZN~)pF_zWKBX&O&otU0WaOHndKoroJf9jaW z5X{Vhh>}`f&-{^}GM0Av$ZbB3W~Ee~ObBt>Rn$6!UL4J5d`^y#>?t9|R}DgnGjBM) z(2wB}^kvRT%+S6f9Se_vE@yuEJ9W9f#WYGKmqR)&tB`p+5+HM8wS-3y|6D``80NH+Zx(6YRAVUI zTNI>Y10aEHredEH_qZ`XQ|L*V_&@@BMmSyvg|7{#J30+-9Dt|*-)C^XzHqkBec|{b z7P2D6&<}h=@@;%fDx|J5FC`;t`K$jAeCE%TY6UoHtV-@E)&S@V+^H{sPbGQ&G;zy8 znofKQb-1GcxmW?yXhr=o!&PwGy8=J&p^ZwK>-_0g;usX(+tTf;Ry907w9{*qHspKl z1D0e@7h2c9V?%VMO!C#m<*+aF69Q%o9g1-&) zA0db*il-|*zZ+JHe;zjmI!}g}68>DmhdNz6V(TfoCtWYa$;3$z<`=l_mPte$`T1qN z5yc;xa(s_L?hkQdMb{4;@cXb#Qq3nUR^WYPN_iIU>yi^F#UVI`1`KU7`sdrIctEeP&jVq;axNKiS-&j7!bJN` z#2^b2S^tJ%Rz6B_U(Q4}4bt;791a}0k6(`^M%Y9V>qF?zdjesA_yHowgS1KJS>!Vc zQDgSO?sNsMzVacSXHs18Un!!A$x;zMy|WV#tA5QNxc9Iy1aS~BUv=Wb!mIl~Kp%4S zjZJ{F9I7FLkONk@1D=eU(7;nsL55!wpCK@CNS)aqb5)whj``owHP!5T<>CN<9u^Je z#vrmZ+!#b6dHl+V^S=Es<=XZN4l>_6d1Ym{s07z_Oh`_qNfpqfNq~#*B4P7+VO+77 z{3BXV@spO`Ny2mmlpBQnFFmCu8Pe&4re8`!n%6!QEu8$ssTt9=Roj-1O<1&KEfOh{ zPXE%SkM%~&Z&HSkLII~^veY-FK)Jij#7{bZFc+Is40MO;PCs74h>0VYJ35A*;#Q%; zM^&@1NLuRKcV0}-&RBeW;qJQ!-R2qj@}Odek%r@pDk|iAZb;7)@t&i7?Dj8D)nPrT zWrkGamk@oh>@oIpDJmOtkvv#Ib%7-MMoVq{QfbCkHq8BLWLf^w55RwvYB0g0vxG&P{&nOioGg)N*6ZOm9CuR}i$}(LP4n zutz;!vvTuD^LAI2{nmldMD}vCNGqB6M+wTfdcZ{zE96`Hazi(?YAC{EOu*;PAdt3# zn|+}gV_!X+uHcZB&_-=w{OyYZvq+gdSr*Nvx&`(xQou>W${stm*feoN=_NrH%$$ui z!3O3AoQ{Z9!~!YM9#uo=!)sq}3U_@)sks3k2)@}%12;Z%)8cNc(EnWK%eC ze;UjnNFy(xV1k{mJe!T!6pQYL2QGWp`(Y6TL}Y99*I7m`Of&v2i6bo*j|(>%>5*Py z5iw0<(HyT#e;lh`me3kLM#8u=7p#0*JX;p_@Lo4#x%uGec@oZ9CW?Lq=lUa^fPexY zN=ki~@tfNDp7st`wf?rZrVxJ!rTfjJSCrWLjiCLwP6qsJbfBdX9^I=opx=5Qpnh(P zT*x-vr0MP>6`!R?@~y%%MsW*J#di!NuucKW_D-pzfUI*MrJoX#eT65c_}Pd_h|Hk% zD)bc(B{2fbLt6sv4==zflvD8jUF^l(egu7eAEW_aZFq=Ond9kFOX&a1Lty#f82hA` zm7qe@Yc9A@pif=jSaCwp4FRDQwtNTBVNMT!HZ6+kdN!c_5=_|$M z{q?45N{+WyZatLTjex^}4c8n{TL?5V+C!*n&Iqwu7eK}h_ znY+C{+yXG$BA>+Duo_oe0~Z^L(+HC53%`ri0;?1Yt%|F#3_6~z?ysqkI-Agn?V9OU{RpTqR-d5PRNVVdCL^tTiROoJQ(I(PxZ>}P5v#n&d8U~ zPZI#VyK|C(m-FZ<9%iAns=A?}nu)i)HtnTKp%P!Ip3p~lE)?K?o@|LN`k}6D#lX$} zl7*Rt9hCU0c2oQ3f&)U$x%%dBuS>#;mZ^REvnB(l)V~KB!rn>mQJI|Gj&Ru3TSGysRlT z0&wT&61E8b9iEr78YwQT^#E8L+RyQv0Q#?6FLiu9-8o2?#KDDgw#K248{8kJJ~vAUUDL#VKbgqzVG zX+wT$xP6a~%cbmI;|K6-Zg#eSkNQ)ysH261MBpkKK7QO; zPp~VRkL%tKaztI-X%=P!^zo|-mAO1k<=>Vh9;CeOSC^i(3NwQ!5cUAu5Bh>%I~J{w zLnTS!G{zYQ`Xt9q*?=Rm)LhT+3~;H<>$vZAZuD@M7u<}NoH9Q-jGC|SwfxYoTcbK- zQ&g}LCt3~#=nz0;Ip(>8^oag3w*Zc)A|>x;CoRGPiJ*v#iy>9aDRnqLMh&HG6CE%$ zx7_Bbzg*bB3nqdP*ScQEW54+&15(RWElk=0mpzDq*{v;+5RtnQWv@9Dy*(8K&Ju-z zIVQ;vFJ-{Rl_+4Y^ZLn>U3I?0T6gi)L7G`y$Y(i4YwcGMP!4dP@w=NuM(K+!-*Agq z&BGRM_8)olFkZ90UlxnHo@JRzJT7V85pi%Ceq-A+xGtRCmeaDq>t1xz51!Y$Z9WYw#4Rd3tZsaYubU;qY^!v9D@Tz2sdIc&>P^Za$o(j#j*$TvA!n0Iz=@hQBoUp*>W;l|MIgOFmC zlYaCUrG|ggTgF+X`@iM)Ls-rxbYne=$fOuhQDJa)4i*AjDo2#l{PLrm{iSC z_K!C3W;i^qCaydBVfjnNQ6X@PBx~~x?pnt0$C+-Arq|CD*I#92GPwJu1J~g^kJSZr zgDWK^^U2MQX&WmV+8nJ>C^_mZV~-U&P^?`}t8#XBh-bmB$_RQ6T*r19 zRkmijE~ibbWym{uvA7TT)olnNz{@{6*=nby*U@#T^6^|RUFw;h!kCJ>Z!z(!{AwDe z>oLdha{J@(YtNHime-&1kYRt<#GB1x{wkoLpg?=c3FnBoi_&K7O>S-+T*@DeOJmUl zh4R3Vw?efXIP&Jhy|3lTkq}4`}-5)cv#o;SE0|G{bo=S73iXQ?USseU?KM# zS>t{x*R;9>WpO~NTxR>jX?6U)MCo_WJ*y=5tC8ED8&W-Nxp3fg- zR}idKg$N(Ij{CvnM}x_sfFV}+LBF>9@0M<&8PvqLV*MY6D(9BbdCp(&5)8#XYN@8q zGLq7&G#n2nII=H$RchAgHd<)f^Ktn|XJS`Mtp9A{*&g1c+hMYTttZrNWjtyw>A}}3 zlSskTE7Lvk9O3a&ZzJ~s)UjF8hM%f$6@GhDi7+st z+i(&hdrxy`k;Xnp3VwTJZ?F1;BQ_TCjZ)~A9Cn-}BV*JDVjT&9`mAlnuMlWK=`f)F#$4#5@7!A)X>gX?WTMPnf#XxSD?k8qag2b zqQiTK`stV&&fG7u{x(7eJqZ?mvUAYVqLXidoZ-98i+6;PPLe6Qy1=2+)J3h*p1FA!rW>|9zeI!`m?&)Xm0AMB;xs#`SY zBye}xF_RBMIf~uOpVBbotc}&;B&lMbV*-|}9+Bf19$7uCOc4x$ zg+cKe(2i4-E=ebT4SDLaw=oD*w#Irb_bloM^?zNg8eJ0*lM z^x^NnbVK^&XCR;R1O^52t-`!sPL@tk`TmQ>tn{CXS2}FJ_`P7gc;}yriqk$^xc|mW zM$9_rDFY|OYpxt#G)^(>$KPhrIN>lHLI}Sl!IJE|FxC6kv+v0Yh`u2Y?*D;6+;{m} zZ;WbIJxY1Hus``U>yi(TjII7eSB1&;!y)X1yWg!b9mzcr5+I*bd;5}{j=d^dxYJD> zCm57#+gSauqcY&vrn@-%cdkR+yJ1jLv$waSFOB2445|E2*jK4UT!gzP2C_%z>Q9W#Mn@7Yv7Q$&P$lk9K`Yx^wj5RKo#>kjg_I=4^Ghy{Zv7$MOH&w^KhwWYGHz%bvYY#^@ zwe}8oFces_n6zW#BM${m|I=SbBo8^s(=ahVv#Os>jEoIYq=o#bHAm>5tHgC#(q0eq zU1Kdi3=~t*DDm^Gt86Xp{Q4cg4NIO?s6|hxIjx7u?dipVv%Z^+iSqG`;p#GzW>LN( zO*>%1x!*|PI8A6?zE&ocRXCOum+X7VJWMduu+*4r{^k1NJ9hX`Y4t6yfX$clAYi6 zL}zZq=+R$3p(Ivbu&@WUELL*QoNP_YhYskCH(1|J?H~+{l-QWl_ru`1d(@JgyJfJ#mO#m$yMJ`sYyvlTM^Otd6P;jo)_jpQT~m zPTG8pgPycs8`Yp_Sy`7RvlPc>C0rM@;3{!Lt$)v!)ubj(zl?uTnjlGaY2M;p>+|a% zKuf9Erb>53r)kwt#FiS>Y-Tn#(Ek*q3(nhMh2@26XInN9V;(Fc}>1L4TSYY$(JPib?`c)M<>UPJo||k zoe+I;GZL8W-DgfO*(Vk1Vvp3>$K-;Spl_)A&eT9ec(=b?+v0=}B_R+Csjad}D`|&8 z<7I)$L>nU&Z*-t`J7t!^vLxXgv}LM1xuzxin=}Y~qurPiwmUu<5jlps+MDg_8%^;x zGW|4wHOwL}THamy2|DJ=eKv6?p9*D*EJiH(bvT`8uM%ZKk_IVObeZ|CsfFQax)3W) zu&{xFCQ8RdPg^Jd>90^xVMRsy+FOb=EiWBp{K~)b1FbrH6rV?nfjuE9No7H?AQlOI zkIAf0?x$v&i|$%Mu7lEVJfXh@D}R{z0^HN8z+8bTZ|}zSV%VMznv{Y;KU1;&sfx z8ngFP_JlFeA7`Uw$wUb{RoB8=q4Sdyu(;3NkhJSVR;(t&!W>Ae z#!`InRnM?QEwlY%W5pju?wBM;Pq*=hv0BI1sW*lW^@Uls=dgKnYJT!LS$Wq-Z|tPC zQ*(-LwjT+o<3BKr%0%8wuC!XaDhsF};k6uV4H#JZrR#^P;)Y58&zo|I5ez!xt0vdLMur2WF+4bLhlP(BoHCf9b@CTy);wc;%3 z4+|x@bmzV#U}L*cv9HhUQX#ZC@$q;BUlVR_W0iPQCaU8Gf*w0oYD(v2@>a?(`VNnc z5V6`sXcko3o;Kwu;1csXxm+x3V=i&DM829<7YaC1TH2qds|NkpoTe+Y=anjS!F0Y@ zQ^BLiftwYRA0HiqG?3Czyt2n5E}o-tqwdG5IyAiEX$CFlSYE`26>=xfUE3I{(wjlq z(I7LrpJOm#6-&C7*qA9U2g6CO4F9imOljsVnoSG6HXWpD6+u9z?oy%^G9e(9rBOt$c zzqsum3d^Kft*ol}BM)%5o%wIidg>Q@r{4J6KaXIz>!IK9dSh;O0~M4Qu{%62YIIR$ zX4^}fXNIv{P6fd-#Vgqyz6{!|Nf#9)j6t;H82%XXjV?++dOT@Nx4lgl6Fm@7 zxtuxql2o{{;-xR)*ATZIqZ~eMDdwp{QTJ7ND?0VHYMLV)875CER zq*pwt2Ia%}XoFM&4&QBcE^ra1cqYzRHh!?TKTet%XL+8&<7qH3*OEG*?NnKFv^iC! zlcG}Bo;ziA8RkCYup1sOGt4oVr>8qyZXV2@pD>VA@m)OX;p2vsHnW@MjS}ZWPm76y zmEH}^^%N~dpNnJFdOP$I{i{|rqkb)3d)-16EshNNDu?Uw$FT*}RFs#O=OK7JrSE-J zq*9QAKdBUGdoHc=fTdKCP@adoD<{_!D+x9hPX3uYG&I3+g+;9-^M*B3<^?MoSsKqJ z>fSV7tb%lCVU~<44i!0Mh zD0jGI2(m`G3A^pI6LGkx@O+=f=fuw^*R>mb4CmM9!B&orv3qL+M@LplEA5#L4zpFa zlijms!{3J*7_WuK-n>bb{V`v;Ga1CXVH{^+(XZF>#C*OyLy~H1*j&~|!o*rUCpZ{3 zplzz&JXDo}n9tf_rkugB?`x-`0Rg)Ox9yDt*eU(tv1mB{Y~w%xSMyW}uKQu%`cQ+#=VShS^V}#=|^XOd_rzh&i-rP z$&5Xr-b+pK=>z*Rfx78wjRc+A{oe~YrWGW$fnhT4c(HDmi@^&~6O8k2+xkY#*+$$= z2&wGr}MBx2U(q;IWTXJv|EIPx5_4%jyiGAnVafWzk{o%XGz^;Mh z0L(}+3Su_H&GMbgV>|o&e1>wf8E)Mp4qaG=DrKRO;z# zv*yr*Q}qgy_C@On%QM&ZZI#IQ@87?;o{}JwaQPLsvli+(oX(|3rq|PABL&gW(OH1o zTVvF;FRf5gP)T92w-8yq?RcSGy&b;Nkguemus2;Lq^UVv2_kj*oCJlZU#Xih#slV-s7#URFuj)`e9J6rlZA5);JpsKpOwPb(23Vr{KD!{*i4g*X6G{Eh5q<#*-(bIgdT+=knEGx?gW6y>@ew zJv*Fv>v?_?n(uLLA03m~-j!ZcepR+PyK$XK)efYQI%BL#!(!u2orl^14|uZ9L1%mq9aeVkcG zN6&)9yJj4>_a;-1Q(-k!3N?#8_g3Xotwv&!gzYwa{lGItA;7mg8a%11VQ18S@s=uz zgv%p7P&%dV>`a{IaLBtZ!Dt{6i-@R#=`7nshXFR8aJJ!ivgRn3bdcImi#?S1t*pxLAp3>{})Ez#C8)fpy+>?apq?sz)nskH;rfd7A zz2`VRD+h053#_YVeJ?96M)TeZYq00PuJqg@Xvv|-`fd&_pBNdr9g!Jy zzlnlH2oHE8>^x?lXV@Zfyfx##l8an(N*K@S(Hfa<)ZI-X6mXo?J@d8Gk9@yR!!c+* zz|Ynn8JRpSA_7;~Znt@CgBABhUQW(F2_F(=T1R*ay4<|B*4LF5e-KcU&AT~L!g^S) zGSL6rL+5neI?zPNe7f|V_R9lHtMl%@@qE~?$__Wk?x#eY_?QWUyT?duYKO+_w&c^b z&bTFp(iXhvJZ^-)7T)#HZ_E}UAEv1(+?q~UcC=ERoxAWMJE!KPGJn&NSxx_T!{d2j zkgKUi!TkL5bgjKk1y-f4TF4m@a#6@`5+paoVd04 zF@gL_dZNkc#)x@G|1}UrP+T`v6`2a73hC&ADe`ao2N}WANmZQI2Z;#bDPd1}y#kRQ z2M2bJwyKJrj(tdn^>JZV5XQy9MUO0ZpiGaziN?Z=*&K zhsR0Dp%X!-#-RIiW<>KZ^z(Fa(9CX zQADM*q{v*yBn^8j@o<@RESL98^~}|%Fh=;OTM8tstskKq#{_4ae8@J^j}gx(tdC5t z56e|Z&dkg-IS(^8l}@U6+Sm+z99y`D$~&I%_VU=1QE30(Ep&ljoegPRE664F^YzUy zNZyU29{8F{{#||p>WW&WS>RY#J!UB;Y_e%0OhJzwqr<8D0S%qu+CmNd&pt&O}Do=h78ES7tGPR$`0g2G+2#-KY+EmirP=3}sXa4Jloi8owG80gGKYkkjhbixBI zpdQiGImR19%=^jq(6L-1bXsOEgIn)(loR%?8&#LvaV}ik09GSLrFh=E@dI(+2fo6E zw@7YJ2xj*N$`S&eB#biu>>D$!0Erhq)S%pEgd=mHR^gw zC`8>^9x@<#kR0pgWai?409@|Qq@50d2Tv(en&>t>T$7OC{4%-5 z>NsKJ5DL{iK_H3jS!oG4DZCLYWqXNxUD-U@`TMeJM9s`W#4s!e)NOi5RdjE32|h-F zoYnTlGg}|D%Iyb<^IczE2LJ9vZ}IiGv9^$6Up{os^StaD?6lguX_2gX)E<(v6qGHs zwaTs>a~m(Vr>%t?`XnrgGvRAu^P-i5nZ``HedCE1f}v*(CnMR$M9P{Yl9`b3s(tUt z-gytS&!DfG;jM?-#=^VHwN0HTp-;YspX^Sr@2(ba6cTwBK+R0`%3LpBjXfzYE6_^7 z$@93(sZ>1MnI)O{F*95lIbYszdo`i`+I$9%{?a}*lmF-YrSb;$J;ImYDonPOc-)~R zxP6gdqNU<5pub3B2NJoOI)C3rF@_Q{{}if;k&|OiDBs4oE=ht<=(}<4NlAJzqgm;6 z9Gj7+FMke%Mz!OX>UHGPr<;3||$w6=C-WfS>opXBeyTndV^)GISsezrg0 zhTC!y9TrlKB7XE2A>saV!&`Hd@0l416U=$%fdoowKb@w+k}glTRp)D+^;|lJ{cVwdlISEQH!^)j9G-iczuW)Np#OnM|Bf5|10wn#nDmdve;j`_1Cn1q;P83$^p z*yuP0=S)JZ&aKCXka&DcGufH5Qx?*&4E% z62ko_tEfVH>Sr}2YCo2b2!j-NKbR_eMAiCy4%znchQ@DfeZY`Ad}!hFDxNY!m#VR8 z@#pj1KY$qovi=;^O0)jbr%l&De~lw&??--)w6KT$PD{Fiw5G>*GFjWAyuWqo4%>?u<)9sg7SwYwTg-kH- zChz?!W$JOP@09-ExrSJh9bxkI2`Y77BhK9Un~b2Gsa`?ux0vL`WiN9oJ)9&Z-pl0# zL@6~$hpM%HdfTrblXvJ0dZ{<1dOA;=0%bh&*=6bQ#28i(<;uwi;@Cv&l+VBmy`3*P zFE&3Zt3nsGwv5Yaxq{R-^80MNmV7lovYx%9H$!=CjC8#Dm5RN!_CHyG zryfj$(vp{p)?Aj~Ex+X%yf?AhA1@j0t@TM8CO{=8ZU~$h$9R#_y@E8RjYZ;=tp4}+ ze;ddM?ygs;2oifM1RWS@8s45a(lQ^*-aXey)$lC@=rMJ|tA2;VRaII#baUi-!IjLQ z44Y74Fxg%3i3gsvG%Z^_ zSsAgk{P7BMwoMyN5gVmh@I@kMz$hmt6?E3<6Nv2P*n>MMn}XqNX14K}@>8#5AN*sh zk_Y@cx^N1#QAKbMa;;hA6dyyf@nk_{tvYFM+5}V5jph&%BKt@p};V<&=ydOTjm*|rJ<*zq0!fl{erY&<9xg|p-*)7 z84Cyd876N{@zs2C*{{#?MU_vCP9FPv!jbsM=k)eH2R<;5UHd%(9XJzsTr~(#xq;c0 zLGw4+Ib@vmwhRF+=bYTpUHTfJx~=ox&~?_pv0W)F{$*d{i`m)U@8h?JWxH%X&V5TZ zJeo<>rH?;g4xZUIFv+>ok{7dZn6B!0_D0mx<7~n1>~BXWv}E;OZk@Kd*TCoE@Vevh z>J8bfmX*gC@;JtR(@uJ=Nth>|)$x$q%gT7NNX!sy^3n95rH8U z8X%4Hsg)px$;Q6;646z&)T}Q)-!*(sbEYtCA7R%2RYAKEXGy<3o;r54-!ey+)KjsGOvvH7GrWgzyql(e zb~^X01||8Ob^<NogcsN$Ktq zkS>X#2UMg5L~`ivZiZ6n&Y?pj1{fNKhB@2!`+nz~b=G0YAF|fW^XzBu=ic{yUH5fu z*7|#2lhF$T*=?!Z7tq#s=jQLG^$qMVSCF>+;NV#rK|gm*`(K<(D(SCE#QV0pD^Ghi z2b=Ku578IsOLAIMkG-p?-*dG7{`<%04W`!t-fo)gDMFZpj@4sx;i*^?*R3m)v_M%x z!b;u9x=AGpPXdCigXNoazh_PcVG8nrkvE^Pz1{WOe3zRLEhN|COrejC(ak8hA~lbc ztN|*(@8Ie)oh;^u={3Ck#)~72Df2EM{>_)7HJ)?QIf;9EudQDb)Pz5%_P1U-rLAvs z^}D)mVqi@diLzd($pi#|&t7yScGucE$%HrCvsLN$j((q#V_Kp=-Lz)sUq+@muTFFh zi~b-yq^qhZ=xA%ruMbAWAPJXlYFtLE_-M~xg~=;O8cP)w7a~qw$O?)b=E>)6ew-l* z)%a$#WetjLu+u+w`Rz60`wAvFEw&xKda)|KdXt?mKEhGAC%!dOAqnu1qdGrP0?dW+ zBq?OE?ZS*>XnVd{Ks#POSCVPisM&YtC}d;(rZrb$G%poL_+EqtwIm(^dgaK?!*OF} zW~7^kciY1F&GVz#q1h_!C&N8`54;F%tjzV6`bAj<{AZHbjqa(ial9<;tvlh5zd^V7 ziY(ZzJ*C>QPb{At=^h_PG+rpx?TQhTB=7IUj_!yZC8CiQN4t{X31SvKYBDN9#0EGy z@bQFG;GWme8^Tp2nd6*48yLvC5l%m6RHTA0>A_({T=vS7_H46-lx=GJ(z1EDfcbLO zYw??#nbd^Smz{gsr`p8S2~P>BktR#knNe1b#y5RP!f@X^~m5PH$gU#t4)FO?3mp5B> zX#)7@m1G_-;v=)U8*@kHlYY{n6134klHjj}nNJ~pSJ3vN2w_KYPl{>yOq=7{_B)^5 zA11YsN8{ZD7Ll2ZW<)UnH>lT;fx3&=`L`N(bp(qHIR@OC%$ z%Up$U7I|FCemLH?DAe5AT)$e?^K>)JifK_oqwH+&Cnn!1)SRv9|DF1?+doY>ZWsx5 zXWCehKM@gCv5V)(4)Hx^bw7h0Hrr^-d<4%&Wv9&_A@ zlI~>C$zM4K`iRqHB-r#O)8~zaa?+`W^w1vG~|JDz$Omq34Bg+X+-wY0330cIyYr;24Fv zj>h=t;ej+O;5 z&7sLHG};_aGh>LpkKdqQ`J%iYtNE%wBwRz1Dc?ATT7}b~_0cKZ^@ru-1uIyH^7q5^ zSwV_dlcVAlN_)}$Q;sALrAej=S;9Gt+QzH8U)iPegH7UQer|mvpO>@?rXX#V^A|w>mSe!*E zRr7v#!omM$zDh2@HcX{ck|FE&3Q~xG$_b1T`Dq1)y9ahc@I{Jp{^Ue^v`>kr{n@Gy zx7ys#aqg|HuJ^yM%Jp|Vu$!8i%~yJdsZ{K8oG09-eVWtvzOtc2tDKNNZzwpb%{QTl-%*Mgh0dPyi~5X>yo zR*E<-haGjXGpsDGjI?Iw&0W;lEkb&7DLwl4j=@XB?(?X+WD2gA@RQQxPH|a1V=9h} zR44kWkj0M%J%Ti`Q-VkO*Hat_ZH;vfn?=Z5H0I4;)a1;5TiiRoeffB6zRYO~-^_U? z^k_o zsIZ;aX13n$L%;NhuAwa;E^zN5wGdyW>%o#}19u zWtA_D8Dj<$Ul}sSDBU>rcG`I){!q%*)4vY&Ay2OG-I+|+aoFO0*ZkJ7&hz929m`7+ z_eT^7iQik_b)A91-n5+d%%|(<9OdS5>cU-CBJ0>G{Dr;Td|l*0AXp)a3AH}W)L0t0 z)H7r}w;Xt9P9MA;z=p}2+@#bWvN`gBZ02qjVZFjN`nKbb@%_g3YcM(R12P}YV7d6H| z(HO%|gI7Q?m8Ne*x8OoMuYGN2X4$2PN2Z4-XFrF4{_xpSNmjbPLC%mcrN;?zglbxW zx$6iW>FCjeKrmySbR`M(jScj)l*twVaG``BJ+0Iwq&}; z_hp84J+J0TOgK*qroSi%>^>fCEUwQsBia@BBBeO_9-^Gm*0=WI>m#(kK^qjLH|$Bg zy4)VNYI1VvYU42)Jn%Xv!i2=b?)8NMXBr_0*Q%Ek$}-{x&8wv``8g_`k`MYxA~S`{ z6dXZE%Lo0r979&5qLiuHvvvs5HUoEBMmqmJIN!^D31>Y`dkH^NH9m_*^W=3?PV>4Q z;XeB+o9<5=4ILZ~*eo>dX#q?+nA-4j^E3iimm?D?nW*I22G=H1QK7n4=e>iCP27-z z%yP08nvjn1!Nw#>B}F-5=w?@e4eqg9tpgh>!)@H>IP#I0-%xw!Xj7S8RHOqKW?mR) z2jdHZWRa<^v8z*BOCHP&=FF=M7OIxZkef8FKh>G}$-{{55bd%znHiUvX?*T~M}pNqeDVx9gSQ5=NT^81V&9q z`|}8c$#_T!JIePe`AdY&pTmiRwKjs<TDb_Y$i<*@T4V~pdKfOgLiql zP@9|D8uVJ}uSuLa*M9Jb-1B(` zR#?mG>bk5{Cxn`tt2|?5;onh^hNHVpn&bl|=)zPK7hTV4g2UT`X*j-&NC!s0HK>d_7e(!tmbX$F0bEp>@0Z+A+R6&F;^{3z{i)? z+PWKP=V2@*gQ@d$PdH%@eajM4HeW&iVmmiHfSqtgKWR_*k~O^Zun;v1qD51bgn@t) zum43u3|SdSUC+n62|=3#2OA4N|3vv#0X~(mhN`Zc?Xb6HM<00qhJF)?`w5?G)%Guo zhR`ejxrFCW;1pSnHUy4JNsN~AXTu?y?~!XK`-Ka*p| zGV`uRm0|TA6Vv-Wb>avFq6>ewdUp@ncsEeW?efjrT)i!wVe^iO^EIaXuLO9`uY+F~ z34a$RkXU`_WqqbVKql+pz)trhObX;>2IXbNuuy=!2z#JU5Ob%Y1!J6AhU##hGpQ($ zOcS7nA8nHHy00I&>f}dI!Xd-Y=_RkneFR=%_W15@2?wZXUfgXns5%4%7;FmK3%Ul2w|NB=x+yK>%hwl223(Yl_{29MC?6b>&_mRd!wz*1vaV|x42 zJBq4$`sNksqUCecp`xjfe$t*Cbv!)0Skx(*?{-OA8EA)BI`=g`l4)h)G{o%SWab6k zBNTn)HCm)6$w=CW`u*Tj5IiEzi*M@5k*q*-PF%TqdA=zeUN@`prfYS{KT{UM57d@_9o=@c1frE zCTCs7hknb^XxW5^=rt%`gQj}Tig~wE$FZC-Cqw9OJknhTUl@EF5HBf2OTqHwJr$RFZsJ+ zDqWYLJV_yGBDfmN#7B7%5ci5W)>tA-%)9p)!^oo|mX}(olXdJ#v9VzwsLy7bCx<1V zQiD|_+l`BcT&iWzv?5+<-{WnrhZ{)72Xaj6|5+FGzcxSG!BI&*pUStzDbiecF|B7n zGYtfgE;0MzQ0UYWGgW?nsTlt0pw4Gn#xqKA6r}n;0OZTf45^lpm&sS>4mZ`F&S+gyI4ti z-1s|64}R|#ex(4*drKF?8hac`=>5Hyg!?riVesIS{YHEKvRux|&?6mbx`XO{=DcXH zLRC-HP0Z@VBUapMp}a2qI&Df1s&DcZ0=r^=J_ttmwuCbCvV9M+WH+w#>@0phSj)=? z3PYY-_$mTS>r-m$UA#QP`G1t}-iCNs1tX)mw5YXu!r$`owc3hBUZCfPjT^~nNRV6B zvQiP(&05$2!9mi5YUlaHbn^0Y{wwK@|CqPYTB;_p|Zmpn_FL>j=0{`RC3Z~uemfvn&+R8`R(M|l)wgWk#EU)ct{ zCmK3B^mO3*TeJ>Ze`AiM#xrK|@`xZfd<#M(zDI56&yZEcE!Usceh~#Dgq(g&iyT@R zso0Az>Fe!Beh}n_DeA~3hZLQub4j^v53GUZTy#R2{4Gb7*;uNp#(L}@w4Ka&5W4u` zhevx$*+#{Tvq?$DyF&x562FX}L_4+U1mItIH}W8Bih{GgkwtH9*$!M&5o%q0)K?;P z0D#t#fc+kqTUZiB8`$jo$%c6OdH)&pqYdq~@t_HMJo-J3GGs%~Qxi-Kzz}X0utS+M zqL(r?$g~~ifhr>LTZ#~5`yE};mcE&>!2}l{_k>knYfP$=jQegIKSM!L#YDwL5%0`J z+OE_w-Jw>~0eEd*N7n<6=(-L%#$5%HRgetr8%s$k+ zv$WzRH34vg;=%(AT2V`DQlHmmpG^erMQ_504ORvLS#VR7WHE-?XXZ0`JgFt*YlMhl zYT_u4Z6%uu&FgoQe@Jj5(-npXzQ4^OlDVUm^y`GLO;hNeY|B(MKBos#m_X9y2$yXu zaq5)il#KL%L>%5nl}R!TPSJ~FTbtRwujPYmh%ONlFRNa zQ;Q(l;J20B*tJJqU;Eqv=Xw{x{GnQcBx3JAnrm!V^K2gM)$ROT-B5?Qea;q89@crw zq7m|~_n<|qWG{(5$HBPU6#(Hulj!i&j zYr7H|4^UaS5aDQlqNkRtA;6V(->XPncne7pQ>XXL$G$3M#n29VL2CwdLX_TWGZQOv z+@%%IFV0@b)EY0UiVd0MxV|w_$x5PFnpxxrN@99eiuik;a9gJy&*<*w1Rb}m$&Q` zs?*o~+IiRBg;{mlZK6Aei;DE$$)J7Az4!uigAh8oP2*Ej5J;6Upj{j0rS+ZSQDVWg}ZrgpMhWF?xrx3|29bmsir!Sc#&UXkxS~ zDyr(TtTv*uH~&KfdlcKhrsf<9Fh&GH*Gx(D9_7zKeYXApZx21VW&doc4`>8Oc{ONa zYUJW-*e%)&v@6+I(R9_Hq2ec$TRZIIcqL317N&BHK6#e4UoZ^N zd7qMlkLAo~*ykcnZ2aJzoz3;lUEhaniVl)~>4m1o=b}crf;TVAc7wJ` zw-)PJI@w737dk(M{L20#vXD|-6kRl&BJcDvmD-_v33|r8uEl5Uw_RbP?Ih%}HVK0! zQ=EGT%60-2u%W1A{lF8%D|P@FENiTjCB%aL84K*sQ9q*@SqfR;qtg|U+3|~Qc^?=> zpDTU&q~0p@T|dIHAmjyisN$#X>%*KJi+MQaZv;RF2+%IvAV+un*QFNu`FY=6%#|;- zVh$sk*eL|g-1`c=#=D9bZE*Kb`FOaJ8a+EJc@hXxMV2ZgF@RQJy(#Vd79L|H;j*Q| zDv;9X8xYc(E(Q>3uRk8*N&pW6h&Es(pnp=*-@D9An_h<$cue8@iaAZkdV$D$31WLY z6Q>($q-ZQ%-N)Uw->fo7In8HzHkHrdR7haA=7UXKb?&S_P!P`E47Gm)ZRwiTJ2U+P z$q@49_lUf#KkDmK_wevO0X8R}|JL8Hv{?%R(s}%35gnz7r6vVox}v=`WhvK$5+U!4 zF%T|WzbZY;lJ|c}J)N)MtKRozMjYI>IoJtSEZISAl=kYk9L`x!^;5D8rOpRK-j$Tn`Yh>^x|CVoK2vvdtMsQVN`s;W*~? zt|z<)Fk@h82#Rreb;8>W&{S#ZCLt6VTViHb>|2SJK@0DS0{eq8yEM}m7pcLUu$kw> z^k8&(xrJO#7t?$BQMB`y2!gK&Lj{BuZlt?Z%{x#HHxVEz{@vC4x=6wSE(_2XfUUZM zIlY!qp%sN@7UimIb>{!cJVBA3G4pOWrTew{uI$#Fx54>#Tn_)>F)mt}TeO1R`raZ0 z5ARr?&!K0{B`3bq8(%8R6?i|O4Jd$==I8lZ*{J+sxF zym!2t68l}uW$QFp#rP?|m!rPSWX7V=;)#4gXH`jA8NZ`-8vs!Tw&x$v7x~6Fd_cSJ zAGi)Ifw>Ux$jnmq6v*c^V#*TtOY0`C&z{3HyLy+~-X9Ki^`py@qrc}X4!r{T!Pc(uKjjJcqGO*I5K$nY?QNymlD^!XQ>TAvqp7(b~UQ5N}^`q-(5 zF+7=R&9*wB7Cjp8!)q&DD$DC~n*Gs~L{Yd7)41u1>R-cuDsZ{iB0K3YC$QO+u1Onr zUwQ!R9Arqz{FtdNS4&R}jW=9qYEP`DzVeYh;?cjUIfoUamZ5ca=21jU6l20tM~`or zLAy*)x&FIZo2|q`yNOqX8Juvdurq8afv0AniU(y-d&|7Dy*6ANJeF;QLUfvO z_)A(5XX8T66ZWa`WB``#j`0g|9LQNe9ml@9SO{(_y=;t}K=sUdJOSSZ$*W38td&~30kDhsHa zBn_@Bvz#@!Kpagsy4w`0^7>8w8Ehgr-J@x6?#${lZ}me150{tEU)Ew0$;C@_r?NFD zEqx=31`=PTbedgPU6k9_QPWJA&yTcH*6lfsLN`9GAT3oWdasV*7Ko@8c+FhJ^$+ld zzqP1pp^W$Ofpg(eUqVnHkfuEao4DLnu3ZE>I*3Ikd;S3wHe1hJl}S)LRPo;xOwOG(PK{jHBkn5|q# z;|b7FRPq4&0p}X5lUW1_HwnXR@r^> zZ+u+j^luOrPMNMPyZTt=v|o&@^jWC-{(THY_tN=_77wJmxaKtA2v*na+uS!#qa@n( zPibBwyO)IP@t(e}&^gDec5wlhd>9rs&f^M@%rFJ%LL1nFUK@$ZM6sjI)ZBWngM!m&@a$Jfvce9vJZYjBWgcE}obb zEL4g3>H1?sjd+N%jZaUGquJE6onGW{wcw>7w=WFG32FmI3NTPv~) zyr1*mrb-`1O=dF0*|q8b(N888zl)XhK&WsCz>{s`$0v325F1`1H>j^$uSL` zJNNIlb41p4dz97k3KZwb6nU-3wjInh_+}bDPj9q7A1>yH3VX#CNiG2gM*C9s{2@$k zf5rol%@zx-YsxEVtR#;HgjoODf2PQHeJ@^J?@|RCLu(?(CQwwspCB;ZmD+A8O@cJ( z@#G5}mg@FKnM;)3osCIpK}@IEsFZ6x3MoN5TxYhmy=8k&_eltI9rGltPtd+DiGo0f zq-A_$@>f+ojfZ66i%=>3b`fNS9);~Zf!bY>|ELN#4xR;SvP8)DJ*N}*KzS(VXDk#8 zn=jDIZea61ASp9qZShYxp5mEBO;)0ObKd;+H?FlAoD?M#P}xGE*4N1HxzTRDvxE2| zF;?TuEF5Y*YXfJ~d-Qyw8lXzHxvhVoJn@gpX$0*NYg}ARadvL*&9KRyUBQ?GXqM5J zscVEepFe*U@|Gozl$b<^YArKIlR2jM*bQP^)eUxwuxyq|vv^Wck_13ETBVh5DagGT zo4@)DkchZ4C$;XJqBL2I_fsnT{4pMb!jySmQKOwL6%Q@F*!bw&{Or=q=LKxU&#YRV zI?479O-u|f#mh)Ta_XJJ-FG!D+iYon65M~Rn0(?~1Q1u66Dt0-AM0^D2Kq`P%KRtb3m~k~$i*rCkg38nQmAOPNeUa+U;D@X7 zVErb@FD7-K9-=2wsHuK)V|4#Ja*8ec#jDZXLZN#RF?~5?pX)1TwgH>xa2c5-3>ir2 z&0fsUQLSCc<{>DcMb1J0V&*rLt;0$ZgH8oSg+5Ew#5!8^En4fbm^P=3e1n57PEj6% zjIMGyj@oT5HZF$i&It1)T1(HvBu!j|2o+&;buD33cX8=wNzBeus!&V{Pp4M*zOl?D?qV)zuHp4w3$yz}?fJ`{3=#^iF{anT z0VJ~4h?vW>=r3yU>Nf`y(w;S6-=q(?nO66B?%lx zM5?fngehWP*GW4J=4%aRn32eidt&(P8bB9Sp<96jO_a{&(|9LHz7_)8z`>%hEYdv} zPqp|$-B+x9Og5uvvi#h%8F9g96K|qLs&yn-1ivgf`@_TFb0|f!a5gOojfxPK^t8oFF4NZE2a~w8y8`MH^wK`m@yX%|f8iMXR8+xPi*Kwcb)@KK zZ>nOf34)Qcp6&<1+}7-{HcCWk8-q>m()gC6KOq+Ksu~FSLRg^)wO7T8#A>l*M&B`! z(XkVXz&nJ1OxPK=x_PvL7LJUf1g79=xI-x9X_S)M!c+3j&R;-)ZEbyp>CQrVq%C^w z+v~O|gTfmWfD8V|e>wcxzA!;y-=B5SZLYvl!V<5=D73&!a(G68A6U)M{W$P)?=CAl?^+($ zF`{yimzOSLAdvW#%zy0SUK9T|$2|C0m6=$Ix5lZvDaxdSDOanWjD!1<{+{6R@tqYw zV{YGEN40rqn74zjGeANy<>wjbO%yI?cwp^k7DBe9q-urfR0a)b*-Qjoe||kUkSi3L zO#+37AayMo`>ciM5=b9SY;``6;mjpoBE=2~_DrT2R@XYwhjerooch^kh$By5E^w=nDkk8eac^jKu$uWuV)=Z6M z!U`JP{n*!?wX$tGUgQAei<6&gutT-2GF=vxS1yyq!OZg7^HBf2{dbD=sgj=L9H(gySU% zuynFpsA;Y36i<4(Mn>v1@AV5Y3b*QBZ}?^VRvUsF`Hc)Ho?b2~(^Mfh?s|(J%Q!k_ zN@VK7Ev?*@Kb1mKm#>BF?ChF{jejdxyf26vxrY^-Uz)qQw)@pLLx1OqwROhnUH>-_ zNUaAY{R1&FfJ62D+J<`b-IhP-e*bauJx1$eb}CHC%~>pA5TCv0WQ?zBd}1N>shTq% znFEy0*7m(=0pm0wZTulWQ3tT31UwApjzASkulKk>C8AMppZ z%Kg)bpTHKuXinhgnzR#-p>?jjg0$?AA!@!(?)*$zE>x8zW&w^V@iKQZau__C+T9cN zHk}`#*=r{IPcQ60AG3wnvTi0hPF=<&ajQ!CYT0>j#B09ZGWlJ28pWl_##duPy7oZO z$>Z&7uRswFS;md zaKdY0u4^-Uwn3U8DN<702s}t=fhMyt+_5|~bMZ^&LL=2zv?^|7N@E`A_OGh%>t&6V z&&{f;0+@oOP%eBIKXs1Z)LS7<&_jbU#^*;l>BPjOuT8^_l+y#0Zal~N3)hXwo zRLW_=NT}xKe6!fmb7-f3zebANCaq?>bj)e{vgk5Yz0mNmyNvoLvXvYm{FD)c2e#cc?}fEAaBPF}GWwA9Np z6kg;M9C!^<+_a@DyjT3*pvax!V<%#xQHpn;I9rp&|Js!)&TgE`S;|S2+5tUPEmK^4 zKmxeuOmMQoe;SZMTQuz*9#-V|mA#5lcF&)yos#zijP99C(mvMWYuAcg{n`Y0a2<7*kBF>V)6xDqeL_;wY%BR z{5!j=27TsRLqj^yI`#}WU5U_Dz2X6QFGJS${B2wwdOCIHSfCMKw+!+Y(wACAt(D|w zqo>j|s+sPzaJ|C0vNKPYZ;E<^!eG=&qS9Mz-WSZZT1e6rnGCND1z0&M*9py1=s1d2 zRhDFLF=$>J|7TV}Q?;i78TS((T|w^+3i5qKI@#(g+_^-3)WJkw{qI*=YzbVTM0#`d5ZxdpZ&o z0UQMCNM{eEE7NnjkJWvSZ^iRxMIl`KyoSnp#g=0P{vAfFk&^y`O}lmc{i?aMgJ3|xI0mFTa*E|lTM+g zHkY0f9vZfC>9F8qxg6Fu!&Vp5vX=PCNYI|2FoJe$XAj#dp?rxcu9wPzU4~$zq%cz% zWF7Q4jiRiUK7F!?R4#|%cJltNV(YslgMFq9~z{&H-k1*Vd};w@ztJ= zhC%q*j0#Idw{<5iIdzcwWm>kN-8;(1 z2Oa1@OI&JriX)aT;P+MlX85nK;(g72q(6@?dRx@$50;^UQ((Jgi$)WH`}sx}&g_40 z%=bcUj9`|6$}vdSlb`-gLbnHEQipxpYstf}e|Vj8IEv?~V#pspcu_Hm1Dpt@KVokzSaE~wj*b@VV+i-rLkrC0)?=(z zmcY(m>X}c^vGy(Mepif+$PtqkF3OOu;e*q>C&pN#<)~}i>bqJzYn@10W$Dye;tctd zi4VgaxZE6QRKp4{b2IKOx9QdYcLZCfDY(&A6E1h5xo_yJ6;60LP)E%|yglnl%iKx#RNs)0;`(2pMx1zp|4?8RytO)7CrAJdN$HI)R!FR+ zlZa+phM(%0x=InrV@F%f78O-o2& z>79D2rth&gwxof}3kHZ+Acc=I?$Dj$@+Kw?kGcI%x-@Pi$NI_7UNt8%p8MhPGGg}D z@7$S~*zglp1Xvf@F9-aysUVB{G@m=4s`}uEIFGDGTR^2H2Kh3EQIo#*t2@jN7 zj1mJ!}t#17r$F1ecmrUj2eM6jw?v;33(=}r>u2`xlZWr8G z`G@v@(9CRI9O!Sn9?+e28^J zM9^*~EKu&hdUy>aWaik^fAeX_)zZsRnE;PN_^uDL>^%h8TLs2(r3x^^2Oo4#<3`x zRf~cwO2kuJRN1gj_vSf^Ih8#-#MmL?UY}`o&4gEo;|SS}utQ0Cuq4#uGT4->=z#m* z5o@*6G9L4cAZ(YB%bV8M%xovi;fY{UA~q2x%02zx5*|p!!VEl@l{Z#1e!NLd!ZB$` zjxkxawwNsRg4$`cKe(Q|gwN)_Ur$QjNLWgZZjDUMeMuPDtSIQuTaMsabP`7Z3Vq&OIN zT9bl&U?o$Xx3@(5!F7$K|aHa zENrB$&M&~rlo#Z!Z5agD|J*R4m_qS!*!$S#JZO<$2#ujjk$QgqQy9 zw2#AU&WqmLYNX+wRCOPR5l{BP-|Zi<$(x)d8tZul;>TNZ)UCfHZ&aKM`}JL&BY0)= zeQ9wi;ct|&Cf(|XX#(SpW5>CkwPg$e4XW#z6OomPhCs@TBbrBffLHAP{F4 zvq`qTX|T*RaBpv%3nR7HVnmmGNDA{7Wj@EAK z=A2BjtUTC8J87kqVv!-;=eN&vZ$;{wc=$m0S_5)7j}l*4n!3m+$9Qu9Bel|N(eOYs zu_yzr=MKM@t({EGEG##W%ij`{IxVXe@gRB~+&mNGQ={rT4D7-xhKxJ2zf=??MKf9r z^4G=aD$h(n06bIqBEtZm*57Y1G!YQiTKX1S(tNRdB9!zQ%S1q(#mi7x-#slzsLcy1 z!2Zemod#`Y1DkO9w~!a=HtBUYaD9p$$|+W67Iu=bh+{|tRb6IU9T>_v^#VThb&diq zlv;_&t{TkzgZ@4iZB_Kbc1X|ELMG{DKTti7*qAlipL}9W<>}0=cO5IUV(gBibgf}I zp%7wMEKQ<-B^TNK>A(WE6RvvJzPG?Br$jWxT}bJU+{e*L6nk<~zPREZM(j#3!y7iC z-oA-_Jxw$4meW1-f;~Ruej}^!k5tYJS0Zf2yBdw&Onzsmi=?kJ(Id$8AW0zwMC z13Qy{w44lZ&95g)L~_;Tq#$2SYR}&G_cft;4=+|etd}a5eS2%+OG9Rb_d7s-sAsT; zy@!>#mz7x!dE_V_@jfZU07edmI#U;oytW!uH2E%%YjbY)Ntb4EjKr&$Yp=9xtK{5OhwPcD!fb%-1%8{2(m zHtj;qB1bVA*^aodzS~<(K&eeaj0^im?oFtwiEOxD@R7F?l)BW|;R-w1dxiJbNH?`{ zY)GQ*8%@TD5QUd9ZxLrAOei6+3AUcU_%+&R50VZ9vAXhL8s9O5SD_z|8W{e9zLImC zIC)m)lxH8KR9eO!9D@0xUf{s zKTNh-CH`Pb8Za`ZngA5Sf!}T3u<0-_HjIaSRbZgYOJ}2J;acdNq(a{R4QwBXIyPyu1YUM^6$_xG-=d8YUq z$-)e2z*AJ0W1w?xJBes9vKQt%opImZib}@sT|ETZ!-4@{28)5iQ;IEH&I?jZ4YPV@KCiEv z&qI&=`>PsAc3(}(E1E!O`it`=|B?w=j#AuTPy_Q>c(!-)pP1wprKV;Lz z8S-HD#apGNjiH(xDnmW!a+K%AdQ5ZH_lXi;1J`WA1%n3@2pP0>%k#6(V7oF6{qWDb zaa(jfr>#yN`#ZK%?fkD^Swhh@n=VJFc-Aq2}KBl9K*5yVhoE_&aga-eHquc*|u{A>BIU2Pg0j_+Y?dq)1JywkFE>)or=@_IJAEParV>@yLH<( zGbxzIUP~=qt8I4S*J47SAFh5E9b8 zrcJc)&hoB=8}@JU{QPW~fhrYwy1pSxScnSZNdfKz!nXJu9sJh5o>*I@E*$V)zs$nr zr9*A>yrgs2DE&9BA1*QpJy+F{bi@8Q^7pdW=U#%bau(g?qTk5wo2U;3MU+hp%&il!KrCN4N=Rfpeej{}tD_JG;F%X0EFGMu}x2$WMv54dn4yAN31K|5eW8cmG^Q zT+6%j|L4=>CoAcl8>L?OAKY%dwQpg5;Q3#xfeHEAf3MG^b5~clfPhj)>N{#m zj!`lQ%ePX1)z+5J-ubT^03SBc>1*Qty;Cc>78CKvfPkt7UGF^_7a+)=7^?9V`yZ*l zF8i~;HUwtUdDqBv+w044euwX}($B@QT6ulN6f}tb=f=xO#YE=`lDzX8j@^}K(F3c3 zrlW0T_T`!5zb1+bqZ0g+2UG~8ng5hn4wxS*^B?QN}mL`#Q)dw=y+TG zfBQYuccK4-;Qi~51CSdB(9$;zj@XVOsBKfK9A0DxB_~cywm@glpT4uAw-#YfDr?-c zDgUO(3LWZ&il3=zVpW^KXlo=I8OFxNkkgbiFuKkp?fKVBX`FnwN*&#=d_n* zy*TOiifqx&GtC4GI{&p>*-&`+VSaef(>ydaPniH$mYoKZU*RLgJKd!u*T*-i5?YXu zYmRH)pZZ`~qH#MyN^A)$Sc(p~cmVv<&=diV2H6{N2d6rO_2=A%+$76|GEm&+D}qx8 z2T>#hRvP{1R`1`6Op+^kWz}cxGfewyH?r>Z{bDQIkPg)C1w)s5M(vO6(Rr)-B9)vm zL5clByXa9lb=bh@WR^+2Hhi|0A6r4*`{V>0x#cD3<}j6WbvS>Og(n;-JgavH;$(!V zW8zr!x?m6X zj`yRKfy01bfH#L9+VH~7CK?u#9-XSwgu@xrJ8axi?wzco3cO=o4FzhYIm*karY-CydgGPQ;5asx5GnyY@FpGAzO(QgULcQFn>`ZbLc0EsMx)Rf4vK_ zu%5Z86^50!%0Z#y1%IwW@zD?8Tg)2XG=BB0lvr$xG%}QXQzq5S^E@SFOgeXks>Shr zzR2KknQ0#|6H<`;mXucdH@gBR?#c0k?`5K6d)K;$m;8t?)R~{m>BI20XC^1!riaLX z$ubJ&X#T3iK@t|)Gtlwu$5Jt{j5k%Y0jq`6JZ9po8P4GjZK_#yF_AX#6-{-T_nEA$ z6(2ue8;J9{4dDYm%SG)WD)Qo7Ba8TH{i(`YKg9J5A&!}`UtdD*Y}o?uUL2KnrzQXR)CBPYkKau@|8)bq&o0Q4 z+pTdl$upBc?8VK#YpE<>s0n|0LY_V-M-;dH_CCsVS#YY<)Ih_IE{v7^ihipwy%ok0 zWwL^W1KAtleIeowP+k?2)`Vn}oFsbSO+GiZ`{j6V(zdI?PoAN4o_K(5sSabWR{7x~ zv2`Wboj$9pm1gj|Marz#DH$I){}KhGHxOLU*jP-D7Bz}mYV4NtyO61EC*ML2al?Us z#b{w|8<6A#5QlZJ@>9K zdP&Ix6iaP#0r24A`39HEmxLrF34lhW5rbyG5lsNobPU1c)?bqaWFJA=7xeB}(U{ts zJyE~tr0DS~IVj>ur7oRDkDQz|L+)P1e^=RG25a$xv3*Cx7>`NrA)O0?D`nR(eR$nI z!vA@E{}YAqJNA*cOj1MS*VIW{I-h-ufQtH^JJzTebAalO1ir{h8{ZaM&JK;zjfDl*S)i5x$w-)KKtym&$HwC#Up6c*Q7zPdTk#X86Tb; z>yoBqRsgf65Sgw&T|_elMS*E4!9GftNXAsNHSF z!TdnX>*j7By`}wK5!dSB@ljw;Qdy`^jFp_5Frp7262L;By!~{1e3Ux9KD;Fa{b&mL zY!hzAmAk$K-?WGSDwt!2z$TAMJ?bhfEsV90Ur=F1OJpL4>71O{tRY-LW=@g{>;fv% zQ1Nge&T127h+KIl)N?seOtuBwmcAQ>HiW0tDJxTp{xcImx^q!T&pD6x>hM3`AVS91 zcrMYswMih<)BVBNZpQv8*_vTtkgG6MA<6yd%&b|I-`yWLEpfOxpl(dQUTD7_nDuAj zolG|b zKhMYzX>YQc8WCUba*D!dj@bQluSXmtq25csCwu)J4U1>`OF~e@^Z9gLS7qkA zR1+L-k{lLNf4NbcQ8c=9*$)Di*yB2-9gO_6Kb|jx(bnQPbm2Uu?1OPn7T8L3)HL;A z0a@=Eng6N^gS4K`qaoHb>9Ogd&UZ53`xXVe`VGoeMJ#6fvuL7pn5r^gDKJ)4I(Ws! z%DrSN&|MnCqh_sj-z$~!ajOK&iIw^KM#VGU~5#*g+ns; zwwL`@#5;q#CneyieHIAZU0qDCUSD{%+{1h^{YhYYm*4)al)}Q!;>5tT!)mqx=h^_u#5#(%z+_VCpO9Y4pObeq|{AL8l!0)1Ek44MGh; zhMvyIfLZ&esV~-Mdfs~ki>%wMy(g_P+}li5-czKF0?AL{wgw0#lc3KA^p+qeuQCLReUn1cJeOH>Ym;$he9er#JRZj^VGi+{2~T*i?mq6?TwX_54L z^~I+3Fwl+-jxE4+9>Ks|jdMq^)^-s3cj0;&rsIi6T5mt6I!c`-{Mx@ox%aEQ9R#Kp z56#cXP-;0w3z7uJ4VoBM>=N`U0bK@UmQMFMn8Ot=Ux)p-D8Kw9n)X#POHP6ZP=u|n zwT%}C?{6ZM7}43@mS~uCVeGdF^W6>jXZv8)@E_Xl@=WMexlotlcS#yc0SGEX*XYW= zX613;PNNH@OA5x2s32Y)pp{))i zejAT}zL*R1S^0A}$9?l6x>~=G`43*OqBYs7@z%lUT0NJ0RP1EWgsp;fZr(+~pWnUP zigusIxRFab&f~)m+2-G6I)-GL)t!>*-%ykw2{3RFCMsPUnN99-ayHf*M)}-p<15ud#IaMrcq?J+5(+U_` zXTO=b5yiL80F$^P{}0rwu!({U(pWm&=Qw$@8B0GVMJ_A$z-(LDs;Mg5?^6or``aAv z7NY_Lk6x$$wU*q!Y+@Jkf^&Pr$2=kmE~F+K$vY(>B%t%QyknoM@AjH)Gt}1*wXN#x z6`MmSc6IR{&$}~~M7h)xRn>s8<8fY@XI-XZyQ@;W&Z-xUX=JaV?X`rQf0I=A4`km)yF)LWYOsHARblC7`7 z6Io-j^7@9c_aC}5ha-0N!^;4Y`Nt#o;u!Coygq&Xk8*#1jU@ac`ZTU|$@=!EG;DJx zsRAC~3HzPyHQTB!lH;4Fq(EUe`Ydz*xn8-d1v8o@^S>W?3;H4)>pq=-&>8{QG?vHR_VG+!iEywkFG@VD0;imeDRc&+ootqCkT%DOVYu32$ zS>mW&bsPD+&a#ysnyr4VLzb~7<*rly*45eRbhtaI|5I8sbd^c7?AKUEcQ2o8g!Nrb z@Ag)HHcz?jTl_)fPM->wXnLJ>k{ZZKnEpY~%E)~3@~Ly=#LMZM+u+)sE`MR|MUeAG zT)eYs+hUzbt&CtxTeW?-C&M;#VlVnK3_T)K$E_hs_o}8W|`ZaDBgTw zg9j+7XUN zEztL;hlHm_BQXa3eQLcD0LU;l!!9LSltp~PHJ@(tOwRE9P+Etv{MH}4arl`t`G#gM zCDMpF`kl6bT=SFgO)U17_QrCj$a`#S#kj%U0VY#P^MqA|`4>d&W`gCm8;Fg26l;?% zj+SGdBV|g{cT?tQR9|!r^w~PZMA9R#nvuQDVT*+X8RUE+i#y=g(9pp5aT3)ygTyML zbNJqLoIxO94l-T1==;Qo5N|o8a_i^4V@x0SfxU9mtTn0@Z)tKO*s&xIQ+PJllvd2ix&VIn3v)yashoNy&(3>Lv-kTdt2;nO|ZGX~8B^}+t zej=huf|x{&udyoJo>MHvO^w8jZs5y_-x4IC1><|k-1>A_y|<=Xpef0OLSLrO%zO@H zi*e=LTA$3F&y1I1Afa7xQ9W81oaY;X&((FGtrj>v@h!2X7HT#b>dA7rzI5RL>M3Kl z)g-)*iz7S?ReOSi-&dcB?~&%CdDp%#*7O?iI&OZ2IQ|g2K|cs#5yRoYHz%23FCVs6tE0EKDugzpE(7OVar8|9lJW3j+RR? za2eO_1w~K&J0_f<(Je$bA!aRsX;HIXx zl1YX^Rxb?&8Z>SLM++3Ou8!uTId1UAU+ZGB+VY-pK#9}hXFzRuir7_yNqT&q?s-OU zA6C40b6yGT)BI1p-ppE zv%HT%mLmq$cNV#a-|Kw$%b*AHG2DLb_YUa;qb`H8L*x@y`ZV)fg8mkL>hMkY=I(yC zwHJ#11)YyM)o7I48&;Ib|!26#*j;xS{r#30~&S|h0 zSexs=hmxps?T)?n4zNX_W~Ae^85)KXxf&X*Y|l6a@!WtuDJDw8X)WLE-lR11SN8i( z?|gwlPM)6MVb=(b=P4$3K{CxXIPz>;$lcTC1I;LEhM(i5XP*fqC{U)(5q=O;iN@<> z!l|oBHeIK+H|N#Pk9}L~{$4=Vn2qg0o}%aO;cNjH8Ma)r_D%pTlR&*?H3|r$a1{@6 z=p|+<3oWCd#|9=Q7c%InSi3V$7delX<2@$T$0yIn!vRmXqdQCEcGGEB$b2?^kqDVM z_NzK|Ow1GCK#5I~X%3()_!@Hv_>RI=JdI7hPnT*%ZcJp(UiLGpy((3to%7moPmH-i zu417|?_9p%!X& zuJv6H46F}Id7T+u<<3Dz8uI#m#C7TN)W(#Jpp>x;k3+R>PJbcvFFlR#qd&hcGZ_l_ zH5-s?JgzJ=9XeCH7gZ8Ygc!^m^e~ntxN5(6aAB`n=HC4)<3%FJiJ;TwdpX$V!c8*p zXv`%Sz;oxDnjRLVWDa&FsMg=hTZ!taDgtWzK#!_+u3V~MPGIWUpl|o7_Lq*Uo9-j# zPrZTfAkl@IwYg*GpFgK7{3_V0Ac^KC@S*eZAiKFjekrI#{Zm(8IJdlyO!J@~0GUDc7UhdH! zI8wogW*51jAG^K7m~iG6t&@}Rcbr24X~nbO$=n`Vl-NRUSdAcx+-Yad))4_KFH=L) zuEK@Itv?MmPL<7$@KXOo0jz^_esQvDoW z2W!%RQ86F`^lP`WTQ6l47q|1jcdMD2^*96C1%CYD)aj3pbwrWX*^ey;k8VXiWoH@Z zWEtbgA*cnF3~dqZC4z@GcCTIypnH&JUF0fU8a*H9D$$>*6Kz?}DJfB9-B}ov0^9&C zK2GEENubF(VeR?;eJ3zd>T&0KMfzhj{7iKwK=n*$RI#@C(6Qt8o|xCORwno{R>T2XGl|dP9pv)O29S_`Q{vT0 z10iBStS^>=h!*erOPuAVIqcGyszcW&xJ|1kfTy1y2`564 zo`lu)t)$r+m=rNFX$yR*ubYU8mQd7Jg+klPCoPP{6UQ%Ig9%56W?J9qtcya4v3U3< zZMc*E(1^=xr%1WD>`u-;khR(=tuD8B{6U>Q@WaFi2e?pgi$1+B*YY+SXMWH58YUq< zk5j8j`aBVkH36SpGsz-=mYzC7jg6nx%6eaoI`=J9IVO90jDD9a_ zeL)SH5Sh~p<7p79N%&m@dySBfH$T9V%{c#N4DReIf}_7BxWKL6fe6b?tm9-czt?ec zos#I>Hu2}PU$nyAWSPr|6D zJIJU<<9xmSdipeJTfhLIcDKgMcbYwW-;)5#0eH`)ZZZ@?GSiF$jN|kmUEK^|bgzNI z7ujCi2niJzL^5GnPB|J}$N0pn)!viYN{lD$i>uz6=q&IL(=r>-v-wy;hw5AAe&OL( zrT@P5V0au%vcKQ%*E*32F5A}jCZ4IP$1$I|w2UQp+)Oz-FZL5z7WF1_o_JQH6?*kM zhNt*>)$fOQkMGJRm;WBE9`7u#&Y$GNdW{vc7h4DxK_+bvkx%!I_!)uN5l)c?`>PUt zO_(niCul0O<*F8u6j950k95=ehyxTlhMS2=uxz@zg5Y}HO$6`mv%UfzjRffp?aVs) zj9~%e``orDOwz_&Mfz?bYe1lzo7E8QpcFs}%+-Z}OE90Dv4;2Q7uAQzzV9O@9*NMF zDZ-WlV{Y=TQQx8U8l%oW;xXh90h>P_m(3DBsL2zup7X5m+B-?SiMv(qa9`N>MH%)= z=J0aR6y9nb^zhQ+4-6pWI=XPX{{1Dh!n37G>#94OR7;~+l{Hk&Yuc~v(@w&+fV1Pw zNb2xVc}M8Bl2R9r`02H0-^TQ*h`7wn!D8fo8=^gwbS(0Ym;U~7NmX@aoZ#tcXL(F* z{gk!3Kx)Tw^t|J457sPiwp+zA^<>97D=WRSxz}`fDAnwhxy3xG zC0ekgrj|wgJ-(!53+nKlTT1pahu8z6YSIKgyDw&j#x#j)^G_utdK0RhE#)Qsnwt7L z9~7V;If%c%fE}%*_Q2zar)op`*Bb{3_4;F|fB_qrWL-BIIqmIQdM0tDoR{T%RsoYP zu;2)<4IT%zOns_dRFrjK^&wAR9F!A@xz`YAhhPz*xTHOMeiPj_LkcoVq*`Z0n#|DEp{XzjYH}3;!z|vg(L8v z{|&dIjHA+?Nc&d*rKA6M2OiJevAv`)o9TivWI_>avs>CMDnlou&d5HT#(d+40>z~j zmO{TGRaF(`)#>w(#E&Hn4c7@b;H*MZK=@oFH|e5nll-3a1qWALbnG1hfdnCY37 z{;ayX@{SfpMn;z8%0>-L)mx4!nOsn57Gm!S_6k?wLiR|;h^Unv{mC6D#(jh{BC|@X16{L|53_Kg5 zd<6DhmGGB5QcflA<}4_smMsiFUAJ zX-E*u-2;SlH?P%S%!MUC&U;k2u39B(^!G55M-vk_>;J+rqTG5w+1=2S@v?yyZja0; z2Tad9z`)j5GcD>4nvlMxm8Z%GwyB6YgMlC<&y&ULSk?Rbo*Aiu?_zARY7cl4xZGMp zI(_2eP5$}^ZNQ(}&_;F51}*}8fO(Td(hpi@K?@CcRUL+$U!1^r1ubX20N8Zg;Skc? zb1)E;kqid55C}#h)q-6?JP|fhJ}|8V?@#W3t9y}9pKB51aiTmJdWb|r50!!3MV8QgN+Pbj^p-a(qslo+PF3e zW5)|qMvPh|Kmw&d4m0?!VtS7=Ih{R2d18g#cP1Vj!c4-)=-%`dYQCtjtSbf?DS|G{a0Hc8xf9+3U zj|;GxL*wz%vGddg{LacB*53Jg7eJk$h@F!wNYg0H029Twvl%2wIU?KGr(uw>#8eH z%Bh=W(rx>2(2fga-!2_2H+K!}_9R+^LN7)2P>N|>OYXg8AfV2usW^gdNCh5^#`kvh z2|1pKy`k9iEf=dY*|xiy2?Z12h#Cu({Yh%i6ht;Uq8MJW_s6%4zW9rz)8B6P7dRl3 zYsU=;G13yhd_$mipJI6ZGcITcdaCS5+_Xr&L>s-oUKOq$-&Z^cOQ^r(E-WqaSEP13 zgj|Rad&!$Aza6|4=Wo2;Zwqxx%lOQTzB^ki=Wz;h4j6mmXT+1po*7 z=3epAH!b-jAQhWOFbQA>MB`3-BiVx)1F?2nj|cWW^Om(^sZuzgC23 z0#|XzUXR8Zk^ov>LBsL1V0~mK9-Ae4|K1eNY}x-4f`LZ|QAu0y7J&*BjFe^Idwi~g zlfUTcIct^JbVMEqK+Hxf1j~gLHNU<2ZuIdxqOab&|DA4x$;r@11qu=>u=Sdinq%32 za%|4pBWYl9F`H8w=~v-deJ$u25f_!fm#Ko2^zYHXkW{y+U;`BKK1`Ob*+l$vT9$HE z`bpf&Lg}=Z5FCzBa!1k^Y&azbRN)oCv5#I^TnL5kkLR@3j0difm6?g5)lhDe8`S<= zex9hXWIM=&R+(+F8S8y5$^x+}?sXMQY)dWdcCu+%CE?Pomw3D%u)PwR!zn3^pUF9D zFAkP-O)`!Fx+lDrkC?{|p#~-PZ`qyB%1Q}~@d?AP%GzaVw;92_ zAo9VyPE!Bf=k~7;W2!87vI~pyZiYirq>PR(Jmq7JBk00YXmUq|R~O6h|lAbr%CVl2_^V zPPGRlo2$S^gMnG*e2x?vFo9wP&nzRaU|VXVESbOw4T&auq3I?E@(? z;G=LY=Wi)ms^gP-A5O)#%=jVnjMzH@E-dtd!=t|n70_51>>iB1&%j}o)y7EXu6bTg z{datE@6=K}p=o@|(sew@)fXGphD%e)QP~s~-`XmuC{)f6g_`wE6&h510P>Z!nqi_O`hbPYwP*`~>b_7)Y$AO~dSIs(hZnx}WNfc?Y3-w6 zjoWhWS%_B0Zrwy8mYgR*NX3hj+~=R!?zKZmaqiUf*0|{-6Gbk+5UF}RpTwS7DV(NR z4=;-?Sp7;Gn)-#xlF!}z*NWAV*-iFR@1^z2y1zYqU+E!tRLSK}fZaM7;Rs^v3uo-3 zf!s@sq^950U9^F4#K;tWsl;%VNyfmIKFXPwW_6(qtoj-4Dvt zaFUG$cRnQf!!;J|I9Z{d4t>z~;^-@xn5x*Jk^wIakNiEp@iuH)KwM&>H*eIRGN~ zv)bir?uhc}DxCVMb7a3LbF7?@MGOuL=DHP00@xVe9SB6|MSM5E%$`eOMp603R*ncX z*_=wQ8+COw8%&4Q3~DVTc=f)6ey+aYpn$|=&BtsD5js)u4>UH&a~^}Fh83EDxnb8b zOp~POxFx)fM}vxL-n`DxI?XL2USny^B+I&e^`m)8w2Hi<{OXcP-n^D#K+bMk7M#E= znv=DaMCosn?`PY~O@51>`rSvRpbkra#rJ2XF0}EoFG<7ykd69$ghhpp=}ef}-{mt% z6}M4o8sk&b_vkc#Y0)M0LvE+igpU^~U9QQE%MUpcb6XnfCPXCftuFGP7tLXp=9*9A z$7>$!btTKkYcgVEz^Bu8K`9QFMCBhx`%-V!<|{3w`@>|~Aipm4FN^0r4VL@#>t4$= z@+Wm*!U4S^AlDA=hw5wFJ0_weUz=6CxiH~~PI2En+tdt_!diU$d9+^eW{U-ax(_20 z$n7TbWVYod9x@4O;;4`nzlM*=P-t)j78XV&BuLu#7c8cEf_HcwnzPL7r;jeUvkaee zS}!nQp?M|<{lG}H;p1UK0>ypD-BbbnIyXzn0kAU zWZ$q+V{%9vU-0=Hm&_*Z7<;jI?Q7X71TvG#X{zf&@KDIMKg|~?lmn@cXeCAUgn2SW z4)*VJ%|f0AH3{VzJ3W|wDiW)j%!$EC zkB<&+S^O@FdtzOwj({&+i@0$(I#u;CFgC}>?Ct34P$?zV*$mHqEc`&?#nM4VB5 z{WEE~(o*ku_-t_E6VrMLxBLD`<)NfnxrvTA9~zK@s~P=$+#xF5q?u->*sT5j?J-K? z)fP{cDe>8HDjy}}Q_N@+SGoXJ;Fqgv|H>QVo!7u~yuk3%F$gbs_c6Qg{hLhkqUKw- z>PVlg*hG@8zcbZ^=C&XGi!O)B2>+qX)eE6s=d0J+Y5W*8BI=8lW~B>8dMU!ZojErR zBT^2Oe|t%OFU~sos^i*crTQ+0d`fIxrRWBk@;{!l>V%wX{;^-h3W~lJq$(^?Lr720 z?d1ZS6G*qOhs3htezgI zVn>m;p<14_DFjPdLz_xzMDxl1)}pSeCg`)yVM`_1IDn+Xl-logAo7qu7LPd8f*Ab) z@pH3Lmd+RalxsdS*Rn6x?ClTju@Xu9WW7uvvXRL1uEp~nyj8iGn)C|XJgV@=e~?@! z-STXp_lq_2T-NA|k6c%a6#6l6z6Rrh*^?T@7QFS-qxP?(Lh=#??+OWN3$xS+EDtA9TN zFb-LxuWsI7x^rkk!;fHXg%7RIqDn&o1FY%Sf*tP`F*k#6zhr&ehJ*#f_iND~ zxcRqoLE30erXG81Ff=_{&6S}4uO3K9ji3LQ7xVuwhh%L>$YniC)GF;$?{Sjs-a9*H?g%$3*!|WIVQ0|H zP63}GB#Ac*tLy?Z1^VeyTFE^GxXILEB`1g)a&%ruX=6hPE_61Mb}^ z8ctr#;UhhRiC%4#)R4}OR*%^|UnQ2(X>Uczy8ou+DCEb}@Bk@dtaiLRFwb3qbF{?u ze)sGBX#Z{Iym|5bt|E7@|EJ~U|NFuJC*bGrH~)_Z{}#IS`_)r_-GFylW8eS5ix!%* z++OK&KW%w+htuK5WA-P9@{_8K_Z@GV_ zQ9|yep6VESzwqK983idPqZiKuztTh(7yv@j-&Z5SZ^8v+82u@*pKLR>LZehPVKnus1)?H%_&^Xe-d3oeymyrI zggwHV)Q|)xXa0GRYVbJuaKL@7&ybJ-UH8%6E8wbTX`%WTgUb_vfcSU*?vlYooO*J)D^+3qqN7H*On|}TE;@Q4GWMc)7{96&F z7k1L;&8B}j+bO^b#D0kllS7Q%3MMen9ndt`pFBNwqDlX}bm&n39y8oh*9gMQR5Ink zo>o)%tz-2IvI}SaUa;hUxIIv%l=cPEUg&*KJ<0Y?1Xsf>N&4r;Z}P0)_EsJ`^XSyY z7#Y!@AZ$Hb?ZGpJ1>-)Qj!SBa)9mk^Q-rW;BDS*>)4mE>eXO4*IKPzDK7lz^l(LF6 z{uhG*!GQlYc`6MaiY7^6U_ij@h$lWCv&@up-xw4n=m-YW=7{}VTJ68wZ~E|a9Z_@P zTQ#;O-mhI$McwkstkTa=t=aYc^5cr~GIr6d|0z=4hCkFN2Zz9~lZn<8d(+qm0!iO^ zR#HG0KaJ5Y)hc}J`aV3aZ?Rm0pE)+*exue*vZVuBqByd}q!%+4)A*2dx(*xUkKO6u z7platGZ$Xbhoj}Moc}$M;Knj>r+6o3$Ox$LiEDJjxyqyIIj|&Je}5FJ22J`nZLTMS zWBw&XgTc;?2o1bT-+k9Hf#7il9`TVn0c(ZL7gK79n7f08rkP%jo}E)*54bD;L*9Qk z`3q9VFpvkv-G-0l89Gb2D5)!dveFe$af2M%S9%@U3t!JbKJ!z2=HDsoMUO?ktW%4V zdaolr#!{P*pr)+-9Q>|XO5ZO|gTN(M@xL+wWYzS~bNW1K7!yaZp<3y?cbHFOblq`^ zVn$6W>by>ellmZ-mLJ+Hb@7xlQ6kyd?tmYaa*hx+xqH)|R@21l!NOR;g!0oxW@f zz)TnGM2In#;fpIO{RGkfVlmQwwytW72RepGo;;#P6T|;)==Dw2A+49+c80f3nUjR!jl(U9d^7c zYl|v*y6*B%NJ!fFS?UFD{vJlMK3qn*3n*9LiT)cyf8wCt9XQz$ zp;!3+uYwDPFQXZ-7C`VTTQGSmK^64x`n4bXQbphDQefOg=TUT<+^8+dcx=(XaU6-o z2Q^PPOP&HSW{+xmxg-k={u}k2U80maZwthTWjSODId3a?4fCoPeHVjjtaf&o} z%PZu}Z-%A)ma&vxPpQr>ft$KS6Ai;x(ntMo6L`n^3+D|A6uo*X!s6vEqLK8SoBuOY zvjjAqd77J3H&@ts)zmOk3A;ZjK&s?@h)6Jx-rp-(pt>YDS0eNgv9k+huKR^~ix0%K zLQUQ=h|~RR!hy)!XHq3S?4?r;k@>AcfdTp?zcD?CqLGghDwkjOGK_qFz;QR}0>h$W z8V#CFu7b+5QfMn0exTU{R{{NhO^mc3?m5hg3 z-_JC8 z0R~E&H&A?k-46oRFJ;!=S}uxO!qTg_Bch)RzC{h02m{w!im^E1XQwrt{_fx12OL?N zD%#!OH$-%@RXZ`Q=1TOVabknHDO^ES5G|KO56fS^Inw^o&rQlO%*!xvusWFK2aZ(2 z;`xI9rNq2nJ?>cUqASUzs2d#W*qgR0op%hj++0?f=DoDeT#Hiq?m9=j6~%E#lAIz~ zCl^|^@Y!9Q#$k&$>eat%PkYp{%LFY6_&PStNs8&p?pD_?+y8ca;G9sgpKkFojt zD**vE`Z7U;>#=ySQ0jMOb3H=Q#mu|s!MRv9<`AKZEWSpELq|V!covfNNPk<3^*LTy zSeUfjYX0hFT*Ju^1&mM8A>S_TvYjWVJV&yZ zXOZ!Jmp*nKdyE(3DJnmUXv|Z){Q14A=^nMP?gOX($Ga&C)s_tkii&Izu|dLMVx0D2 zpHN_4IX+(UCQ@fmO}T*o{GO>nWkdhhpGi?1eGi*>@)!a=_O*Z71Q<)^+b+|Y8gxaH zq4E_Q<4cEX&W>#A?9RF68i)6V5<&~Ls}0YC9Izv7+H=SR_pULBhQ>!n>1hAxoEp!2 zTIaFnKXBtr7rW~_KR*~yI`kWZ_Feey)XBQLS=>&L7NL(v zNgAelaNKTmB2azv<$S(c8#nEIv_@QE7wIuP;xw=c{vW z`al1MNHN%r{N*AlW&{fw7?l+lKgC*IEk)&Vakg2py)bV&yvBS8RaES;n#`>8@IOBK zsCT*l$X&fjlf(3zcYx!ba%^jG%csI%c|Ftc+;5ajixJB&yj7$i{xTr6}n>@#w=?%$_?~; z8P8N)5ZR7xwngut3W9jp5sK|Mh-!KPEh6F`f>&Sr7r%;$OjqSGQtfI$zQ{ z8x&^p!$QluYNPDOF>5}Ryz=z!oQ+=EJL>4?cz9S5kr^$kXyRif+PPj%9evj#;teE( zgSI~xO3lYC$f9^K=2jphf*thraFijnq%oKKur}lJp z_SUUKg>_xLXVECg`BonUvjbB{%-3|u6qispCzTbw?Q%ca(nNx z%19gi(ee3}GX@75F&Jm{{X?DM$>KuA2|VL8$AdKGgq*voLUon(D$vV554TgIEH}91 z&~f#ABHrY8tsLeDO_#9Zrh>i-*=AB!_n}HSosa+fC+OC%KkiR3NQ@t&XxBKqT(#1r zMHJQ96V=$A-b?z+Nb1*wQl85Hp0)NvK}iUB!rbyzS?c^;9WrEMvI#M?dE#`z{#Jmc zZ%9;#|`sHMh7kd2Hd`S&J>_JA5|JQLAcJZXTF= z-iVOON=cdaTOEJ@^?8xv?D8}(mPzSkr-SVEXRrOQynMk$@l=qYo!;tlAR@SoP6n$M z`I+XEP_7XQ;i+)LzRd2zByQ=-E-ws`Xr^r0g*E;A;0&i$90YV^G`ci=;NRXjUKOr6oPbNqHp%UW2S4)|0cIEhR}vSEmss$w&wh z&DlN$ITkt*{S%Z$YHHK2Znaq(N}Bh%*AKYyeU`CaL7^#QoRJCDwpBlls>&}L^i_<} zf)n8U#T-PZ7+d2K#UFMj?3P>%u59%rt+XR<`aMf`E>Ep)Rq3`T?1a-4F}J5-z3q(- zC3%A;7-W20Rt9?@>bW^sU$2Isa9JB>XJ!kHC&XX;`jZ>*CIk7h!4x%AoVcPbunawI z%iOEnu(Pl%X_u2vU!q_zhPqsdAmOuJrc$Js1T<3#t6*%Uqf{w=>JWD*KVYI`YBn)M zH%?oCuX{BpOzZK@6F(D#N%T+RGPamib8hM>ku8d7vfYuB2I*nIbTL$j2Ho6@&v~Cp#B(t# zaEYPPX#k`Y<2{aD%jENxV6{eT*>{NZo*o$)X)5f%iScRpQT&+)a@dw*sYgeXR4g_H znahH12G4lo@h|^W%gL$&m-0C3*XRKo?V*W2kK3^adlQ}f!s48_&*C|Y5@F{JE{GQ% zX9q9pWQK;>`jbM*&d2KSlh03f9)N}fC&|)`U&K=D( z@F%IJ=;6(gV-r zu6P`(t@tr9!-|-Uf4*q~f_G7|-SklwIeq*%3fVCI;$(sKv7*byvl41kVc{BGU1IRa zIgx2g1}Rf#BoP;db9Kypf;s43UDZC1R!{r7HNKuAR6>=$Vi4LW&@qO0FO2uc#l#~K zsFkv^pLLzaG(W5#H@OB8SZ!r2Lp)n;S@5`ki~pIRYNMy@@QJm{Lx)OxOH=q{l`ecy zGAk$`rf6z1ZGD>bt(F`5)&8G@`Uk{e3GDFHHX`Gm8@8AEPS?~Ayw3F>VbS4s`4#!6 z%GNZQPN#vtZmoAwAqj_@EM)I*<9EXrz{Ml#UD-l+o36HE z_f*`|s4idXqZv~oBMz&q6delHs58;+FD?oi!Z^REfzNRy*g@2*O}*CV_M9I(5nYXi z?9_*E;`Lp*-h4T29xY*mPd9hS+$03NPi~ya?G4B@=W=^`_Wks0cwnwlER11nJKyEU zIx{7Qg}{~YZw?O#sFllhz0NSg`q$fh+o~nbey7~r4p_02#%gW7T_J71^dfQtl|{My z%+3$6aJx8pe76sr+sj9_>-cWMh)U>V$YD=Z$J}h9d#>!f&bOv}o$s;l#HV9Tyj!VIl2?k5LGW)|)jUZtW4d?F3F zCEtm*bPcOryEx+Z3U=^$K1bF=h-!7LPwVnnrXq=$WcmG`fbGX%-N(Owe;zMUqs2wl z)Jz&HQRDX7#e}lkuDpb(H(l-GHW!RptRT*PkWV~Yee#*sQGE{wB5-Ew9k1rY%hzuY zM4-;O{{9-xf&u|1yQyfBK~m#|SC=_tMmsZgWtNF+8r3^ZE{MKa1^Fz(*Ln-zeCqOl z^Jnu{6TS=2)Clg*3%2JvJ&HXS!sIF+IvYCEldRE7?d1kXHM?0q^9qMzqD!BOtgSf#KSo$txf%%BRL1M|JX~DH(!KcL ze}lXPJuyow?Q3Lg(#8ZIzOFqJ=#I zyd}PuRV@>pI_oQVygXCbgKbjdG@h^4$M=NHo)H}Ni3@2q*n1$lQXk&G`4&AblzhD& zt|Nniv9H~{`qMjN*va}zfR+ChlfdcEwDJtU6V;RcSO92Fx}I%*dv9)Mn*GA8y)}=` z>+~2##Ku21I~oyCW_wtv&V;2TktOihllIyE?b#+ytuT*ypAdjdNv-u4$FwBP{HEww ze$jsmN%!;)ub$pIb|Vt={jejHBYSHz5=GF=X(8bLW)I_9f4aV&XKN003Ba3laqBuw z^R~ zXp}2kV@*X;|GE<21QL+;Ot|cyYC{-pw)3i$*=%bmOO$=&Td`d7=?PO8y zgB;#_Yus5ZfXr5A>u9AFAFJ~{F?l6eZ5}?xjup&SZaXx@R%dU!9a#MqKiGY&$Tw{O!zcV=H(F>BWeLvL^D zHBXIo|j0i|YH@hcQu55K%xF!|w=@`0e=!O}Zp$2~2kDu@Nd9L?*-qAl`ICJKlv-e(mt$W?; zULh2hzajS?KHQprD_IdwOw?IXW!%f67#AnMPf{Ur75_M-JgAPh1Lt{k_};tI3v;&B zdG%bn8`=qu#KdAbAEPA)xjCOR>ld&*qAe}|S!!31P8<_3Y&N(&H2w8Crwg1d@3FW~ zb-3^HwQXoj35iNb&TU1FuHK|PF3!wxwPatgJD{m4S>^3YdFXto1fqOQKW!>Js}p!*}9pkt_GBXWrSJ`H2BH2iSVUC-{uFVSU z?BUF+g+>NOG0`e(qc5vo3}Ma33YR;GuGMHIXZpHMjrJ_|YO^phPFJk{41^5UYcta_ zF|#w!3JPi>PuU7(>BR3?+@k`mwQ8V%3YYDTM)S=}e1=CEsdrK-x{BbQSv?A+Zg9r!+7g;+ki zT#}K*4(-WhTcefwKHx8M!hfBQFNWQmO?&X0xC)_7b+uh-*#uk*8i0p4USl6kem5@e zr3SQ6cWgATy`=c#lHJiL>u7WOsQ5>B_h*9stjr)}XmUMNTp2Zi26VK1law^0n(}F< zBb4in<0RL9ytwr!G@RW(0PGI!;ieAyUlaKX2h0Kkw6yqc_*%HZz!%|HJnx)zJ4EC1 z!Rz>M-=1W8E(K97G&#B2HW@SldxzTSf(uLRT;Mikubs7yXFstXkyQ3E0U14YrH!YG zIp_zZt{PKZJ3B&7ocug2Ujs-IMH=;DF&dSjcZ2y{7B!@W*=Z%8cc|uahesbLU(1q2 zFaeIUS3*O408^epFw`hT~soRL@5eim~X{nQ!>hxxz_b{$vw9@C@?|S(tl8JGhek z^EBnfeQ~jmukXl3dP4)=vyPDH>UGzFlu%w4YkgXRxe9o@&*qV$vkEl4563M-;w$qR zflHnj_Pb>Q^yMA8dpk*#R8~mIA+uo-k>nMlU)1QrGLg&J=J{e4_qqO;1kJXNwzO$F zbua)=nY8AH8uuoLqbAJ)+RGjt@1i{ z`su{w>Mncv%qf^@1-$1Kyk5&=i@(D#52;B!cKUa#?MW$k0v@N8*^&ashqb%M2FPOK z;0S3#p&`Ef=>y+G9S@75KE1q4-K1Lzd48Ys;j)E=wMdKG)F{k2 z)tg>3VI!(A@6)W1JnR|66G=(b=7Xt!Z23gaAJJf!DarCFgQF5i!xgYHu!q-SqGN~P zk1$obQM50c&Bkr@Z$Okp6YWpS-P&c9ZHW-1FPi=K9Miu*c$c43=vvGh* z0CDOSg0KS5YnAjm3b`Z3RJHIJ^%yTok1>hP^6FiPCz?IG-|+EVq%gsC=@-WsjKqVOq{;Kb>JUhVfBKLUKN z!W}|C93T{}4R75zKO?#>aw$)s@_0^;a%j6Rr&;Py8MVQYWc2*-^_O%8%Pq12+aSkc=Kt1Yt_=;YJ@+YuUeE zjy$gNShAqj2e+oS=9|C&)2C0vQus0*H&-N7trLYFl0KMQou8M50O$H*bJmb}_M+PJ zOrfRFN>f>gr3QD|3*IyRnKw{F_jacmiiovwqnX)Y(Kr!7Vd2R3<=!)M zTXolyfw!78^bD`B)Mxdz$i)kBvpjWas-B18JB=4#%z9o@2uoSS= zI-2Tg_No@l*eoomgYv$8TW9BzvI;|Ws2&+DIae_zwV43~%zPH(pY!t*MOWGPFo)>j z`6n_^zdIZ5Yde7@#G;hrqR;@9BILKofADX9*Rv$tuUGHi_7q%2H^-#V7;kXty}My< z*0tuX7#v!6IXqNbwaf4`T(o}nyi!V4r}jt)N}u{2=D0}o!{-_&RuSMOG&-L4&GcB@ zX>Vi!ZbKN0ub!tx z4G;P$JT!`%J#NvX5_wEuC_7N5JhA1jnG$=~kzzj;T;o zQcJ_#IGKdzQZqI7KZ2V5-63m)S8}c0V5}F(%CEko={XHtv(nJ(d|Xw$xt8hIL+cp| zV+*>z(@;vcM5sI$<$E=LASYkMnIUgtW&MHvLKc$SQWN4^R6OCafH#qQr}fK~4EfcRK@O45^Xe$-IpU@en!B!Vd2x!+ih1NG4+OJH(V` zZRS4S4Q;_H-3q73qyo#KXQ2o45z&YhZw?f~dgVNA#B6iKJ_XZ`kqsjVj|iR6l}_60 zBz4D7*E_MQlg>R(BWgaq#BMA2>A{>)YVDP?ms~M-Zf>uQW_nukZ_gHubx(-i8-N{Z zBDxTu;w)jb=K{NFERr%?Z;8uA_w|jQ= zg7dPdRg2BJ>6mDD_x4y()*SqwoYro4ck&UD_G6dlr3PfJFS-*3w${@r47PABJRN)j z^7HuuW4L>JL&TbAB=nn`w~yZQyFrkZcQM?2S7QCUQJOvuyGU`Z&SJre0#4BB+e}L1 zeQCo~gJve+!hUZ*gDa})3gXh9uJ_N_o0^VPY6!v$XDu#u%6IpRRvC1s zElh12xR0~SF2;)w=PHix;)W*z36|V~g6QB#)N;$PpZpW^7>_)2v)xu+Z&vNPvhwoj zrfG+xklS?r4h(5L$Y{rLD^gvC1z%flpT2w?*>YP`+Q?R@K0){J9}i~^IHAeGw0;Pbr)34(WIOl+wFq)I%=LZ z{eDq~Eh6LWVe>zJe|_NCV~Ze6{vDopbjwzBs$C%HIBz|*o{jx@aKx;FDVmAD?t8$w z5LJrA*En^4*{~ySO-wOMp8Mv2AS3X?m>%M3Y9?fLkMtsOpVeb`ry^(KPX}t{id}mW z!Q=#W*5`1`p}n1*dzlJ{BUPg8+LcDllkZ>z&m62n6ciPSiPKY#>Q(>BImY9au5?jYp5n27%3R!Mm&hOAVfQZcj=gP!lZ9MRC6A ztauZ%o$n1rbh0`)mFg$IqXNS1c*jD`$Y8a2#SqxIzeZG1eb5wlRA zI_^i^WD5)D-OnanR;WOcFbm0}(AZ(9y`P>L(4Oz;J}~u`6LH`|PaaNrUvM3|CNfc0 zIfZ13YPv1nNZbtZWp6JKM)MVY|MsnApOnpUefUTnv>jmNsYI+;3TAnnw;F>)@(6jf zB=<_elYeQl@SDj}pXnw?GL1g_1bFd#d^AXZmgMv1U?BAH_A0NIkgg`60Q<9xCh%R< z6(N0K8XB<=W1{2$w(1ysGkcq1XSIQXocB)X9dEXD)fYm6#S_+h+DM5!w|f7^d3??D z&YhO*e${}Qnu#=TZ~R+3o_?kRg8b;o%9ZX3`zq_KgxL6RH*rtS+|#rF;Tzo2w;@xe zjg(Q--Gtvx?Pc?9PFEuD$=x@$en>J}IjM_v(+F&poA47A=B&!k@0uM0k}PSZDblvK zaqpk@%UnH8%r0V8YV$tS3V(AC%g=6ekX{(d#`Mqp#QDa?1X1~9YhlvA!mJuv?@lkc zDe0twe10eBmU|bdQ?TWuYsJ^j^>`3;p-3gZ!W~bf&}vQ5Z0!93tT54 zom*z1JW8C=9Lr}lxDL8h|8z{+uUzxuPRv&z`*f z>cPK!yMFJP|B=konZfbzkj02HGr!tx+zfdAPbn)vZUEB+?5OKHCQ^lI$8+2*f7!+0 zR)HQcAKz#ypjrO6Z@{Y}o6kP0qCtEfv6 zijKSPQIFv|q~C56k+%LFgdMT&v?ju{SbZwcpt$8^vg!H*S~y#E3sL%mzXz&#HZ#CG-6&x(n`b!%_b4!vwnF zfB^OH>;I%%-U6Jf--stCvTS&NKk|nS{GSi}AqI;st*!^W`TLGrnPyD-jem>N{|F!d z=g9v)$-jbtf8YK;-~3-~8U8T6|Gs`x1pVO{Xa47OMO-=#-vuSF%$Yux{CiXXh~E7D z^Z$J8|2)@UwZp%M{-M(Tef@JS;hE(bcYFa=>|wMr<8>UD6Vr-Grkvq5O{Qo`Hr1b$ z)Vc7q`waL09J}K-Ubb!H;=`jSU+{)b({d87Sk>PwIEZ9^b6Etk#elB?I4Yf;RSwL> zEK}JMS%KEx(hwiNFkUU!RrEDK{N^-`P!Ne^R7VAPC7gxVs$M6;mVK<5e+E8gUw_F; z$2o;4YRoV4>PLNA+1mEJO1`qRk{UKwu{uxnh-|RD{J<-*#JNEp9B#bGHtZC*?s3q` z;#?G9h#1?5St~3>x)ZKnBw{f4or`WoOJ;(zHC$?A1Rw{i@OK51hj;|$qvh|$0Mmx? zfuzzs95@-QHnLXro9+kcZLf4T-5N;xZN>XPqj|sgc5n54oZ!7@q-33i$tLvH&HX>XEPT*;*QK@!j#yi-`{^-yBUt% zOfjr@C|?Fe-fajUktcYaDwF3q7J+zpYW+#TyIXS{?il|4v`0VQDH%Hwewv<*`ib)o z)wy#Kt0;=)5Mnw0og6ywLl69-KyyLEQN7)Z%5%KzX6=SKS@kX3IiqKa+%X_q&tKz; ztaTp5J|ZX2(5*3z^n>|6d3`}K#(H`_bSp9N7Y>f%7YWE~B|^F6ptEzt_Fc?Wt!hlt zlqv`lcp(QP`8k4BMbzAO-xKoeFYATJ@{tM(S{e#kFefCm(dU$pU*Ko_oXiLMXg2jq zF^m9uy7hSfw%;~+UCRT!<>We`qt^(vbkEJ?0RVVc7xTtU`hcU?<>KtNcl=bYVdT5Z z3m%t`Dbaa6=R6piVFDcZdvI;>XH(9DOzWEZGehj>R=uk*_qp>L(fdC%3aEvTu!_cu zS#s{%+b5z#1GqH3j4Uj)Y18oY*KgZNNk}eU7_ZPYc(*UxiG{eWP98q+R6xWO4OOYf zUXDeWxr=(w55|?PIu^wgsHv(SzA6han+z1 zztB}sh4qrAc%N^w&khsbjo-%>&Gw#T8kv!@>B#nVJixo5S&15C%}J-^$=8J2pKXZU zrMq_S>2L-@i;*S?(enfG7+FhIwggcRwaZMzm`u_|^aWCY0B_EBKJ^x;Ke$E-$xzDG z)}mVN!KUWsN zNA(W?YkiMu;IY7`eJC>LrYQHl9|Z-W1qF8zrI4ld^qMCu)93S9 zqLK*o%vZRO@EvQPF{_N^;0C^J%yzBg<}1j&UL!t9fwXLmp}BdPabM$B;&kYya}A#$ zk$l;&(D=$NnBHP#pRx3SW!`{^YQC1JX;U^LCQ>$0z}$>B$BFmC{$e3kOr9goV_DWMq@62h zW4t~ZYDmhix!>8oz2`zGGz${@Q^=l7*ZsDs%5CgYy7LB`|Ib&Vv>cqA%1p}Kn0Jsr z&x`A^)9ElKAltQ!tU%?gSN0i z%%G#CRl5EAhpRWM2&s3fYnfPh1dS?bmY1jdMeWCl27D+X`S{d8Bemmo>wuZM+Rlv9 z5py2hI;aQ0Pr#}qt2aNmKUHbzj6Hoq=XXdN_-)F0i(BgwF)^f4fOI&O_MmdluaVVo z6El^FLvOn1cr{Lok|u@TLCTEN;~W{bEGBhEiG@Bz*An-vxVE?^;;k6BLCVs>V<%~@GlL6^FTCmf(n z)bzBLgL$R(tRxEwYSR9v`j8l4VhX!E(E6mrI5LawOvFKVdzVb@YSPq)VslcYy;{!U zoa+UL6qR;-cjB#oQ?&Mu!mLxMFWJ<*EG@>KXgZPUa3l$oqo+%HhUFSUP!koE!sP1yhKJi-8KuB}*6^QzMN@7%G(9?c)A2eE zdzK&cjLB`L9fsR;iGQk_zpI-#cUyglDan)mkbozNmL^rmn5>D`&lbqz!zodW{APEbXkzdr+* zr=)DX<6@gkvy4$+yau==ht^4fBQ;AZLPBSJ{C!U2#lViCAh?$pJU-P*YHjN(08BI!r8mU|62O z(ca#%vZ93F?Y!Kpb6_!xk1|Zp9r|B0#B-mx6D-#0#{vswa-wiM`oI9n?YkRs36b9G zI-IR@b2!@H(p1BH_1iqZCnbytRtDE|;{VA&Z>S#a*bG%%8Ss=M<236q*7X2_!f(?3 zeuT#|6Zk8l)(Pfh=H};T7%HbSnL#GnLBxB$bY7F2y@XX0b8jH5fH^R`wA5_wyRByB zcKpU=p%<|@?wM(dbn;7k**_+yxBrRfWnxvwWE)IEdN`Gip>liL-wkXX)(6?CfU2kt z^FX<8hYhjTxb9b~Jq3j0_YdZ_7q?fDj_)vo`q1juB`=DF@$lPbEK0_l_5m&p}zjUZq>EQ z?ufN2x+KDxlxp+7Ml&B?8UYVl243ee^jlu*%yrx=Ij(#T)^`S`r{SEoqyWv{nLi`G zv;QoH86@l{`JTD89S{brwFGj`V)-z`In~c($VXKO2)Vtc0|4S;VQ4x5GaL%Ot-8{q zD`a7EX+{@8Cd`QQM?{aFo+S7p@eG^AS-(E)_&F}8Q=CS2knnAV8S0m^Iq$lTZjh*j zp``?*K!dBI_ys#N^Y%!3u%3YG{UXQkx-;hXb5ZZD$(p2#f_hK4^JBz0fY99zK#>W> zrnhJ>4-7s@Kl(!8d?}}FNF*-*3>6k2P;Oq~c{YywTLNkzUw&}sK zOckwAq1RjqSZfoL;~_MH=i#pS@_$wV2<59xW(>d{t1muVcPMkYMS;~kbGDwdtMTqR zGu*^!6g|vSFp?(*Yun zDhz$-EP8H5`{SGM4bP)>|HZaDc|5sXh|<$3uMa&^oEc13h^^EFC+f79Vy zW%DW)?aH=+Mz4eH#uU#}y$Z(=>Ic8^n~QJO8DE*Z-J&Z)c<7i)DiR$inJFpD{*+c! zuKjZ9w-m^Xo+bt(mNj6K!BG>JBhgb8B^j+z0Da$L?ZPjl zWNI2$k79kr-RW!>*wKfC_N_J?Ti-Bgyn-XwvBLl&xDX~hoTBS&F`83~b+3Mt-a2OV z_XiyZ{{)}^6QG5^%TY+j{4G$z!O{CZ&>o?w2D9x`N1AgI+p2wbclo&rO0KMomk2jU zzBcPIW$rB}goA=Cf}MI%jmAo!-IZSpDxqH;6RJ$^k!@_tLTfK8&M8jz<)MK)^t5qrYD}>6GgRaP6PnRbRg_5l2Q8J( zMY|>+A&LZ6C4ED@+=z3OZ{1r7cB0PnDrRU8x!;vG5C zr={Dfa@qym#F(@-Zr%C!4iDP8(>SWdIe&akiH)$`JHKn~?4SLyC?hIlNs#}FPH#+M zW?Wnl7M{2{etyup%M%&GAsFYnBWu%R4Gy7JsVrz)~G;k*yrX6shl@Yyr+LV zRdMcNQs7&QXcK)?fnVMffK#@t*8GCTo81`uk-_UQF&=VC8l!?1v;`eOfk49SN8KuX ziK?$2T1$8%6~p-|FB|_;UyjocDk|P}tOmZjs)}n)OZ!RsY15yh1FM$sloce!9I~B} zjaN0z_tTAwMzz@P@3D42ok0^M#rtO&lR~3ZM}OS<{}vn?l8G_S;otD^Bcl#yez0=_ zueFElyJ``a^!IeOHMXUdrv(M1y@BUu1Pvd+rN)M&Wgr)ai8j!GA6Y-e!#O?|0o(R@ zd_f@f|37t#dy*4ixbK(jq&9wC8MrcWLjT;frlR1ZrD@x;9bOP(^ZirW4#mO`tP>7P z9TQJ;wB()NXG-RF^fK2tu(EO%jUy+Z0n#nt_Qp6#Ba5crhZ7tc^?UrSVZ-@6Q;g&P z|6jfsevjn^5q<*Xlq$UTnQFF~y04*nB|6qOsp13_fyRrS8n4FWBOP-y@`E-g1q}Lj zzY(t%`JcF7KdIgz5%YCXmR$by1E+`g-!d&lN@#2(C>&0!9B2AqjC?^RWCa-J}e zD{N9!60fn|iex2Xh%_>^K0#IK*GQ?;=nBNZh_*1Qb6w}{9pIWjBpw(U?k?TS1*3JL zP0rae-PMt&?+nJq`p^;xn$SivAL7%0O7$to^be+r|EF&Q`0{=VvbpcfN(ylc8fGMj z(oa9WQT77^w0G4K`tC z{*h^=e2S!l)1G`#V%r&=yC)eZmd;ItPXlWY`03VJRmPmVL})-}{2v&m?nha6{)}xz zfHZyD+6QY@@l6J)mdPeAj&bITE*WeD@$Q)8P>Y*89~S{;i1p4PhVgmPq&>^)f&mT9 zcqen>cg~A+Pu%6SG^)|}{F{&6_)bRbe~Fv8*sXlpYt5?y%ddt1U*v12>rc^SCgCeY zsab{C?;`3P`P^Yp&D#80@Qw=_2uJvz!r*J1x_QbuN}cPzpsmb$fW|*V^7&G0FG-7b z&%SDT|AdmjUuT_!lAYTBFJ`^=FBFFJI0Trtzpwv=Nd2Ff*Z+Ex{h>7X)t#=hoooF6 z;%yi9#4~ijHUIbZKX~0g-Bfjy@h^D9pZxR3-`;E&X3taqi@*IZ`0IawE}XhA`ZgIE zCSfTGD=TI0HaQDB@@v}}Vj=z=@#`m7E(r2B%8vVcb@_FW) z`hSXladepAtMRb%Z#|L<#yaxQWg$4S!I!w5TWRioccj|OY_e)M<)j~lo!!F*hNetR z)amNJHT;WPO^%Msuo_#RuP%(8tFi?~fZ1nqQFh0sCgjyCp<(WSE(=I_Zk1@joZkQN z*m`M{!H5`uE_Xy8{m{jK{gL8{PaC~;ZW=9WL%FoPoWbKG8@n+AF)~(^6WG!0BWO}Q z-gc9LSh#)7Px^>v^>wa>KdS zNy|W}+29}-`0){G)|*BVhJ1y<#J`WJuJB4&7cB~9FLzjMyPB9=daFzwZY!IjP^inU z$e3&xk9VU$mqE}IPp;u0QA6%AL!XMet8%o`g;^*fAyW4sQ6W1&;$e)+xwC&8+ibON z`bfQmOexod>pOO3=mSY*J=+N>_mik7;6($1e^D_6yM=ypdhIz2TV&S-g5s;vFGfZt z_k1Dal?P-x-0brbH+HznHF!9)=4`iR`;Km^p_qnTE1jPdK!L0o`|~_V=(Veq5Xd^| zh$EbtL%&H7zgZCfol!S2!_}gcrZ=b~s=iJ0=_9JWrZ?ZZ=jit)F!))0CzyR25>M>r zUgjodWrcJTYCY|E@OyXvU}>MyoH#% zudiCI+VG>kAk?X-b>?aa_83&N31K6aDULi(5QAo#*wbylSyIcvOIJZUUQWRjglolF zwXjO&1Cp2?&C=z}F7NY9ir~>Lua@YPy*<~f?gZ^gbuOU+UKj438>oB%yz>&KH{OpE zoT#MWUT2~#mzz23o0T+P`9ha_eWzWL69^B5#?8|lfx`rE5v)~X)-0=9Eox^!SO&2a zM6*)hx`tfu6uGxqeFY>4*JD&`yBrRjQw1o6?M=7ZMIT)Vdecv=#oPJr<>|(t1lurfHn()KRjBx5X@}(}SZ*sC`3xK4L#Lk~Gjzu*&qH<+%{U>ixpn+VK>r zYV`cVPu*D1t7Z8V)&JS;G_BT)Q@Eo~vEj{N=+qO;jHjcpdL~>bp68b7eX8>SX3^#4 zeXja52MeTXqrP&Bx65O>E#+=bxRD6i)Y!m`228s-_T6rFThq~fFCAFx($hGKXH4+;_pZ&ulaVQLe%zg_nmb7zdE32$ z@!M2AeX=ULg1KE1Dq~5vgzeH7g1VUOIThWW+>PCwiIL3A&CV__FQ0>dpT$8iGXX48 zr`4M5(IbuYMXOuBTvj1ZpT>$qREu&hFI00se2}K|I;(s`9d6WH_%yBKmQGCX8$xF* zSAO@4G_xL!nt^O=l3;wuodSPc(ima5(y@?^+D}zm(~}a;82>}lhEMc&jO4e`$eVV>85UIC)ooAQ;!F9G8V%%** zfe8#;4^D5b>B4tP!D4!+b(DNwUVT6K>=h+qcwP=1Vgs{_t1W<1S&nllTsRT;(9GQ2 z@-@V8Svjwg@_l{uqq)VIOqq~`GGrq$sf(5sqU|t{k-5s|>_U;)?~pIXrmh@bnw@d( zW_DWceDiX9+YzXLA?q)PQ;A6*5!j!ekCeQHSx&g8xu3Nq7luJHK4g1cIAf!Bu{X|Z zQ?B}nk2Sb6YvY-P8nw1zNr@GOk(8%Smdh&^S$*DJsBYAmoE-Up;?oC0jiIMa(M!%^ zhsjkAp!Xl^A#cac`75;q$pg52PSip}jI_l~Ke18^p@P?7RkUezS;R+_VMAsUBro-l zlibf}3!vIn*d4Ik!Q@26i@*DJJX%?7#6Kp~EkH1BlDS4wIPLNHM8(fP?`?xsfmYHM zUQic!!t2ZE^0OWFKsBy>Ib3VGRkP>_&=R(&T3u1>*=*Nz=_*9lOFqE6?n&L$h)Siu zoX)iSffi_4N5nrd<-u2nQehcUaZ$C6g)~H3A|pA z04cX5k$}(}M&qlXI=Wcz+}$CkoKj)AuW)!IXb75K7FTeH+MPz!g)SfKAqi99E=(ew zjWcHF{b&^uBcT4rt|dWDIaO$+z#XGh>p_qNkNuHE^KgT=T+ZE3uZt;{q+rI8fm4-9 z5nKb8t|^tyAWEbyBQaIKtz`AuRww1}XO-hDr?f@ndC{mXNapMzp7PMm zCqR9YUcZ4jf4cm#DLP6rCnVsjhwu!=kn<6{l(F2S98Eni+CUQT96oJEoiqPX*u1MF zEn<&blaPM4>%hUjKdEh`Z~{mq4#OGERwnv8?E`BGlj!|4xCyMsgqYUblB&O%r{8oK zt*hNu6G~|}M?R%YxwUif^ppJe24f?qF9U)*HQzP?yyVPbSCsk7_jrtAvKG5gQLDIZ z;D5s{l(Ju9%wQYr4&t&5Aeje~fYh$YLjbs{YAx*Y@+DYg%=_-KO3o2I0ZWejSSfA6SQ^`*Xr6Nej#A&p2i>KmdpBS9taw}w<+;%Q%A^Q4cHCyNvz_wQF$yYFD{rQ#3ji= z3?C}PM4r(bJ_NhuZTy3c@zU3?<=6K@&rY4p`4{U_Ich!u)kV-;I10Aq5GR(So@>D)6h0`O z_LL9E>s=&ZC>ea7p)U)kCu;5Y83L@ zTxy5kFt zat#J;<|ZX)U5)owpZYSU@?3-UtbL(}Ev!=4n?r!9`?8N-6A0^zrAxe*?0L?ZygO68 zc6x!YvYoH~-0z{PlEMWh$P%Rq>A5h8di7hk+AU^a5Yfdt?a7D6mUtR_y+{mbyNfc? zGjf|7Kbiiz0L&r5#)#AIBobDqD=jVaUK(pK_;cV|?Uo>Uk@*pP|M$9^mF%o6Mf0*< zSW=zE*5Fv8RCVE~iLuNhJ!Acs#%M_(tlAnyBzwe@S4Bxn3q-Cd{4@WUG%_6#pgSFi zn)c{AzS3F6(Wg}{2?59Cuc8l7qgAo_%C3TLGJL)uHQ32nwdKuQ;HFA{V&2ALR!NY<+m~+{aT5e2M?k2A5my;J1 z%0Vw)9jI7L&w}xhV<4r! z`jQLh;J{}0uniy`pS3XjDLrkv@{Mx(_- z{nO<<9-08DY8}xI&Bt>E(+-c9os7O08OwSN1lk9}!UHoXoWW8lwZ|W`5MDAdrdrx8 z*_?}GzBI)M0O=wZuQwX_td!KxLq4r{+_qwsZa61_eO!^(Sb5V4nDAyS=)))zo6;;$IXR?ynRr z1jgzh%AcFA$8Yiuudiz$A5%G1CYEv>#mr{tiw7gMY9PZIC6C#4Yb|_34A)03Lu>en zrxeRSWl9$m8nXA;jx_wverIR5TyDC8Px4}P6p|s}Bz?M?LSjDF#cQcRC1i56ngU4c zy-@5~(P`V=K@*q8#-^D%*C$UPN<1GwFQKYVST*huX=-VS7=^4m&)Q6*2C8Vxc?QW=VJUUIA5Z%KebLWS5Dq${`7D zl731X2Orh51)7zoj^;UMr7jrF__!7bEeBDsgS$0wyqDP#HxDd&7VW~@wIB7TJ6eio z$-T}|Ks=PJ&=`X2shNBxMV`&Cg|{Z0Ia)8Tue>Kb_^Of|BnPKqbS}PqaQJu;sQiZG z?bD^Ly|}c$Jys`-zJ!jX8Xgq-7z1Cx7?WCtihuWrr$S0n7XQH3n5=CWve!6X-%C)* zR3Sjyf-%xi`JU3=dECM->V}w>{$!{ppr=Ndqh+OMrC_h;YN*^}SLhlmMySOgSX68T zx<4y-J(NWD9kY`AYF9@jdN2<)j!Nbz9Bz(A^esA?OnhAZ!l|s_S|Rx|zxpi$yC3e^ zhF1y=<2&bwm?Fa7PriF@rj58>WEV_vqMW9dG|$()SH#E6L~*!QSX<w95HtvXA!QGqlUv$v2Fiw=Lm=*BvL$=OEv^C=2Lo5@-3#PnUUMz?~ zEaSzF&#LYDq|0umY91wK7hLmxqhMx`t=k;%3fT(Wlo61=yrDB?=lQN&UNY`c@RAUXWXc6$Qj-s!lF|svKENbH_ycVPg3e!D&8V) zswxgrq6$zJET#KFg_#-aRd`4H4&_yC49|sNH}ag!)OqLx8zdZTf@6!j6Tikgf27^p zvl*>02qD<7jg1}5*JC8&4!R|c=%!06BP}{aO%9GuHjPfEY42z6$3!;!c*>^8o$f7G zvGmA*FR87thJRZ0YQ~Pj=}%p2$aVI_hK8-F=N6OQ1c&+%GK>#gss(0b`{wsu!47`v z{=mN(*x;8fWHV|4Ri+u{Ve=?-;*V(S@u7?r<1c{_CHofyS5n4a2=&{{=j=-eQ9HLS zrShn(7_(`O;MUg(YrVM&2U5{X52HMenwyq1V+g;ZJ1PE@#Wb9VN*Z_B#9lWRHPTKrOAzw6vk79Y=1SUAne z{mjGBcHYRqMD6GTUaZB&FJQw_RvunYdR$c8+8SMEv@0YmW8C{R^+Snc-a(9Rx7S(d zOK#7hptPUG!<{p~Cf^w2QecbL7#0dC`ICO8M8C>WFkU7(fQ?-Y^|mRDNe?p$QUvQH z#bYaN(jhFv++jUktZ-XS{jQjOG&ZP^m60tkI|{}(u~EfgaZMpo#JZxS^u@k|Bis%J zO|Pqv%p4Uq8%=tX-tl`_P@S`0cWuLDDqUak&q9GYpnhp&2HrU=c$t{nW@F(B>Od{i z3#kEkaqyE3M6!@KjUc+bd0e(Y%V~4E_PA_=9 zPgC2ScokQZ*<8wABwQSFRitmSD?d$AV_&MEew@=DZyH@8y<*2l;H08nOtOBXc;;R_U3d{SeE5>zt{etrg`5W6yY0)n zZNREt>)))$MQ&+nya)Qrt6GT^n~nj)a^VT9%&+;HQ095QOp*FUM>TR=O*3xaWqR@x zmst4lj@9CZK^9?ZHUAVnGCLQ#8c+HTiL1Fd&G#8$8PE( zk9c{)EA$J=V}uZVpoZ`r_Y9mstxePoc!gSUT-Zdn!zHN56IO@*=qwnM6=35Ny)BUHIe zYHaMyU1)4mB*e0O?~Jy+JqB!!YVd1=l?Pz;jjP2G%d5>{O==^3dZ5DXs@5Xe37PN4 zRPtQY`yHpkpUzayXjfpdq48>%GmT%`eG{`r^4Qfhf(uaJI~F{FSduFN6Hec z@_wW&^(NgtEP7)o5WJ{JR*@)szOCfhk0uXD!cSTgaeiRyd#o_MKd6 zNmnlcRzt0EI8n3z+WnKw6yLnD!lL|qi_!AVD8gs8wKeq}#3dO^Pf7~DVBgu@a9=Pu zjBJ@sl#r=wur#EXf~>4ia*)iqtm(|%P)rt)ArDPmt#0InKd$ufI_TNBa zvra=)4XK|cqSl`!6>PScsjeQoZroy^u97~ok$gYYY>K5+W~f7ReZrf4c4dCU#88i9 zL3g|ErRSY7iTY?gzSdtF>7bLxRS~(_EqF$Ln$gTgf4=-$&hb-s%{-OR%`uNEBRnBC zXGlYskN(uNr@wl2VTWVvvrp2*=D%?G+94~OecURzwI-Bk3n!Q|er-Nqhd6+6aqa~t zwhrk~^vKV2Oz1S_p`bvy+2eaVGy#y=>hxe5Dq+t+`qSP0+jp8R#$A}Py{vRQ=+ zV&f+3sIVBhwn=$nVD_ZmsF01PvW9x>X#N9W^O}!D0KifxTN$qQ{3e6)Atax*$4q2o zN<$NPDISzTVI3(nCR2rUz0Cpf(c%NOP zY%@~A2cTFFBu4}}y@rG-Kp<4W(k;oHdq?cOYZL#2L-8bNocpQA;8wU;(7Pt)F>C7? z&*`<(DSpGa{8sP(bjJiqGP>yJ4ln7nDO}RU zHBeTH8uF%m*QI-e#^8)=diFgcHURS?k_VkDSP?pMG7XV&f<`vHw0m~WxsPt&aB*Z8O4SdzcY?@K)%*j%{Z%#?coC`0rYmTxow=!@*^Aplk zr51*v3{%V*4yC;c;_dL1Is+@S!O@S2VX*BdO6d|~Z$Ki~KKD@W39UJP*};}a zs2BpIh|%vT)S+1YT_ey!HIU8?I5=$TRpM1}TZf%r+U=m%If&7Deu`5d#Wyss31T)! z_db2v@S_sv-R3W(>3{H9C+j7jL(?R_r#`yr=1cu1i;HZ-A1_Qb$#6Us`$dW`7nTTSYu(W&)nw$X)f=?&Jdo38I)9;33h z8-!g?ySv%zb6NY)Xsc#Ff>V!CRUiLQjXERkcZLr!GtLv?B5@_wmyLa*NdlOvONq?E zC(Ytu=bGsmZy!>J0?N=+0Bg$;VwBBCXEw9!v1=uZG6^mB22h$+Qc_ZmtsD+ZCia|V zH@q(=8gx@;FJr6hMl@(8rC~f~2gkpEe~w0wU_w!c&6i&4FbjI3q~L}fEHElBPLjZ1 z9+E!nIYGC_Y;akQDBK$gXz=irR!Mia)=3^6J-RTpFm8X61{Vsc*u9@~dNh@5U7vHh zLa{zw1E{Mr@Xr0c!FRk$wzff@XI%XJ@%gopi4vD5;#GPhRkQVN%jqAofpZ9R;I4R^ zceA2kadp}4Xn`9E$+aad0>S1hO!QjE`gQI7%pP}H(0)V?0#u>X2JMa-KgkZpHhBArbOyOARxA#y{yqlAA!~KfepuCndH9wyUc^&6cWTkCUN&o z^XH~88p~dtY86aLY}|W?xAGgqgnRW#KkNbGmmcs_{CQBt6aiR9iG7Rj{7yk34)(e` z-Kitoi*s?QriFoV2B4O2-KrA!;8|$hSu55)daW$n_H1WoN0TA0uhi$!GZ5NA;j|cK zr3nqq7kB8QJNxLT`)_>OsNn~^gM4?b^OJ2yfM|xYacT5&6P8t8W1vlsURc@suBv9o zKo=7LFzdpsU+d%{LXw$eB7`Zm4%!&0#nzSwS5k~E^J|wUQR36uTcXK)J7pNZR>;kD zaYs;|{4`DQQH?34&F7=~QGZ}Cq@}d{a@-Z!7p{9z%JuvtEC)hKwUUKTvh)x-JgS;$ z1-zG9~$3=h%5-e@s5lbdCb}$Hk*U0&8Sh(-{hnXYl?UJ{7mG>Uhm{ zMiK#t$NK>wUfBbh!<@u{YEKQ+kH+Jq#5i@;>D@1bMS)}kFbc2hsiT!SpqU|CSDPJI z*d~WLeq8|Q&YQ#bCz{mA?+LEpW(!4CAfqs|C__N9zqRWIv83I2t^3J8hX9cy}xhY@7#07IG4d6j6qgbSgg6` zoX_)n-={HQ>Uvs+;44P1$JyX9OkHoLhMSUjy4ZU;bdRJ46#d3;uy4ilL^bo?o)v`Eygv9h*?6F*Qu*In@3uAW_o z!l1%#0&A2^PpBCtZE>(aU7y7C&EAy4x-b(O8?hDJ@m$6~Fdltjx4%)Sn|mHN1f0p! z(zj12-<|Xu!}s9_TjZGHL0mC>9eeENr+)ae?2Vsyk#5z}Vfvf>of-x!zfHaLku(bn zq5)=oZw8Yt`z|naAtq9CVYqDlM`fkutE5}%$%35qr#tZPU;XPP9U@W_(mpM&%~jiw zAPf#gx$T#+sScyHL!+GsISg2$qp$y3rhVl2E#GRLx5-PekdbvWbBvP7z^X6nnApP$cY5ixeZ}k5A3=`~lpLMn%1!o+r zQOKP2?+;A_kFU{=#<`L=Q`$&@t1pEPU2SYeT4$0cb*_ikO;XFTOsV=?IiksKJB$zC z^cu-jA946YD0`wex`T2%a82+Bo!Hm0BZPr!x~eJKuGn9KP)V0 z%4JTIz*KGEJOb~j1XJ=j^FUhiAWg06Vyp3yLzqTh{`}lXmaHb@{qI>l z(QZB<)bfK8J1_)0N>@%#^u-Rd)Kwkpw3Ip*qD4pa4TQx;3rBsw6Ivzfi_1q1ADezE zb{h!&y-b0#IXPEO%GAtttj`mNE4*fP>N)s6g;vq3G=~OM7rhIC$OS|mo|tWx`9t%^ zvTzSV^TH|(YQ7mCSC4<|1W65|PM&>0wunvMRrNVM$s1!~bewPGYqg-%6A4O#-*6yX zVZ5_(=n6ks&rkJwDt09t zRF^2VGMa$crw|qB(a)ULh^%+p5{?p}Q@ zqp@W_XO;}M5Bdw%y7w*y^(E|-U}J)M-^nWhdOh;1(k5@BI19&8$U1fn&m0#D*i(PU zy~s)b0gOjcrOUikcZ!jknzg+}o*G+OnM;M8?#%qWt?Thf8sRwbk>sf>3{7`$?L#P} zz>sgZZ=XXcJDUk%Vc}eLv_vF5|47Rq;NH}cbvY$9!k;z1i!!|@rOt^o%*PxFx{_Oc z|NhCer2X663AN0OLj4d%)lN-!FvS5oC=Yer{A|fNMs|P1zyEznL^Apw=+0EhlNHJW z{I;5P<@-XQS(8Z?2Pene@un@BKz3jB7pM^~EbP5x-{ci?bA>5W8;R#Mt~yX~4$lcW z1c!hMh-3M*P~%3EFfs2*~*INY|Ogr|9;>UJ6wP!=rGCW$ddf!hBW<6V<4R zy64lYt;<82l}=^8eNYR|8DU;Nt3(NYK8R&x{Qmz?LZ2Bpeu@;kVxTUq%F~`}IeD;){H=14`t9UaS@u)z$PVo#7&X1IbeVoTNI3B~TGZ+OLJ3e};X1 zdgx<>uiyzb`qI^jRDRVmgmvniz4l2>&A#P%)*rTUES;Ph<=B<5kCVe>7t=(VF%c4}IY~~*Nm{}_W zgE7uICX^S{2DUw|6)5JD*tc8oh{-n#QwLy5m(a@L%CSlH$vlI<#A(RA8Klt-06*tx z=&)-5&%3LXQk$1#g$D_BY%?xiZXxH;`W2;$**?`H9vl;L9I(*`a_Q;2^?Nfls%>HN zGI5CX6MZvbpAuzgU3dh&&30xXxE`U)37!)R^3rbZTGLJ96iy`fc8$FLriqDzm+{6v|US*ACLn|PcM=dMWGPJa5G|k%H z4ghyKh0m|Rgj)xNdtq_S{XMdcV4j-<^^tmAa%Ngr4@+@Ycpu)9TEU6q$Z>Tuvf zbU?}kIdP6C&IGoSI*pkLXQ(e_i$yd2Ra@ zO~z%E7K*FaVVsdHc^yx02&F`vrG4?6%ln^t2H~=>zh5_w~FC*UaRF(maj(hTBh4 z3pl#-k00y0pkV~sC0*UJ6b4LG1orSVjtu1WWUn0q8WrF}PHq)=>vCYzW;GveTV=gz zmyne)D-k??`i3@mpz2j~PDk-{WC)s*r?bDQ{4Xx1`a_m|=PHM07+5l0y>OINB9ldI z=I$;#K7hJ->STGGIc@}V*~R-8rl^BUxcMTKD(T688W?Io4fQh^0-~CEG+GrRx76V` zZq~6ZsjYg2fwqYs*2k;K*H$-bB^rldTj%nqC{XTR_v@ZW^7q7V)+7cz<*wdnJVFX2 zHRo_$+V`eb5OS>(CMN_4nO^@GA7PlCTTlR+@^y6Nxtty?XDsiAt)jgN2cU7xXTXDu zS6MZDnFjxxnzj{2q z-E3!Xmn0Cj|7%%9C|VQLB}pFJK}e8QcJ>Gl%rc&NM@9c2W!)b(R*gWt+U~gG?Yivz zNMsvRMN(8$d}L@CYhk?!8*fa*i^-Iun0Bv_(OjVcpDZ_tVMV_h(s zIem(cO^tNuZjfZeT13TYq$s6MGo8EloR6jaTxTYON)yZ0KfZG(h97h}uuUEoA2mm^ z4Hv{pHA1KAn?^|jCXBq6Yxb@e>; z9A)9p1L=t&dcg^XF(JO1smWL|pg(eF8n?y!zthfBUVCk;J+{(&W+S?*gZ=kW$v) z9Bl7Ofyxw7cRNtOWgvHFAQvbK-TTw?#@PKG5Unib_-rz4rj0_q9$O-$p`j3QuShFj z`EhiSr61hHW|PsjrFGwC3?eSf(n%WqL!7EGJ-s#i)qxc7Ky}NlrR6dw>g4NuCXL#< zx?Fo{qdP(^I$r;L_yKLZ-X>juA{%(CBVQJr!2*EefIgqkEU}0x8?bXW{$;kg>6&N8 zKdh6AM*N7HScPU>S8B=3@Ee_>IPWQ6B{CLCKM107w!VFA+%z9(k#xO&!@K(7_0lpI zdwY91#_6nGZ7vp$QcM{_-%3_(ZvL*Yn3!`_Ut(twuf6G zdb(QX_7>V@>zZ&V79Fd-{ml~Q28F(jiD~|@&W_M3cA19|=Oo)ULy#Y16OsN)3vF^^R#bx&e`Ihla1Z6fNh_>k#mMV ze?H>pY|Co@t8zc&k=Nr1L~=Wh{8;mEWEdo-v`r0#ru!;q_|z?9@|jgG43V;JaE1@2 za3ATMgMKC=SSd97(ta*jr>OjW2*_wMlhjD!dBgesfV%DW6}zW*5;KGvlUcG$8v4>P z?x>aF9;@$qtzF4tp2Z_g=VEgHJ`SMrs*GRIQ;-x5POJ3S1{wF-it^65k-n8y0F~TY zL+wkQpOVXR_Q9~d+smtm!jF=YA+eA+-It7_D3PXS7*_?Im* zVY*wtR*cv*wO$h41$RSU0w0uB8)n*i>yCu&caCVu8>1{*`9MBg5#B*Qag5)ryFC15A ztolj{gk-FKs@qcPHC9pS>!caRG{>x3^i2zk(R8`@FeDh)7Swh&jnCHSpKGrB4GAYQ z{OLK~-C|tr^vm!kbIc{l#tGZF4P=)!5&IYoKzUG+ATCS6{ta_)5_2z2{VWu3a3zxb zgC62nyT}&rDOA(BA=bRziPS^#0e04t@0gGxeA9#r5-G z0=?jyrk|x(;&j^DqNOSn0(Q4x6b>26$o+R#m6H`|SPXj(fty$d;HO3^Oat?Z=D9{c z`|^<{-=&&tPW+- zgWCF-TIIUYauF40PeC_c_39C!DGQLWqD}x-5c+s+4VQ8CFF4PL#Bx*TGNUND2SSl) zeWdg)X!`jd%wg!2O;py_4O%JxS=V!2r2xxZc!McQG+?YwimvdR%mb8DF1J)Ly>+54 zYpmbtJS@>rgw)n5xosG{yQ&6(qMb=^XASPr7v4CoMgw|)&v4SZ*FOPM{X8Vwwt_yo zbJl1~5dNbQi%X#ucY51KT$%tD>o`DVze}znS5relk(=F^M}BQ-zRR)#(8Vb}DIksN zk6!>2FU~SMb&Nm!H%kH3%e4Unv9srJOz=Z#32(jQ6EC$Q_utw>`VdI-2C5zy1E?R~ zEZZt^m=F?h8QiS!vPygHi|-{uX3F&|W z66MRz2UIMjWNN}aU6;s6&!uQ-%?~hbH8rgYi}kSAQhl60DgY@6NR2?evB-)wKy5ss zFhM&DdZ$H6JFqs(a(@c-H>fn}4}}6;f-tl-k$^SWP2u(?-k0!)k9X^q*wo8pfJOCJ ztF~-?PO-yyL|M+CgRAhrkx;MI@q>@BUzAElmot8X+ z8TjT{m11V~lxEFOt*8R{!*yap3{vGG@Q$@+Cx8Sfr}A@i@~vz6GLmx|VeqZEHLyp( z-`vqFw~WW3Tq&Y8c4@|N@LQ~=s#wGG}Wzs^{}uxWd@ZHrFm>mi_Ffy=7kVxVjI zyJP{C{J!tN@vGcpaW}~hZt}1f{J^2%is!R2?^|1?u|=;id=RP;9({A%@%wLTeQdhvCvTPrYtd(j)=Rgse66LX%u<*S{<%HVjdhWH z|9Nn^<|*TD;lRHCk8njRWqQ#sR>|51H^x=^aI3D(y;(+M0yoIEfSA;Zpu8@-j-@|5m#P=ju!Kr1bwOYL$GxNWYZic;eh3dub70@7*=x~JLEGe7O2w7Z1hUy zQD%f#Bo$S>pQx90kxCCRw!!#943+wG{8(8s-yLdmxOm{r0j){4=vbgnZgu9y5p^+CkGp$%^G$$^^`aJ$pdXrFK;c1O&G zGXZ$MP2FCQ|EF~_Zx*v~4fiu%O+FuKZulc9Uw?6@ZC%U7`a1AVP zk`zLy*G7j&-?hz*>L!Yf=q<*z$X(nYc5!nrx2L9$ic5U{n-|(z8PR$$1@4-pxY!&V z%odJtVUuL7&~(vZ76Y6LPhibbQh17F`kk?=s^qfN)Cgijn!Sn?wQ(-17)C8aZF{l5 zziIrdwCA(HjeyZ%ai2~7$wE$`@&GV-R3NgS&aP*i=`lhf_<+DU&Ba;3Nl%^nx!Htv zrGVO$cC`RFi~w1ky=DR8(OJ~q(vP=bBZTIEmQ z4XH{GLQ}8(eZW6oIP~$Z5wkKUE_XV5)_(+KJ9gU;oKg~KF0 zu6DPcb+{yCb$D20v{L4LO~R1Y0nDfaij#W~e|ugqQ23aqvAZ;Aw>c`o(3^I5VMY>onwqzr=n|buF}OO%;xd)KUS`G! zh}eHYOgO3TF+3M!$9&Pru?$un1xYcQ-^*k*2{Lz|j}?r|#G#NwCJ=ZAGA0#!Ha@w` zs6T=&%NE=U;5#Y#WoW3bvwOKf((jjg1X8&B6$@P$N@!_m#X(MUK4ckLsz@I{SPy|@ zHrM4qp8L=k@kJzwc(srkzg#O|%QpvJ`E?#DOQr+fLG(M2$$B|CDcQKnot=}k_MiYD zIYMwt<$Y&*f^D)IDA0zgYkOQxP7D`XmyGjekLjBSST{C<<>aZVT`gX&$QfR5J1 zH+u3x2jn=SEe5u>sjfn(Mm97KcXsv{%!TO~5QjN@*8(4sM0;UbL6%l#KhX9wt+pPj z)DyB&ZLfORt)Oy$DB4ezkOIU1>9w>4VMZ>KVuxP|SsFz_!loCRI#@UaES@`R#3gyu6-!&CK%ZH7nrpMcYvA$d-c25#L+>HXCz(zh6*DvUPB^z;x9l)v8 z_r;rUtJ{kd36>ynDOdJtJJ}N7jEy1#%tloE2IUIW@;|eo1NsImUP{Sx#cN7j=ZIm4 z*oku6n5z;l2!Rp(@MIf+pKXq*G(vn!T+>-OPfO&a-blVRNgxx81QWLA?GnH~!1Qi} z;OJ5d3%2B?1RPIK9oPbA?5m ztKBIn)L-({_{5)ka;4~YSd{QW<~fI8zPp7>X+EGV(42V3yILepTPrc~MGND@u2Nua z^rI@k#Mx65N%E>~SCaxzgbs@>*CxqX!e=u{Ca+&25*X3}q1Yn}8;xId!2J{LRy_?s zf$&`}Hr66e2cSbD`bTv2ZsBk~WU{a^wuZLj-{bi3&wqQ@Clm04AW&FzeZz^F5xCGT z%NVztv++d)e&rV6d=!0|olCW2%#ZF=ZN-lwS|`Vhq`tO~+J^uWhc{{L34nr0ohrE_?jnh z9|W*W>-W^fY*yGAKE0U(oT}xdSz0L{J)K|$6v4gHNh>PkLm-yh?U*SPRDRALO6k~^ zkA}oK>dD8V&=;GzH4={uo5+ml|K(wSxN&r}TMbUR#&rX@Az*CFX{oaw|IBH14(j}C zGDjSeCDChKyqV^#z=pS;ripX0w{oKk`dxvfpXFs`UKCv#4rmp;JMn&xuSM+2@zWDf zoeE|UAarR#I;exeWCZ*zrp&E^qmSS@VUP*ml<~ayf3os23k~hzt^zbjFxV8ssO;)1dOcd(>SVoF+ zCU2qDYBC{lI8q$EE-4!HMoAXBE)W}P%XM|bDKhNZ!2up@{)~|pZ8uj{y^SI zV}op*Y~&~J_sk>dS1)@!TpwBT?hB*^p=H*ZT{@j$rl;}q_K zwkClZIhnVH8P<2mqhcJ6aD}!t3Gzsfo)fP;{VXsUEDq%*sx^Quj?`03MbD%91B=8k zxo)B(*ryKC_Eo+rYu7t9=m*Z%>psC4g)PHk?;PF7pF3w|O~+_dM$|oe8T8@cI<)mc z(++wjA#;}M+sAHZpCDs3xWR8X76ttmhhyd`C>1TV68x3Tqi{p!&aGhW>MlrCJ^k-G zrtU9=;0nfu%3Ba)1AWj$XW^Ti(*RF@V^GPn?H;FGn9DG0kq|O4AEV1jvtryg)|?nR zLH}bpJyuM)g%JfA!`Lbr?S?1$_8j@s!!n!pnN{)%jkF2M+LteGuFzGge54J#S`9x}$Hv#>4EhyhtX`^3 zgh@WScT#}TAvxvFQ2;GJF=;wxXolj--q1NJH$S#b&&bN+HR{Gkmma|^yRG5(g1xpD zf^kcpTPgU|m}&;=zcYBJ0-9m2e9^G~?8yC#LWx?SVyJB=q7<)Obi*`Awr~ za#iZA{er5fW|MrQK-wFm?=jMhRMQinjm_2^P|!%*#DjxO|7&L&*uUkZvClm}(+~@S z&;M!y(ZG&+HE`w5xif`^;I{B?w)+3?!+Q4b5NUAO{}Ou-8svf({q^-vlLHXB{(q1E zr{nAY_R9Y_9BLwd=WGKKG?)8sSX?sd?Ph1+I_f{*Ffi!o zwsv&13a-YLY@S?Vlc8{I6=1B_Dq_I(Ke+a|I+0*9sdu&O<8xl#rg{^E=qpd7CC7kv z?%28Rg(Hkc?u#Rg{S*}&;qQ;&cL0g#&#!+TUI-w)!Xz$v-{lB*Oze^#%TowFxm;bZH|ElZ1N+CY6Ci|yf|Cgl@P&ohHum4@wf0p{M zNpev*B{|x{2$qag9Opzfnf%`F#Pa{t7iNIc!_@k~YVtc+*YjbawSMf*do3ZML3{)G zC#5rde6w!gF|Me--G_h1x%wN0Q(>aAC|RU9S;SrBmOfhYQV~~lOz!>~X55@ToD_`Y zmF{yh?&)zo!~{(mdFwe~{k&F@b;l&RnPTqT@$u0@IG?#`IN!s#YYM!%BUAj!7m5+` zL;Zf+KfnX=@<4#wW-5>?YUPCW(g=i>Q@csBDH7GP}bY`51gnwpw;u~E&pzh_82PdhvL5U{Wu zcuC~QRu>lLMis|dkLs?Wkn>&I=o&pF(SMIp7sFZ}x7zhsA1JH(3DD1u)v#_GAPByG zAu8_YBh(W@s(L?^VoO8gx${ zM;g4@ZerbbV*Pbvz?dRBdT?U)xN$zNCe6P`_h9U`el|tuCz`Fr2#dtlLGq&L8HP}P zwZ7CM0-o&51dnVJ@;4gwz}F&Jwnj)*ig%@>gKln6ZobLCK?X>|YHzlgp09;!aaIQp zY_e1m^E+(qZm*mjb6c;L<&%2C-9OpnFT2R5v|KF)IU+S;qN9`YdY(#|?#>M=+P!Gu z{MvD6pXk7%IBm7e27Zn|PtAR}J3k)Eq#k_OYn+l98g~@9YtS6|%@JX_A}yQ9zde^< z8MC>GkJuKaKGJmlTNQfuJeP@pO&<;yp&1{q6qkt;04ov^mt&<@%~w)1=3@oFg0tp# z`0}5Fx%!4Kxz=uk9C$feyFF;SzH+~_Z=4U^IjvNr3H!z#Y?ji9gAItF?yHWLm6xAE z9Gl~lE+t|hOJHOq#s%xrGPjNJzoZV7UZQ2>jR8&-z zRaEJXRJzZ!8!2$U2RwAl09pOmxqV4GJ|SLe_iEqR)cRm{X)W0P>%uR;AXZ`nut z@E>znMyo1a>_6`slvh);z5be!oO3MUA#}P~7>Fy{)veq3(iIPQ6I4)YRp-X`6v$#= z0qRn$E7QvZQyw%rWPmtc{Yl^QPI|gRTU(5e5kwr^{vMYH*PJ)*58#({H04bCUre{nA-Oa3ATQ;1sGll7;Pu!b zfONSLzCW^3U0XZUKb%d2DEQT7nw6;u6Ig0MxxZQ8K5n`8R-^oC5iRg==IU5Yqgt|5 z_tJH$e>}tNV_JQE{c`1TYxC!`U!MloNBCVb9ZNrYlg03|VE`pMa*`4QS*c46=KyeZ zYfoTZ+JpSh8iRNTm{CT}&%1b&b%z8Zcm=MD0d2dL2|ea3aB+%Q?q~m2grB$kvVq^Lr%){?Cj2Sj7?ix_z(p1m5z93Rb)md zObps*uV~+sgu(7A{D2c!gN3eJwIsFK1=Kp3)8hk;BO7J!!wx*8+yurL#}iG4<|kaP z*GEs4y$J}$k_`Y{)m>IcAIBF>4N7ymc7HJc^$*&~ zn;;PlDeN9Kivwi4Dg}*Ja*iu0Lce{!DaUo@`FH2+2iCShypVvck@&9`Mst&IwOgI> z0p5o}VF$L+VKhvvt833x_;DdNAeb)yOIH@~syLIpnQH*?DOETfdVX7xBvIl1P8MKfGy52@saP`tWxwzOTbtrnaCAV>CQ{zn0vvyOTIGCOc6ZRD<-T3g zY+GJ@q3-}fe&JkM_y4?Z;ju@E;e~5 zyJ8(K+U3>MkN^jV<_Kih4&0Sv&_N!5*Vi~zk&W%Yt>bJIW+%YY_d(PF$qR%unVC1* zO~7sLzYRN#;*YHYzN29?jI_4j4M_9L2{eMnkoi9$^7|uD(cZ*>z^(p{WQ!e3AWpl8Fz6|6m-9 zh)=V0=Lq;2t9#Ws;u%gkH#!SF2tMY&ztb#jy|4dhhy@4p+`T;E9WHm~~5Y2ygTbyjYEvR&PW#PB$HF>0MOwA55o!v1zDrNL zteylGFI?uB7*9}@BoiG{bTop;+3e8JQZXFaQ#0TdKezxh+-JeE-Xl9 zGgMb!Twd1LnaC_Rx?^e|M~-Zl>YjIY)K4T49iC$ZX=)gHv@G8`!ufcOfeE{fFlG8w zcbAmLL@5KsN`-s~r0n5zAuL6mB{oI>Cd%fxsXS>}S>0@3@jS=VQI6x|)|PPq%wmU_ z*z~HvPq;m?lou6v@$3{zYfyguTEj)`GVjz5er2{EZ5BABkT01nDKoOzV)wAI8@#Jg z9~LZSqq-|=D4BgWc&%paA{A`jnUhS&e#q-|wc)dH6Pk=_MV&kTz;3mqsI2TGv!C8O zK%XWDtM<*pVvI;g;j*5M!q@d+Iy$pA21?I@3f5^xhTOki|H=>Ur!OGcuLb^C)jc%t z&v;#Tj&~O$(=#jAi}U?wvU}OL${f&=s2JrpxRP?%s*$>-=NQFr87$0;q=$a$$`Agw zUR+9g><#!}Av)TgHS;bl6jvj_CU40qM&g?8I_#hg+VU++;!a zpDL;=V*+mct*Q`5#P4R0C0Nwy`8tm*JTH#%@70Lgu55Rfx3bHpFidt?OEr~Z~=Omha$$oVnw&J4kyye3~j_0(M>+L-gg5KQtb*cwc ztnpk|>SF@`ZTt%rtp(5`D>IrbBLb@j8`jX(7pnNVJy3?feX3O<$4~VfCc|9_ZD|P2 zq>>OMVE(>;=WuiE@`+B0r9~8)QP7t~M-WT0F|6Nq!)ZURZx!QmHy{8D9QU$e6G>qI zI;wK__Vy4~drw)zq`W$XU$@wv$~!oel$LTd$_c4Eclj(suQ5&!c2IzWMLRSkB5cv! zrKBU!PHd|-iHLJ>5)BtJF%XilrfI5u7fx?-;4@umUnk@^&g$uN`Mv4rXrX=n9j45D z@#1gi>EsIvC;aA+Fd_rlji2PcvHB+L0vIhcf&F9;j!1im!oV-}GA<+ktCQcpwa780 z*sV=I0`l_m-fKzbD=kaQGBDEF+17;pKwGc9_9)6Ll9U=KC@HqLv%fsw{cK{A$$=F4 zU}a)9v~F5T2Qt|$V_E?1k(-$rJs_X2qzoP<+93r~7qOc7_;>F)e^U1K7rc_99{``O zJcNv~Ql;dq^x~BZbjF&pp_gDu#mK1Z=TA_|E!WjYOJm)Bdc3o`oV4J9(MR_u)+(^D z9wQ@Pc?Skz?-HojJNt!VT_PaxV_iCknG_aUeU#|SD=KhsbbO3;W|gUCE7qO7c!x+5 zi%-0?G%k#oLoWmIXardwgi1q`ke)x4DV9FMa*2_?5PETej)`SxwckCoFuoO&mv_RB zF3jh=V|y@I$K1JNoZ~U0 zre1;Z5kXK}+r3arsPr2jmSdw8L31WLaQ#S>fWXne>q%a5v1)-5K=v$t|ANm@gEl~f zb9RBCk-9U7|jGUSj4|7v;W)2Pm9ogy}Cb`DrzdijnM!Fri zq^txfvn3;Nch@SHBS#Q`id+^9$`wV|uIIO;o-zW>Z-C#+<;IrF?w)|KWMdSDE!%q5Tsf!n>P=~CC8^*+9>HXCTkzDCjglFk zMz0jz*i5|wUh?K0U&^#12|74fwvsct7S^o{pR7W|}!b_XwQz zM!3IJ>I$lD;BaHC4hAOcdfcDqPv9fybzw-YxSILtfB!w?D6mq!jbkV6#JgOy`&{7m zO2$QyN<;tCZpHS>$2yzf_|FCg7vmUGsjkN9%ji~=RIR6%CVjNKgHjm#ukHrNohPWn z+yxi3Ywm{JQ9}{hVlE0R?QC1G_GpYZl6CkfR7*8>4>nGQQR!>_|5kH+$!>*;6!QJD%E-PjtAYE!WHwm%O}Mst-*p z+yy-M+gYZ;Yo(MgQ_>LbT@L4Kx~;iIKaJh@j3R{2vC`aME#>MJosap_%4y3rJq9TJ zvFGa?@I*g-au>tHi$!ePFXe@G7mk#x&St`TL4Ou-dN_>L(Q3(Bw<6dwvQ)dZOKTnB zA@#7|I-mmH^tQnF2uTm;U0(t>mx1$*1`MvSm{O+zkFUL}9t-SnWO8ky5GdAYQvQt&NcW8sPlPTmZp8 zGCUR4zQ~(e3Y%IYigDm*uC#m_wAy0bX1qNZAU(qfnve6mEkR;xzCo}n6cc~LsMWw? zFkG>azw1(aU%AcaxO(zR`+d$Gde_?KyLoCh;3CoOMdTNm!K?Gp_VNN}CVRSo-o zQUYCHnKsuGP*zuVhhC`||>x}%SpxNCK^J=yFV!gT%Xt1;EdP&0m1VJvj9&$T; ze_)WIM8{#VbiWvE#i|$-Bqbi2*cHkG2wGU&_oUt*hqbbMAB{3pZt?XjR*!%30Rc$I zX;-@$u^i^uSQWN*^bP!gqR6 zD{${VgmU?7Z*LylLPJT7MI|lm)^?4TL>kaR`hyx(HMI)sKB@ZpN3dz2qS7uN8WKm2 z^kcYl(>A_$X3oxrQsNmhv$A5=_3H2E2l3A>7c(*mk%gqEv`l&6G3g+?OX1!(T%sS*2c$MgJr;7(SM?kwA%n&U;8n&!u3rY8cRyx z!KI#-jy0D0?RF+|yK@wX@0YB%hErG^FQe)!b4C?YbaP~-IUV^K`6v?Atrsrcp@PFD zjIst|*nXiGa`C)2xWJEB%)Y}XOmvJPA&ohXsS>2m)8$WkN>`Eus<#_U1+p5oiFj<- z+4v$;4tL5~q1M9)@D|WRwK?0lG>I9^OugBSZH*%n71Hk;ZdvIW`(o_bmj!m_P$io!t?0F75x(1AmJ91wP-kmh7 zy1O+AMhcagjgTA9F}2*7o=@`uWH=|fS}lf4x&nNy=H$&0iGBH?nSJ+6YoR{1XOmI= z{dOd_?(sC+%l8yStPb8Bfdx zyMAcj-m0kBR`TE=&tMWNcJk!Lj}H@g65tNdzpML-nM~60a&j9wM?$;dgWWq#*159rtOTFgHZgF`V)-Aca42z4rWq=^+?@ zIOu>cBPXXMC+Damn;z2b`qgDC+H6lVO?kzWS^o|VZ~}os*X{m%r1kC*kUOG9N6T(4dyG=Bn2)yc|HT$3OReOx6-2QqWbnH<-Jq1oXcL*P zwZxk6w0(-f1b&+%#R0kGmXDt%;UYb|UB|}`)uaILa*n4*-~kB=Kp(^O7>l$w%is>$ zIzlb;QZ(Qv3U;a_YM5oN@w?N~3&N?+xjXm(hkE4@u0G))C95Vsb zn_DmT>fHXmvE`K&n%7Nc<3kI8HRue@Af;p`4y9A<0X-0zVbPuy7H;zBlJ?`K>(6Rx zWgp(=n7K(O^Ip!Z%#0N40O1mbhq zO+S*%-?9!pCC&}Czz-Hpp4;AzWpF#M-oC$U_%51JV}N5JE)hrRr|pWRtULv@b}5n}-M%;AqyJx=fE?8>!8yt_jP z*ewU&ZIL9#TYxYFh{5wOdzSB98O@>{ch~Y~ z9wS!Gi6I<(87tG@`{7f>Q*T?pMl#$|olP}i^6OnBV%2@Rq&h`!L9owY9Cv8G7(xP^ z7P95{(NH$P{AiD%6O_lzH6Hdy$?u5|4&%zYATrodR|AhBRTTm zNI`YwWaP$T#p5ASGW)f}S!J}qU;=YE+4qBkMU5dR^wOr&@UiI8d$JwfRW?}Lw*vxX zM30%DX}1-fnPOP=O#AVyX8n#U4=O98v-5NhCY_fYI_{w)1h@dT9FYO%R&YwPD>k#^ znJbL+k-d$t$|&w@E{C-PLzyOuH>1ZO5X+an0+g}C3IvP2D*5sx20oz z_<$aK(KNP{`bfYjsl`IJ&cytD^M|&WjW@VrA%^GI7-sUMa)4(CA75_ zdqTkIAnzsjONgo!fd%f{ip1Y_l4V`m z=uTdt6%d37u(Gl?*!osSZ_?AJlvh?euP2WHX$=kRe5^d2qq-%N@Q=&2a#6pnQ-Ia2 zwIU8bkwwvzScUX+9$p?;`_IP2eRnQI5GUK4b_-QXA9>jm){dlbNoeXoY|daYZ%2a->=C{K`IY;@#$0eNY;Ily$xGNy>@DS*<&!Nl9EF{#gF01m_cj(elu~OAI zJyF2L+S{-Zn;8TNZ6F8{dRD3+Rot8pG0u-VGGd3w3wV=#_J_7wpV}%b%h*bCN2Yc~ z9sY5mJHQC(&Tq}KFOS>_S@jpcv$eYSNasqu8%4*E^hUb(LAoz4e!HvSx8ixvJQ3ZN z*V3GcMZ}E&)J7=IO=OS9&?jt!mX)-F+7XD}gI`Oj77t3U)t9Z+?+dYOGhwxZholnW zVkT;LlLssC#WW?l!h)|a7~JDY;F*pPO4mV+%pY))lI_Lox}bi#926S&efT9IQ`3Dn z2Iz2O;4^vNT|a<22p)P@310xpR~I`#P|46q$&eF>QdJ`6w>_I+^88{N4nk%Ur@O~A zG!RNMULF@F;O4%3kbij8cRz2reQ{KLG`O~QP-k+x0;`pHp2oFg$deg|fqWR z20o*}9(E>L{65ud{+ewc^EjPQ4Vp~$@R%8OLcbC|F;7+EG zs}uS75x8Fkc{20_6N;rJRp+d$lUW+ZaZh$DOEO{PH8j;_T9IS?t9Zc_>O*xHf&~UX z;`wRi7~&*mUg*P6~CkyS9O;`KJ41;wApkf!|$e)RQ)_}P{`pbcbiSkVws8#^k zMtGVvhekO)-MX1Dx8)4{BWFO*crnKJm!^LwbkF%H{?W7Y@BEfhDbAZ4`4}wm4X#g< z8_qySbXTCcnJ<1!-;}~1v!bQ~*{kYD(XruWR4H4KdM49@bi$$9M8MlP)_Z8Y6kYV!o+F>GY$Ik7 zl*uWM0|D!|t!ZeW4$%Or^_kmG&`*L1<{!X$mSY8R6W3R#5Xi=-1LlcH_oImHQAU|H|3~m7(uD`k-C^@VYWtbEa(D*)qqIKex)8*fJEPibGJOGLx@l{xtyu_XZf&oDYVYw@c zG;-R&l18ot2z%*@wO4K}!s%(5FTl-tb2Y3c&jpt8N|naYBP zj^=%}Jwl5AR$a)%n~2XNhSpptZ2EKx|CrgcM6G4xD*xQs`4J!w9?rjHNU|4!F#@-^ zeD95E!07UDJX`!Q?$17rQkrF4^oxM#!&lFKEiWp9rw#+)fe~eqJ|S3~c?SxWku;$h zNJOBG-6fb4`sTqbauY_#dN3NUNGSoo8_B^Q~Z5(^iYSi^KjaX_K|d$w}>&gfAroFMIP$BYSMQl2ljj z;z-tOK#InEiSCMGLKDE&>WTk!dCGc@V4|Cu%5)bd_0#g(RA{Ra_vgv)+Qsv~BEVkSN}$gk z^|TX}c&?S!_=~5jtES%O^++P0{m5`ND2g7$)5yH6z8oR_?0=ct_!98?@b(oC_ZG;n zA-_@d?pvDSrKv9%lBo1CQO!)ro%b&`8*7T6mLG8)9$M5|s1f543@;w|p`e1Q(Ro&2 z=JAZ#-R}jtWzX$RQ1@b>{H%Bm{joQEaNTq%7Eo;UCF|A(Xfu3%OF%rev^4bSy}{_X zW0vQ`>3uF~b9+lRZs4Fe7OC4>FME!dPh;Z17*gW)NPIW{m4gHO2!FF4?6P$h$qohO z=4knHCMwWCOFJnpaT)YG0xnBZ1su7*47e?CA1>q53%G9kIO+z5?hS7j&K&4j!8+`M zv5wSpXZDVQvi%Ifv14q>9D|#usNMqHD*Sfl+v8n!AZHY;Jsu}4<#)W99sVM-@Q$}@ zaJH@O)!+q47Y>tRxo2g+9JJ6di&Xik-ok>7Lrn%(;nH$Me>utN zG$>=1*e1U63njTPe6Jh%Uh^m_Xz0kR5#jFiK%|)cDEk)j35*fHrRv7kSlNS7_4?~a z)od3>mcvI!C0Y|*LLeoGs(K=j$|&~yHAz+91b&Zp3l>mmB71Y%C`St2dX<-MU)*1T`vgSQleoVlugJ5a**;ke#jTdyDT-?CDQYUpu>G8M zyeUjEeA6#qxm=D=?$xMO-(>>KFbw=vAW1O8y5nqxDs5asf)zMRCz;a$Dg-F;HEbYCae z(S}ps_b$!Vgv3{#Nm6~T?5NoDe0XWWZ=D~~Y+F`6*iY|zAj^BZN&&5-XDFO?JmG|x zL)8AR6$ea*@%I&O5o`m~MjRY#ki7QhyT$T<9DP$zQIAc~eqR;VV0|A-ajGaL#)?70 zpQxs#qv%?${$_QEXaP3sm$m#9&aToufI7|gUJ>9EZZzDCcB!BDp)OzRsIFQ&d*x`- zNTTh2VDT16%gVTvR8Y~*oSd1UZAeUw|2ZOEly7wgsU{^N?%%ev%HFo)Oe#Sj0pt~D zAQvi^dEcI@UmFc6s9U(($qLmchjf9z0A<@(c=f{do2yj#sEOpw_Fsn;aTjUdkn&KT z_0|)*Qy}dG4vkMgkF}hhWOHtq!w$lFdgAP_2&@{rzz+uzgS^XtkrO>8;0PEbShW4Ep`k9C zT5S^$#d^!D?mP;7H^JA&J394DMPnZ=Fv`(|pgOHE17>sf@W_G^* z*BXKm*FBPPDxt_<;nqAfuV)h(_j2S5UL|P6&3)ZZoZaL{fj+6J!MO;0@{)@T5!g%2 zl8i=|rk0GlcII|%|b{)HJ*!FoH&AKImmlCy=Y4ilWYQf~~+2(r8reM6B!N^%BrB;B zK1MrtZKPhG{rq!=7#5n`0PQeC5#VK~s^IE~9mn3_X!+^UQhSfJWTcYArt#&8$C4Q4 zk2;6_;c^TKA6LI0uU>{b@#Hqtgj42IY+FKX9Fur#yecyA5Yx&2G%^cJUn>4qoH7nvhnDg{y^}i`J@7NO*sz{2<4*kD*}WH%dL;-JH5GM)WW> zS}OBcvdrGDZH&tPl{B!a@qMU>LG)mE*D+{Q(mqS1ZTr!69ipJI&hBjc(zRPjrH{Rb zO>|g*fsA{lR(h5XRyzF1SlFXbD_m1)tZS(}xRC;Y?mq<`2L!-b6i=I%$elL{(9?tT z>hj1A;7KaF8ktc&zO+a3DibUXo|!=NE~~*s0`6N=2AdQFm}r2LbI5Q%lbu6ZPA3(m zge_;1&=@&-cK=S);No}-A0orAtrwrqzmt_7cvmozgo07*X*&G)$JAlpsl5Q8lNP|) z+qN`gD6fv;oYS0JP~)6eNAN0)lrfS)dPIhMB67EgkS3ldCu#i2Jrfs*lC01*B#Rx` zB^lpzIU|nO(%%D*e;f-N+M7R8hcJj})-w`BeOz0{-erO#vZ21?vv19!=|QAMjVze& zZt&mgHdZ&Nly2M3Hp0Jl;#8SopI0{v_XoxO;x2b`0I*sQ=jlqXr zd3vnmE7p>hpF}M``SnTz04{JZ{Q1UTyDs6CC&k3dK(?Hr*BC9JXGH#)q>Ln3Q)83O zUZ!i4?cspCkYMcR*DqhgzYo3rWvs=B3OH$n`ps%lMQX>kD?3g{h`j~&MJrF`@wK} zz92bIDV{56Z2F{aP>;yB&Y_|rPA_#7~|Rq58eCzDk)dkXles5UH3o1bT6S5b|V zC_^-@I9>4ZV;`66_2n;pKFr)Y?s@3p(;Y*TE}ito%EP3`_xps|+a+1c(gVTh=WIzC zwE-@!^e-OsX&?4rAA(k7VRVq(`b7I*C@t*8#>rjw0&6U@P|oRRtbAHX+^kwq;a9@l zRbgYxz~2g6!X5^dMN82po6$oAE1r{W-#;NyP-6w3+1mBemq5y@iwZ1?^34#vVpOhU zd}47WvlA;V#4H1a(-FNo#`h?;pCPmj^|8~JMuqxs;HsR|5n+_aheX$v6(x|+OzpHV zJ85CXb}|#ufATg&ji5Lp|$8kxSgSu=LK zE-o&zfkn!vuu#?t6~Ab|-p;NPQEHB)@uP1UVGiL_XR|45=mBHz+_Fn8%U&xya;?E#_5`yA3 z*wRc`AOm+zNe)DTq%VmV1?YC9?<~rDi}KaQu!}!)Qqc{+|if=)pA z{iNT*6Z%X2`;eyL*(aaZgT8Lfw1+8(2&o)Ry0w|xR%nmzKtuCwtleV660)&M@z1h{ zVR*CLQ#`n*E9JjIziL8dEBPi}@~-F&xO*$?Bml3BH05-GT=Gv{AOJMHAreM5e3 zmkF4;Z7{7QHo^KJaVG>y-YHlf3rXy%pC_GJP0>=&XbxXO)po^vNr!zaSC>Grk&eZ%= zpk#!{#whEc70NxjIQl00O%Pw$2lL@g+xM=bZ0{wD-*(Lx58%<^nOahR`4Y8PytpV0 z#>3+I^7BgU>?^jdzoX70Y8n=o&qSP~OCh8M2S~NG;p?#FUx9lv=v+JSMq=G_)&^J6+4=u1*M;zZD!YTYaYUZ8rACU z-bYvgaqqvj-7j_KY{g9NUlu4)3gMtf+g>Y1S`;%Nknt7jZU3&MlqiUz3$LF$pzUm0 zObRI>Z>=*Q>h^J9SE;@TA+ZbvDgW=&I>35w?V_?g@Wp2vZTHOF#)%Gs%&ym!>{}yE zigoL4>gis(%9{AEMvaappGseO=|hsauBifKyNs4;@AjHas6N{nZ&}>R(c~^a{c5>x zBK`8!#`a?X9J(Vh@AlD}yp{@AofYgc#qGWyd(9D7d_=g3nSr|E0uJ8O_x1;R-d?HG z2j=Eq$51{O6s&0R&vZ_O!z*)2P9q;|OGRCEw7M#PK?e9`9d{oyNY1A8emS z0sOJ|=J*C%Gb$YRTNF2=*&J%7+3YXi%SRJ5PqMMc+{Gg%XIjk}84IhTz5{9L5__9l zcQ@yiftTKN7NqpurYNdgxlSLN&mxFTJ($NBz-^c=x9!bY zQ$7W{WdDqXz}e&=vk*K5ux6t@48y$D)np&oIo!WF?AekdB-q)`f87TTU;5+l!4%)s z_>^XB$+C<6+*=+(spz0Z_l>(_!pqh>D1glI9iy0=K>6(bE_hY6Bhc! z9#W=nJX?2Orwe$jF3u!P!g`XOTfJS9mUVZ`5U`|8G|$%*^K2}U zX%NAy&aAI?+%6?qAUs9qlX~OV!;Yr@<*K3#y#+fVB;`%9FzLGqKdjA z+k-OxOn)e%mw`zs5kH=;j{4!jmziz_@Dy0^$Vr}GTGuB;vAcXZ4!F?aae6&HH|Aiy za^y7kM}YgIN5knEN-rVyPtIWA9}$lb0{dQK);kk{9`!PiM~?vdunY!a1doZ(J<>d z^~)A(#eJx)qe_7ilowNG+{$C_Zfz}JHnc{0%Kme>^WDV)a=`Oft1^zR<>e7>x4&)W z9b0}DevDvRWtLLckbD-&+H!mHDBTOxj>G4gOetElo9)MUz8x3_oR@Q;K=;IOV9WU% z^Fz=wy_ID?;a!18Zp(v#A`_M9xRO*8VO#tKg;t1OEqt9j?ni`p4p&NUGTH_U2w0gt z{nj;$9SRXy)L{f=rm)8jUhBW=3uhw6Hzkced|$~+Z{Ar9(#&@p){=ZvSo9ckhs9hk zDmaoDsH&lJAm)!vh^J>^4L%~_b(5C^>XLpcd{Q3R_))av;v`sV4Nmk5#{uCu$JuN> zy(m>Q|8faNZrF=>jE8yKcYK9{WUJauE@n5gM*c0EfUhno_jP=MXJN2qe$ zvZgaB@|N*(9^;!OkhTy&HQ!O@f0&U6t5 zKrlk7I~h@zi33j}CPuY#Mi6Ip%}`ZA!wBL5yeTb+{yy}u2w4r0Q*Et18(H5jc_pSG zT^z}msAkAsr|W1&AN)eytWxQ6yW8hlbhFRYu|=agKcgZho`I+I%Tf)6K+znt+2(QHK$nZw`fu zWexu0-THOeq(%*O<$#&LMUJ*7Sm1@drMl#cjz)nhJ~>zkJbC435M>Y6zJUQ1xXB?H zr$h8_4ng3X51IUpUps;+^Lq*Ym7g$6x0kLi!1i~f++h!XB>5IMPX2goZc#>T{Rco;rVRrV+=O~K1e zTm5F6tVZ4$8^=p8hueedr9M&ykXF#Z*t=qObCu4n@(kc~dVRUtH%n#LJysbwIJBru zOqh_Z8aeLbi~9JA*M+tdUlzxAcCn~jy&p1C4@w#zR3Btt41D?WQ{($Xb3_seW9YN+ z>rkX^6j+EntulTowWh}RMJ*zpilX1;h)WSvfqev}d^{LHMu$(y^2hU2@W#NbSszAD z7{s>hk(YYpXO;>KgjHMNz15bbUCB3{C}Lc*>b1QZM#Vt~i)&T_E-5{m8tUJ3!$_Of zN7XyE$ZOzZ`Vgltf{?4u;lzD(b3F=k!rEjf{Q2bIZ+akd8J)2KvtV~&>!-inp~J{b!L*|6$LUsdWbL%`fXGgcFUMnK&P0;6?;yfkF z*d8|fx<%~+DY}A2l-oO=5cxM7OvxM`htndUjYb5dFviB~*Dr+ea^kpEs-mEa#`#5c zRRwibK?CHB+VyM}i+X;-%G!!@0aH7XQn`n?u`2!nSIh(c0XGP3$xY8_P&G+Z-HWu6 z4hQJJ;z}A3Hh$=l0owY;a`M%`a*E98rM7P_%^Y*)D7~R*d?fpF44diin~s0o?6i*w zsTMV?1-{UCQA|uK)=tmQ0NVAPf4A}IllA_T73;iDsx*z^KAEoe z*x%UABuX?IU1!_!EXiA-xEv<8Kazy08AT$LwvxTu?_ak=$?6CliCtZmk*SB;hvxVx z8oeHiO|rd@R#9r?UPw$?Nw1Jx@bev52Njvx=$e_wD0pIaXHs!2*(~u|Z*YLNP2Z>n zf9i&5Y9X)0VE5)NJw&g}=3?ReekQteTUBg=$Z%~vGlM?p*2lW&-(Rc@)O04tg$>D> z!K+n9-r}2hY$TS{ij=%d$ySsmSfnqzkUxOL11ssfHm3mubsfubU}WKNz%gcN>NUu= zG~7O;16d~9W`q_RmLF6F0(+a%%i~D`V>0ry>Gy zr08Bq>FIg`F$Kyc(JW6=JZGBY2X)b*x!DhR5_D1hNHmOKj4RLb8}y{y)^E6Uf5s}u zYSG?&&O1<>S1S(81G?n#IQr_K^Avc`R%<@%Tm+&`1ApGwwX3*)mht8Um25UcgAnMcIM$NLtyX)>mUwq~NWgqT#Nkv|yI^?nP5k0Y-RJJXk3yye?#wa68cW$K|OJ9BjMqC=qENy>G2Ma1aY^ z4QtFlAFnl0jmU5y=BBYQ%|=pQxJ-4ht7$zR!wmBF-54Blm4!oRhEu1@;Gm;*o)XDn zX;RJnqJGTaQG>w~6GJ?=>!XUf$bhj2>M#FI85yQ8$u|SM%s3_zvl%Q}6{Ik1 zY}E0zC)drj)>0F(@;;8YFVD}7)rd|9;XnTaQ-9fxQISa+y7zoM4@*oBIA~Yx2+KN_ z!@#>dxes5(mR)u4X~Vz!WABVPsP}_(r_hX$|3SZ5uoo19Fid`|+1kI(Z7p2^vvu4~ zJ{+_^FNa3Wq^25}S)2|woi<{p3OK`GNqo{dl9e(J+dQoUjjHBl@*U_546a2h+wa$q zf}sV^q7^wXc3I_g?#Bf-T}h3-V1J^eXon#Yp8kzrvHOX+fd`Lfp(tw)NOq9Xeh%O@ zQ;49x`t=l~1;y$4&YdL&r2-rSQ+@DjzetWl{_^{_c$IqIx4p3>iJc=0?vp=tR^TNCHu% z=}e$w>z&9O9314qRQ90VO#Sa8>wK)99VJL6tyeaDu>+gu&e}+gPY7qvTR766Zgl~0Rw&B41gTgko~ysFCIRSd$2_xO4k!671o9|0 zw%Wm@caZgAgH*SNuy{c|Bia-;S`;9I!rRP@utmMO3v_$YuPSLUGsO#?ZN?^BYf1PC z9YwO09^JUe60@QKZoEq_;{F~tt@btSF)hoMLLNGYE$Z-P+pFp@PxTh3{xtrl*P=$? z9je+%fA4|xfY7x0D;rGmNrV|ijE=h{lIiJ(Wm_~LZaxOa9#*6bdgD+; z0&uFfjD?%O_|Z~Iu(3-Ozy0Od_)uJo?k)1p^bvmPqWM=#ee6f`CDf+Dpz&U(C}4jt zLG{|MvxS{lm!=U1rCFFYU66^@J0q>7ysuxlV=%847kJMu!9eM#jjELWI#JUwhFIrk zMq2*04*R4~sz%UnPy@6;v99&ur)BAv2ibkI>=hmO9T zRIpC78t}8G7tG33{NXbvf&QkM4N`T{kB9CTK|uMpV1wZBNeGQk%UJlEeuDo8^X2v( z6z#-y5>U1w!#$fzNBHJ7qEx*@7TB9qm&juv6_|IpBi6V->DsUGn&ki{grjGXZ`Wg4 z*Wrr6ZCy_^(5U{CY_(mK14zp$A*XxY`>sJKbusTdm^;<&0FysfvnLAcVf!J2gZxqq z6y^;rbMTka9M6{jG@aOdfe-xV~e3h7p`5Wp6MxRfT(FHjrWBm$eYE4NxOCm+2 zk=mltSfYgMW0I7wn}g{7VCUNa5#!0`biRRZgg^d zc5%Ky2^6m+)=at$d^*WN&EKo15+_kzVz5pNO9%%BWA(A5wDqf~5t=WMr^S`@Q^*Eu zV?bu2nEhB5u1C=><_%wZF`j15rxx#!!Mz_^m7}#hTcohs?y2>?-p%A&c37`*lzW>~ zfZk(O>lMO2K8kmG{_-^1f8HbFikm@bTVGL7l3!E)Xk|vOV+I3^^t`XEt-(2QhV3Ky zWW33j)|naATA1~=K-NUl5&Nr6q1lh4BBta<72Q*!u^cgrKf@(?d&79_u&i3lHf&+b zp~ey7aOrXhTC zQc9|DZzO z?wwN1`;)w8b+SRP(Yz_E2N30AG4^l78K}D5_KyLq3DsxUG zlsA(^~mJEu!(3&+Q z6nKQ2zD(<#@rDd7;&mb3cvW|QRZb8zryql@9?)yYE5b^7X|N3&RpdI7^U7=};VP}_ z9u|AOaqf#q5*9qe1pPmJy>(QSUEel5AkrWTf=EfIbP7WwASpibjQ#w@NMqvx}WF$*1OjG$FRn=oHKU(@;HwDO*K!wuu#5MLR({eedU9h zHJj(m9m*paDJexG6H8(cZwu3a0!uBV|9Gh=HmO@fXGjo`DP zso(}PQ>*ih1hw8P0o^2@fi`l7rTZ@jx|J1byxG@MwWFz$AUjvJ7uU&-tx5rS-f4{J z*z&N~@jK-wGKd1xHxd+T$~V1wIQ3%it&DZYJXq)?jpNHNju=O~V@!%|uZYVHLZ}ag zn?r1KPW{qg53t9sOF~l@%Hn+rCh3TJO7BXnRnB~7^blKe*0vyqxNkx~=j!waP%O=R z{@w3Pd@m(sY2@fpUY$^1tNdjCke`w=?rt;vO#V;$`NN)G45zX1vQ24-{LIF5UHBi@ z=R(~9kB~XJ*6hXR7!WLq@5$LdKSL`WlYl$xZ|;ytW!TVHxn0jcz3!R(stC@2--pz_ z|6H%Tvu9TEJjX95gImfz=vV(ryknW)M|S$_q!4Fv7dj4lcXliaoQv_tIG(i4*7W{t z#%3-DLfV~Z23b1Qa|p$Q2a_d-tQ8CBPJ9>v1ECf~lz~yZFTXUaZkzGq+*3edn*2mG z>uElZ`05g!-uE=s{%I_~_uveHqPJuMi+HX*^yPDyPdY+u3UbHrlNV#J>u4FC4`$E7I_X?~aey=J?+z;YK6RwMX!;fqJvyKmpDXoF94{pL-UaT_T2P1|&-WBm$e6Q4vMlP&7`iAKB=1wgdW2_xa9b-5MHlh!)-FsPY+$0P z6K}W4-t@OY(gWRVDahW7YR_S>CyDwg#EmKV2Y5%r*o;rSqn@VL+GoF8b8Eem;zD?Os`E_2J~6j76P)V~M5mkGqCVCQb^3`s|RVUXjD&y)zqc%&UY zq@MgFRv1s7BQNdn-9&&mbgJd3KJ}geF$G;*jI8+(G?quoEWTh5wMAC}@xFQZzHVCj zAP0kAKL0W5HO?JhYC1QHpt3&~oiCbbwHOoLEkov)toj$`m7Xd+V-HwbGQ9^09@6xa zaH-a3BC&I%-#;$toEx6Uq3XZ)&zoA&H*+wYS!V2zsMcz^4@d||^6q0EuZx3ctPy+b)fTKlr86Ds_*v(B3KD(o+Rmh}j< z5`g6x+UWF@_*O~Aq1}Si_p{duEHt4H3YY`gfV%@eg<&0y_rYI@uWaD$>`IuaAasSu zmV#f7cF-4H5NTIEWq2(`$Cj1%Ae@3EHU}}NiNbVi&-&z~?0RVwi%6xKd&L3snWW)# zW{dQsB3kmWmkozJId=Qwoi)K|V(joJFxT!AH>{O2<`rPU>A>#1y;HZ2D%2a*_*UYu z@o53roxEWh%?C1T=#<>G%HE?s151jG%W@`m&cZzW@$ounFF&xi9iAz88L3B$ zhnyi$g~D15+=*N78#cc}VWJh(kA}{#k0VnU2iT5NBN9_70tfODseQ;4{7tJIAM$O# zNu$Nb9Wcf}&UIZ+ie7EtGZUL`phIMsd8oVb2{QxR?i&s+g>B8#)Fo;Fiifvl`Ow2)u7i&XF()+$`+`g%5)Z#yP#61&M$Z$QtaejaDbIE2r zPTsk)lN8Lte?k!hid#!hI>e{bP`eMO$N+0)Q}z`WxDlo!G^N!Mif<1+V%By@Lt(}i zA<&*}S*@>Gm2AB)=@hAr0qB86-y7a{JLfs#hl zQf!N>9c@_=?TjG3vEIQXy?RJgp%GuxPA4N5YA{I;t$x}GDt2%5uXm1+qC)X6RUmMq zte?`TP3>9=hH}wn9nQA*&Zo?H4CA#gN@Z8f8dB#@_I2g_O9u>|Gss+|a@ zD8Rq7NWE$GQpXW`WJFW|r*N?G{TecYl)2ZF3h z>~DWxu!n(g@_!cbm0OfLxO9eq5KDIGEt25G8D6me5xXAF(BqPN#2i}EVKc}=chH8# z|K|^j==HYFsuBy!Yk*SbVR?Vi!_v?&`=RvhGYcj*rfOKp<@L0Z+be&V@#LSpyv+W( zaIfcsAAiZQYq5H)KK%NmsDlP(=aBL|T1&l8XYYLsd(zsQovq)`W^Zg(0Q6ndLDsA8 z=f4>%Cp@)~91ZLS1z?y4xzr%HTd%9=DmNJ+u6p6e>R<8+vmH_Gzf;8Md@Gs=RP826BTH0mMQDeLG|NX749 zOa*HumXhagQ;8{7;(7B3a-dr^wduEQ%7i1dLMF89Me2l6mhv{2+DowW(q-;dxG+wc z93NOE{e^U%aFV! z&0qDWwn{4kWuO-#`v+0Jxjdw>Ev_@cPmDOc7t-QnX z(jvop2o+J7?dk%&+Av8Fq@p{mj1U52UP*skr4RD~oU}`Q92;Y^wUQfkMiLlm89Aru zfQQ!$kHCW5TpBt8J%=wI6iUf6Mixd_y|8>pN|YOA<0WVuN!1G&_SAlTi(+{{<|b@n5Hfbos3@+ zf9L%Dk+TOmFf*mralipqaO|JP0UB$+q3)+#J;0H;kV@M_Wzm1Eq^<))6^BSA=h89@ zio7tPAg7YfMqzS>-4EoYE*5A1zPfI1#8oguATI`MeZt|N2ClWcsHmBQQ=g|t+4?c+r zlV$M1JQA>5egUBrbpFs%qtc`H{7v%Oeob**MNi+X)7THWL6xv+81=W{dgl3kuv53z z4Q_zG#BgD1MZw?g+6l855ffTcEUXKqWIo&JzAI-($$yM#vlpwMWFrdG;=O9(3_;>& zY))NRI*24rQkYzUsZZ61r6+Q!p^8wL6~HfmWnQl$%ZS_b3Q6!s7Hr|oyxV{TER#W} zMrtISBHku27dZJhUTL>4{ekG!nNjaW+Tze<&G)p$2QV!%AUE?HHhY=o=Fn46+yA~k z=~eh<#Oms5OVW*Wip-TXY4lXrSbN{yK@zx{#h$+n)RW^_aX z&HbV``z2LXxY&DW-YqQ;fCgXV*-4IVxpZ(srD3bn(|jVFf2(E9URJ-~;$j=jjc$!2 zy+cNkAHk}{q&9m&hY(eLTCp#7Fvq{v{MdlmY3Ru6=T2vt=)#aIt zpDxG5I6A58Dcz3F2B|2MnSGSR>WFcSNE#Euso}(p)QTPF=g+s z--Jnj;~*QW@m|U`z>^Qm(9_M#&K8yCx&YM;Tp#qb7vJ9=P38BGtB?OZKYf3-l(jwr!o~M6AMR~DNn|ltMjPPM z1;V<%SSI!7V7@>c1@VDXq|9|^70wXQ^9nJZ6=U!}`$1vu;3~1$E8hC-s@%##t^CMp z{QRg)%k_ks%XlL4cDczIPfRs>W@R^CPaOjJnc*BRp63clP|um1@NjOy8G{$T`zvd^ zo;R(Z)E+8z22-ghEAw0Z#XfmOLsLxCaCww?+W2jg*S$HMOyA4$d@oi!iP}o+rskmj zwDHHbz~{>l4~Gt{fY$Ss&SL9lPfs_6%I2DENgoVa6pMzA^ZvK~i^4>pFegC-%pioB zdg~co{aBAcz#`-b{RZMUAMW4C0dgL{uZTPZ+C?qJsVd9|z6MP5(%GkwS;-I^hrFH* zfR=<jqY5M@`ZsG&`~lN{rZc8a+}>&R<$UNQHMkoXJvW;HDDTn z0uy}HA}49J;r=`V$-n33##J>d4fX}ki^kCbOb1cL5Swf`_~QyDEk`6WFN<8kmMf9HLuxAt(u-zRn2@=6-@>h zyCww{W{qCeMCOqXrP>zxi*NL7tBK|ai}x^Jm9 z=~Kn<3RsUD11f&MlM8*?sQ?T->^)Yp~fS%@ByIeg0g?72-{;2vyq!edC$Y$%eGNzTS4v z$+~?Bw3`O&m6j+S-b#Xg_E-p{SCu?KGByE6sOGba$&SBnXE*aF&@0Zj*t+8(ysAL` zj5Ka#Ip$Z8(x$Pu(Rk|NVHTkmD>~)9?hf7OpSB)9WY#cuiOS9=hWKJQE0XgJte=)| zPPu~KJKq?o+fG%cU#v%RT$tL~me}R{#O+un@cUwmk5e_5Z7>?)@#c3krCJe|1#C0A zloMKwJDW%#M{UPbrB4VAbqp63N2Als`SK5_M)<7Qc zw}J(^UTmNKAEI5QV>@>VTRz1ZtyS}D1qsZAO$ zu-j|Sd2j19sp}8hr_0`1lm@&m?_{kJrX%~xt~O1h=xwQSUPOIw`r&_tf3q3-f&CyIh580lBGDkka2Ba&K-CO_x5aqEJPHOP#Jji~A_EJg%nJrf2 zb+dAA=^A*ku2)5U0ZUc~LK0;mD3nC>KWg40flY zmZH5q>ihVxzPpKkTwF=6+{I;-6l*9Mlt!P8e_-RJ96bf$$+Nu5hx^ih1e-Ik| zBs=_wA#lCJz{sH#ddCggaNKA1TqzkU=u;UyDrDX8!lHxWuY~tNqqiiHFnhMt7%sq* zuB~KF>B|;9%}j>JDywLat#5I;sp2Q{PBCkJp7vUGaxJRN%+NC4D?t;1%pcM~+4Wz1 ze>29|5a|>IXc?zd-tL3 z?_6Z;bK4KeduCp5i&3+X#tr6Y>b_A3#y;K}FK4;R_U=y*GI{&SR8&p)Okq11U0&~XZi(Ue zKB@K=)?AUJQ;F{N2!r|Stuc@6h+%t%4~MiKh`G_LmtY~xrjzOG2?krqYLYJUltP__ zQ2_HCo3M80`C`$t%*rZeSI2wLcxlGhIOZ~RrkW#ctHz?qVYpVAD-+Z2dXxEDx_iIR z9tI=c003y^?{~G7A)zr_3H|-dthsFwvvTs8n-{%5VEVr<+xrs$h6n)ZV;%OvFhpsN z_})GL@%X{crg1jxJ~qzY#q#BGF?)g`(|vH)Dk}bnUrF?Q(5+#5hmoHjA)KR_3cMv# z7agDrZoKx;twt~;c!O$tH}mxA(E4$zv?51H(^*0qiIl{o0!RW+xxLExn3-A z8QR&Q+o-EE_ev$QJblOa{#6?M?zX5qttgii9Vx*km1u>LIejR{YOmGi4i3bTKoLMu z<8+kA+K0~pXp@1?{^aqQuvL($Y=dp<1?Mo{YvvQm+E_K^&5c!l!&mw@>?kiQ!HH~{ zk8exv0pQy5AALTtMw{^9C_lr98hskW^`aX7sePBaw&fmbB>H+=vd{CSODR}kUXk@u zf?QC6<5mL?Q(Wx_`$I0S`lDHoXh6lVX6iB*zz}bHp7Bop6~I6OIuih3z9~}1-yjok zm94O%SYpy(_LDGwM)Fqn)tu*ELGIRf)zpj4akgSn9;5_aS}{JrKzUeB;$OH%#YdT$ z&{EGl|6s6d19@BN)W7#drL#|W#kQ7%HC|!YMo#Kc%7W6fR>THVv@0@^h?-VJGy@{V%D^rfPc$B-v)CG%_ z=jLy-I9u0~_xrSyjJ3w`nC(Hr9r4IW^<+UOm+Qq+Hr4aeR$BpBAS=VFNSY*_8|HnC zQpeU(y{nc*j@d;!0iLyB{)*EN%HN>+O=5Ms68Q=Z7oEB%Cz^vEh>oP!@#P<1D3cHk z%rHz>?N5Atx^#w~RP~?IkfCz>a0w^~X~FJ*$_qB}@q4B$9b6(y;LDC;?wTS)7m z@%oy}g=(6qcKgQb?+b8|QhU7DBFJAy4Q9RpXG4kVhd{qKe{0su{JNslhi_LvTTcTI z0su@aq|pskpMm6-0!x0*q~p5qEwsn$Z8^`xoW+WeQs>d`et%VZ<*{Oqp!H0jpfk7C zsxK|NsP%ACga|!)ql%;RXY1&98kXxg?QFN+#Nm>Ad?9eI5;W4qh&kxXM_d&R+)hzoHZ65?QbI*n|f?P|_)(`xMg zo_o|*Fq3vH6dFn~dm2<7T_Z4kQ-91UrQ%A424Q3>*36Z?z)e@ryPc*om!+km>|ZrD z^}&1wd0#B&ysGs3OE~5{;Yy(cb9|JH?D-#dvj?|)k^=Jtv&4slG?ua7 zZ`3mauS}uGCm7zqFFg<5z8TEN6TmRLye@amr{dydKAGB~xtVg@G4)r?OnW{C<-37f z={F|nHhS*H0n~K<_)c+=<=%-+$ZJ_c(N)I4vdSvXDF)QI%pHKZTk!g9 z_GfkQ&lf`iMxjZAH%)eqWm~hOH%m8#({9_UE+&=~fYC^WeR1N>Yw^zxbSp%3ED&vOINX0=x6M?Qwa<|1v<$ z0yDUHw!XmbX(^;C5yTg!t;{Ot=v&P$Ki{CenFi* z`Y-bG%C46OS=?#o{=EAY9xiDOUD2$HD5nDQ&2}w+-W|*YZqRq0d`CF5@Q5TcbWLq` zq+>08ML2yYCnta$J1Q0y+Cia+!KF(azq-jonGnkHPGmP=NAQVNM}|CN(0lFZP_}|o z<60bveznx}#xRwbjZstVvAmE1!7z`X@tUUcZ3Cs_qOgL?6xZU_!yOk;VAeVBzsvs- zNF#%Qm{aKLlXze7Ou?2dS?K4+9EeJ-%P(__lBCMprNV zO>c=R+@EAQU}RWfzdyHp^W=351{^Z*S6e^|FjUGah(OxRs{bMvnWq1G?FYfZp|RJ4 z>9^Y0e(2vPW}5rt8Rt)T?!Qxh50ckA5L+B3fSe?R$K`;X3jEuKgC+`iXAr&sj|kGG z1H5j?{Ltv~WW)znwl+eiu?XqoMpt?Q2#DQ4;MQ>z`T|PqkLk(*Zm7YYtrZ@pR%71Z z6%(zH=~b=8q@htsz^uw^KH?om?Ee9e%Rz{~zpL5wtclT{$MCIkOtS~wBC#q4dP8CG zU2z-A?SgfhKbR*dKCdb4FW%NBw1h{;zx&uerC-d07;3`{0DU)-O$g2Y#D4h@roH={ zh)ia>t_2)G;=Dqd7-eL6Ztn1u%<=pKtyXlW>V7)7Y3sz+;$9fcAS zdnr695;2tUn}wP+S}Equ$94xLew5Jv#gHFdw%NiZKxE=E3e8 zi~&7}*f_Ncn+{nPywd#gt8F<+4!zn@X$sEKCd?C@Q2ax(pq`84?I|ANJwQbm=pE&* z6J4*hqmMHGS*8ij5b<#h08|md3GI6*;;;yPTu9f3Kp$b1k^f2fx86G*A`@~LO`G@l zZH>h!SiUD$>zo#O0>UB)s@~7?{_dO|`_tS9*H<5phhq{30GL}iqiU>%gniRE7Xgi8OY9|bcJ=dKeJ+;2LEOo*j?RTTDh1^2)g4gOh_5( z0b6-|F?IyP^xKGY#HjfLV|3p*Auz+SoL%{q zICNoSN>>W~nHPT%m^THy4X&TNzIAo82Ysw5Uk=RqW}VYa#_~$E{+=3p08b9=?EEaj zVQTOkh)ukOq^b}D@Nu7;_Y@K8->cyBsSw~d5y*6 zA33wMQ*er@5GD}yK%5-$O;bb0k;*bL-ccIErbvQ7?l462pQl`KDd#do&J$m1aY84} z@@IsJd`<)UI)v6!_P5kpJ6!oCV%5-J4GR50r6GUoailze)3L?m6aEmKoUYLQ-P<+m z-?>s%Z=U*dE?Z_Dj3du;d;#JFelyh{v-s3SgzYP%S-9H>{z+~v6*Cz`$7(cbTwPVe z{-u}`_wc#9UXX&`Th-3FU^^zz{d`YQl80?!Ga=@$bT-n%oMiHJ~6(=Ax#m6TH zD9OOW9rb@W!m1lw4C@PVQkXLZZ1+;RPqg=4;DS_QutNR*BD1A%cVXR)P($I3#E}7p z`lx7P>dhD%mI#KfvcPyy{Q-Bqn+2KK@xpQ&JFeF`ebl`u)*Ld}Ej5 z-d8K9q`~Uv5YBNkGnwfQ)7*vlUf-`=l5WA|Q(J9*Ta882r%TVfgXCF?XJotkhDobV z?OmpFh_-^2^)^E8)|F(=AYn@Y!#@1YFjtqJ}Ooo#Wk6)HGO-AD%oa zjFEjIRXxAyPpUMjXcm3X2?61X6!#pMo*svbLd!=l?(NxvYS{(qbjQrd`e=*Xv||62 z?}gQjV_H#aF1)I_M`3|VirPUd!eCE#)I9tp%5X1kACRGk~BGu&Cox2;B;Vt>l9o+>$EsD{=BR7g9 zDY#x-%O5n}d@iN`mR~VKKqML(yrFmlZ)ar6&$Iq)8amA!!NU5KF4Y?_H?|GT?m~d) zYsw=X3-fq1RD7w`_!;NqaGA(g&)Nk7!naya9*>dvq#nnrf-=+oupr>5Grh(~6XpON zpERz%(mlEmwNv3!sNv*^bC_KrB~3(mQM8&%p6*0bYs1HGE<1-Eo>9Qo4g%*qW#*-# z%)eC&P4{Rx%rLX0dYTn_|Cn7D7a7UKQ9{%~ENeuIR0AQJP)3FcH%X{!I?AC6Ox z^Pc}s9=s|ES@gMpb^VgGRc%uGPX34DjH=nBQGP{T8o|jYRNDo^<#@4Tlf_?qOH^w4 zC$%)k3z1GEGYXuZ&NPB$K+xn7UrFbBYCUt_=Jkxj9;g-HB*qi^Tle$LcBhcn9wv-V z>v=gn)5U+9rN0a+FMuZl!h_4>?Te8gDz1ls3|=1{*|%ovAv`MC9}l*`%Iy{ar5vn~ zPLzP_LhzbtX*R``sp@-84G^ExT85FE>c(9}r=3PK#EKoi)@a#39G4AG!?On>46goI z4@qL~Q4F-IFMY>91S652m(`$TjP3Egq`LCmdEc<~R$i6c%L3N61=NdSc4le2a>TaO^X8eXr9cnZ>QG_^*iGqNM;r6#8*^!ll?ubCmjOTIt+u=b;vzaqGa+ujSE{95DYUYpYJiaGHAG6K zIdwL-+WwP8JY4Dw&AYPDFSxKBuegr^|H8zkhSKtxUshHw$}okMwf*`Fb(h>^ocX!P zrEi4_?9PuBs~ONT+)UcCdh{a>U13`WhM21N>#PdG4ed6(5TwHhwKNo_jyX*BI0psS z>LEK-?!%Wn#sx759*6_piHIZDm+R=C;c=&fH)FZ#89@<=%1vTk=g&Np&iX@)0NEO? z3E95zN%gUuYGGmEM1B|5c@8^sp|L2=FRIV=Grz7UJ$u$WPrUUE8Kf+yy`-mx> zV1AQyIBl;h?jJRt>c@K>OT*=*q#cfhJh)P|nbQ-R!ER1Hgdek`_pHdWa;KMnQD;6F z$UXa3>4o(bp|gcY&4Z^)PFDPp9L2fV?>*^}>Q|6QYo4PoOxH|)KbKA!gX zxYnInRS0o$Mb)5zS|zcPuKbxJQuLvm;FJz^!LuZ$aDZ$5+pF zQ^)!`xZCDf1Vpkk3UDDnv1?Yl)*mJNfP6JMO2K^wF!1a0+SII;U-mI zU*(JA-nP-MH*|bLuB*6GXmYBEd-|O3r;(no(Tr-T0izZul|j7Urz&*!nKiJITMB!) z`s&q&Mcc5HYZ-Iuw%mcN{}Ez-c)k>`TRLu4jqHfMr#3a<879-Oms@1HPQ7|l(+T|% z%=QV6@?VIhjJK6uM|{MRp|B4Fxn11#Cs&k$1SkPXsZdjgRPqwUk>3? zUVSf^qyN{{s+qpN19^9Ou!F>j>}rLf*%PC^)DU#^`o84XY4jv!O1fetr^5AONILXz z>sh(iT?BZicOf#*bppRGCrkp_5ZO=Na3i_zagno+*yHzY!Ksz^EC0OP0un{a1X3y@ zZUG&-b=vxKl#dpXpjk0ch!A&xqcCqjLc5Yen`}}KLN7T>fgIJC=2NA%c04Xu_pW8! zu()}#%LBHjX%Am#eV%aq^#nUAu%fy$EkJ)~yxc-V@d|6M;34k0eCDT(U!_N(_@L6a z1Zqrg^c5Je_xA0mhN^`i3N+BO>_*sA2D5k^4A9u%(6v~bmb_UnnS)X~FVrXNxtI!G z9h;2&T%UtdrwHwBEgU+7B4C~4?#8`F-R>1TK)|gwNCq_9>9;p^xvk@$MUTeFyp%~y ztSzp3>THi*W`N@LWoOnMck0k52Fl4cN>IzkwV(_HN+VjubEi{faX>fa+M^W>@SPh< zU8W|)6&6`O@C!|_$BCHsMz_8vlzA2t`e-Dg$eDv1N&(tSopZ%_NBhpU`;oauSl36V z)H)V;U%fpC4NqY-t8d7wOb-{v#jX^a)<7zFvO94Bv_x>w0hQL?wyc+p5pU1d%N50s zmK^ZBo+q#ysLgLqwmxvF6#_W{NPPh3@Y5$iel$;yQwCA#ni7RL8IrROdtk19ouwx? z2nUEIf@;_58LfdUznmHYYnIpYAB_YTVXOT2T!yda1|Yjm#rG1uWLT4UFF@*m^Yv%f za)iw3T*aEP3@IfjsxF}-))vG6{Awwb+0{MGKIN|}%)s@IPoTA6lO}PZ7 zsJNuxNW)1S2R01oFr~ZtL7FCTuAFxH4~MIDm;%eHN`G-1an_6J&Gz*wvN@e-l16`U zwO$k9HC?MxBkP|5gu$;8a0h}@6Y0l>c?O&dI6U@->cv0Bye5}cc7%;)vA;f<5vJOq zD!4)yuE7ZC`u4FLh1uMP9KiqOM&<}z=iOTMsL+4`faopANYk{l)yg!H$^PAYm27nt zKFtqxMCqMciXIW(owklOr+Ehd&?~Q3kk8~)QNvR9-`;5ebZO4rsdc3&6+#jT6?;|jhVROVH$r?Ra_KfQ zOa`dXGU!=yEk2h0{6?K?{Q%qu@}y}vsejF0u*B%JKJ3w_kCE?WUs-0*<*6Hc7?lS{ zwcnA~ie!njtCjdr(2}D9I#zXwVKQ?QIkE?>*5iGYV!pY12iQqRo%Md4*0Uges!tV} zeqtGhgYnm?o2Fv02^^_v@v*8ZGWL^mR?)pg^|=Ao`w8|!zaE}lWH$m)j2G~14R?t@ z8$sW98-!!=f3!C3f?dJfeJ!uS8$j?@Zi3`R`})V zRp%Kr!Zi0s=MwJSX8~jzJ=G*9ZZi^eLtE2B`yInzv~bT(i6o1yKVHvIH#WMjZG`B{ z(o~WzK0Kv@WZd%@bq0t*4T=_n9+E&uvclTx>dz>kzGEbH$eqTH8nS;igv1?^O&l*}KZSd|~+Q+th ziWfdlV)^-eXDzY6k=v(8=~e00d(gI29>-W&FN)xPKmqX2XjuSFt--(x z`lb+;8neIni|N%rM*&1r_i>mcFC7D%(yj;g!O3pe81CtFe1bI(EM9jl zT?=(J0>ST*6Wu#8-Kky%UN14+XLXTi@@;7cf8zb6nINF&`^VT$hvK#H#$J9CF_tLj44gz8yuAp>~FStF(9WI{Q-qMa*6!bTW%M)&Jp%>WfVX?w)4Yy=RWe3ml44-GHyhm-w8c^Q!kyiJ}f4De``D@?U2qhr+PHI~u%h!^@08pn(oJKv*Aj zC=9Z`_SQ?ptN)8`X@&j>0E_ja8RWjsmsp=M^*V%v-TyQh#R`@u4xvm!w}FG#(VzUU zReg5@<^iSmmr%RW^P}0RY_Nt)f+%Go)=z(9-rq=Q$ruhtt$f? z2%^b1=r2EBYObq$r7+gZ`U1Y#zz&lUD`vB?B9ce-YvaYz&8}<(H?SGOF@*x3VBc=qvV%X{pBW@X^%<8P zIm=0CogW!x{RSDjgoeiSM0@XSpS}VXtSTNjEfT>Y(AWnS=h}IMDz8A7dW!~Cswv|ykz)PuScYU#6Lm3wL zlJ3DZo@2?sklqVf-yMsGo!IgQ;ZmHJ&_0i?yLkHilL4t zx4`@ zs#ot`p3Wu_`mB#_LyW)z`u^i%`lEukK49!DS^bUm=%mmx)t+MDcLZfJ9+QsNG8lYz zc04I_1(`e6*r`LI76G81x4eMs z$M85jlFXRh6cCn^=OPRTf_%9F^c74D{vw%RDeeCPjRAC@@pgZ3<{*% z|3T;%9weuvDgciS=u;>yfUzX6TKdIhBK|2GO2fP>TlgjAN^5jx>vczZa& zKZCF?*U_Lf){lI`RId&JHtTk97r%fD<|39V7Z}ah$2=>dfKc}1_9tM=P6CK-N-|<_5?md8l|B@`4@n@{n+BE=*fvX^0B9xzuw#1Vo;yDX$B_mr zKa>-}5QH)0TmnuBIPvbEOEr6?PvjUP30h|e>g7pqvCvuIQs8L;RCZgC3{Iam>j5ep zv%vjCmQImRd1NY#At6hk?k^AXng-@1t_YDDgZKhu5&xG3foP_FAqCLVx6!k63Lp-3 zDsZVfF0uoAaja8Y4X3c_2NwV%ThYZvbsKm9XcmJox`^8U4l_12VB#HffVT(+JS>3S z6?X(_Bnv8)@X(%Z2~Y=pZrK)V;SL2T ze?#8DO91}e1Tgz!u95u2!3D4wAB}9+ggQd0zq}&+KlXA7Fj>lgZ;pFdvvX_1 z?o0s`@$HXmzzY~C!|s5cX-N-jmF*?8L}8ACR~-V&%DH0G>VH?>K%-2A2?Q7wZzo^_ z?^XPVrJM>J++CQ)f0%l=v>it<7)>A~|1;sFIEH)z_i<##0ad!`#F4p|D2q3J0g22EI&S3MeKrgII0P_UBE7a;TbR|z1>s5!Jejr)%G1u zaTI@SVRmcWSj>D~ZEn#Z#f$nKt+2=cStYJ*xn<>xfG4uy4A_K-a{nr7EFpMm z5ntZyVkddFH8c`U`9ad;)VEw;R5^*<14@ZTeSfPu?+ivlAtiA@0RdVA&9rZI^{@lc z31u3Ku`*F&X<%<7b>th_apY7n0usH%ON}JAO%z983`UC#(p*M^8`*!JtY!1fogsY& zPmNJ&=?iLx$RJ2?A13$LTaR;xr!fY0w{JhZwc4qjK8pt?8UV@?JDrI~O*Gv(yrPvd0ni`0f)2Fma&G^{uM&Kep7j3gxemDXf~rP9Fu~9GQ*b6f_Mq9K}Hg zm3dB4LHtyqqe8HqZdnA6w%KCAjvFYy{ky@DPsQU$C#Vjph5+J;{S4;wi3N5iDF;6U zod1gKEW+O=rzBm+fkg2V02yJ9SkPbn{HEXL`qSo4PfHhlnl6>)CPik#iT*Dl;+2ID zGGcDeuAMAB4o6h#AE??5l?Sc8p@cx>qc&%vM!tsUk;ct5k8!v4*IRgFl}iESoEW0N zR$%hY<5^P=)c>10(Rmes8MU2n2v{pGEtOs%tv zwp_fUvOaX zkf()uZb+iAm&m^6hYttf_~Q8|jY%RcZYS6@FH)cZM#2rh!lPYK5`Tj;BHJ>IOJzyO z2P@r9i(37UU@-gU^1X>Ca_uYKc@-~Ar2X@1Vz+jB@d#J%VjaR^SRq|=4}Yi8O(u!t z&Acxw__4M52M=e#-~WJ~uBoSInXa}raM@VHG>e%fD7>rY`dZk_%SxGuLzq&jC0)s7 zNqTEA-B^!WTj%xLcXqn(&wMa(FbOeIO9~;Kl@^=U3rfNH4n2c?? zXv6j-Bx`AD|DupMIyykC1BUvo^ee@fyC@*QX6l77N9X{7&Fi?ly+_(nvYJno52Qmp z7{*1zm$-i#kr^JuE8A&?RemW@On=9W&7%|I2OW3AE$%j+kFS0>&nTK}rM}unNl_2M z%48NUViv}IX(!TQCnCMU!J4mbY^D5=Dmxw*;!PxAPkFg_wf2B-2SYw*Rl;N{+4xwo zjEP2_TVk=j^kD5S>mvWFW-oS_BuAt7P;svLPekg*miVlBE>ioKdwFU_U1isgR(rk( z{E{v14z2+?Mj%pf{Dd(OuA(m?1N4NF3$yi5(oyf>`7df!*`Inliy2@;-WRd)tHen` z#0Rg$U)*d3tI#d)&F)d9Bp_11V6filC!s#Q+86fk%{Nty?{$|1*j z!OK?42Fx%?p_bQXcF-T}m&?XBZF9f37Z(`s$B}DBcJ*=a5byEWzXn^Pfc4cICrxlh zfrGaXL+-DZ1HFZ7*V1}$*uaYym2F2GpG;``m{`TUct>YDS|*$0lW19rdlZ^DfOv(K zInWv3DR}zY4F9fo@Fn{z*dgAL?dT;Ta%KpAv&<_al+Q%(W-IV3qoVFkHgQ(Sril?# zmi263+gy?;{50K0ljtHQDq5r9+^k!S!f9k|Y*;NziK-KWACOuLg-&j&OpQ(wg1=mdwJg zKQ`N`sm@recNcQ~lXkIs7M*>3FQ6`3?D``TLH2^Y@J}A|N}&#^y~>8YP=VjEXt-^i5t(GEVHtbCj^^sLTmXWUuO4od`{n*h9rig z8Z}#3=c0CH$uCTKhjLHWkwQQq?o;l7KkZ|C^;!f3TRfS@S^PDDPJr-qx^=Cc4O8Bk8(Ih^`&>a%& zH}+U_BJEp2U6I0-#=shu-uwgNVny1<1Ap!%niTbdyFpzC{3ffeA>B_FQoIyUI}ve+ zLBP#S(Sj`*xLmkxJfDDF`ITK*IJR5h72V7@y8A}4*b~1gO~b(uf1lT7M!I3K)H`#S z&8zvDy}`CXSS^+O!SR(hEkxbP{y1qU(n&w&snQu-$qP`bFobAc5qs4H0b;vw5QxDz zDS4!zX3I$+p|^wHGN&;e<>tF6o{i0p9sG?_Z{6^Fsv-Y$@;UeX8&7gMRlxCCidR#9 zLzC4q#9S+}vbNKsmr?cqG4+;FaW=uW@DLn=Tgc!LToNEaa3>HnxCer}4-NqW!3pl} z?(Ps=g6rV!?l9kz_nvd_x7PfaH7sWO>F%o9wY$1@dr@Vr`*bG?8#l7$7bPRJ1nC}+ z3%A7z<|MawK&yMeAT-_b4%U)<+3?R$DO~x>|Fubc4Z7Nqe7(2x&C=YGg?O^1M4V=1 zfFUb`AT*#_?ayef=aY^Ii~&&8GmY;cApH3Bm@)f)0;As6=T3lzeW$KL=zBI8rLL^L z-n+Z@&(R*z(n*^XA*+`Jt9m8f%h_e}u3GDGgw0;r@$#Qx*Kg$46=mV!;kK<^5jK?! zW9il}SIUa?SNRQ350-}~&~K$3<%}FP=W*(V2Nur~KoRNoZbp|lk^cQ}YPr)6tiDBD zcZ3`;uPHxMiTxk6>c;uKnxS6to!mo29{k<$FCF)iVCXm7%J%m2>$$kW!NsJ_jkkm> z7B6RFv_NB$vOUQ`&4u4MM|*+t6x1)qf67j;==#dONpU-UewJBG=#cXzB z(qwZ03fkD2n>_w;ai^ZR7x;SySPbBLxJyuMe_QV7rx6Y6`1#AqbTW+zIS4d(ZZ7)F&e6b0HQxgDVyY;H)YffTO!A_0>rjP!V;n9#}Fx4(iO&I$0> z_$(g~HXBG}X3E=w_WKQzYg#W_^ef&Ko|3e-@$ZZ!Z=Eh}57mKv%9ipK=|O8}Re)4_ zZ{!=UsPuxWqWfW6ALH4D64ToS4qCw3o~}TyTr7}414d;X&rJqrzALV*WX9DPU=?%o ztM3t^q2IPXm$$UA15K1W;dqxbe}yX3(q6cm$28$rRh2#7mI%eNFe8WsT|C~XZf_5c zr{$dSui57snBS;T~8g;rdMV{c`QK~d>i0Fj8k}a$dK-<@cLt93AwGTrB&3q zeJ;a!Z@Mps;#`|){?kop%?&q<(fnFT(n6R~JU~sS3^G8o-Rk@=SwsuC zOdwTMga8SdA01OCB^S|6`0Ga3kJhd*n?>7BMpb!{Kb77Fo`Q2zqkjl26&E0fOZ2S)a z5f!>&ZGbcd&~Yn0LMry_g8N3mj&@7kAIK_BL4+aVdq-T_Cx6vE;?#o__;(gwi9k$la=~G3$j`C;X4j-QhzJuBB!oFYYRCqd%XE@&OA7$&mkZ+Vlrx>*Ywr?oC*}><~Ec|qbD9v1VZM1 zA5~fTEx*BP<+Xz|1N~(|2BCbCs1V_6FzxdR-~IWfQ*PME_^#_de*6Z{r{CM#u3BVO zZ#3R%770#}EWNJ@K0n}g?d+b7QC5+l1A(@#jkZ5Ve76OGR7(4L za(>_K12=9PakRy$$OY$1btEVlB>U)pA47hF*3nOQ<>v`fT}hvYP z`}QyxUO}8ty&qsjfV|Fct&~m1DE)!c?#^gVv6-uvf3WvFWu1rl@^d>(97e5k>r&@!6KhaJry1vkM|$;+|~{2_(F=#C_bp zG3c6Ezd=(!a4|Vf<`keh_(uSS18+tG5hVI7P|7TE&dr|0(Dai4$nXG3wwV-#EkZRw zh>bCp5rne0k*ur%h**h4=SBv3uLR_z#fcUb7XunLY}`QxUOn?&ze*aaEe}%EYz3<} zKl6kBwy7-cSlOy7=_=SJN7%%w&GIg2SMBbvax_-w1D1m?Wcb%7K*Q+e=5RQYbUrZw zhn!=6K<=o!X{y2c?jsxZ%jjJC;hn{JYUt>IN`WnZn-M12F5OIpPiX;pV-s&A=|_Cf z1$szQHM25Zq{$p|+6QM6b!Fo9uTRcumce)^cdy`9M`Z7gCf!DyI5^gG?Wu*8QSx(Z zUt`@-hcYw47pZuC|73(h3RQ#=GS!A;U(h;D8u`d55zB^z)D(uas>VQXx43P)d7X92 z)?vkYF26%~?$&F&yG|UCR42OEk7xYIkG@Qr8AS{M_Mrrpi51FzvDDb&mI_tC?t11s zZssg*(g5U_8(qYHga-7ugzONWQ?GnjsFJu`Dxz?I$2a4*xtuX4L25`n{C)84ECJgw zcRt_i{wl1F{{ADxrWIvZ%5lqEu5ESK=*I#lpn5J(9pWEBq*Jciks!uQLe~;t@!$?L zX$1Pio!I2J*DNWye}T)j;X)u#&%v}q;aR2!W4UW8I3998A)TCjx-~j|H~Y%*#@3nF zL!t^f;N9ntMV-{#_I`XBq^0|}03Yj1+O-dGztM&dJ5GiFm+kf_22wYhH)a2Eb&AQ1 zOlMmdczn4KdJo~4k>#(Z9)~#a&2YXt<;yNStQCdbt4n|8diIy&V&?eodMoQR*NU($Peq;d=hU?cRh5^epp(H1|)FT5Jj+u0g9SV{;km0Q_FDSPFr)O zDnTkZkoVIKwQ`X#qQrszI5UkQn*xM?C-NdeZD-}{d%Mh+1};HzE$!=v6GmLTx~z~Q zoD>Qj;hAwpS!WOASfxOx@BkSCR*mM@KaJo>>i)BC=r*p*)gZWCA)F zNmLn0eM<_;SzHm{mcok;i*#qR3cPc0TX3kBMyJ%@! zk^eFqAc0asfvvGGFl>K>sF`f3(nWb){x!GyEYYOFwOhoe=2jfao+GGCK$eGYr--4c z;zesfaE73VocKWm;J;&6?n+~AOtB(>yRyE;sP7{NWOggPkM1u!#nUX6G zHRZJh;VraazpqNu+gi@PIYD(P*gObuG}1q{n*y|(-h}@#yHRVXcn!Eex0WjYCZ)7j zT%+&8z5rbcAG`!O>xAk6BDe`R)>{`hIu`}AE96)azeFF)LsR*q9Q~|t4HD3(acABI z7{nrwK#>x=UA!WxSBoA{%s3o`fP`t)@ncm0S;KNNHnrD)W*K`OO5W^A$&>{*;_F(TKVL4gZu2da>M`} z1(U_lO&$o%tga)xdhu&I0ITSeS5yf3%h&EX8mVP1%49**C(f=7DIJj`ki&upj3 zdh~PHVU*Q;@Z0+}tFRb9>+MvjoQbVe$0L&B_D3mab#;h(qzS&Myy$X5t z8OVdcX_nldmr`Mhj!wB*jx)u|jDCbFEEE>~U@zav{LgRf=(BgGGvdC!@$3lGUi5W- zg?E)g&%Hol@jQj6n9L*f+@B%0Kbc$2CqtVxbO?E4{D?J3_}$OHIq+1{Y#e_D(xZO} z_m*~Te%^u<(cZ-$r1;kYou>n{kvRZ+DC2Ws8dh|*F|F3K78-jQ+p8H@RWvk-vMyB_pi2E(I#y-a z235LClYvT$M)cv~#=A9Q^jZ%U1ll!QyT%1b=UbF27M#Z&;(=Ce>`GXl&gJ30-Ksrp zBa4)0=)c^sbt7I)Wq9Hu8!1iB3Ekba2#)^@f@#>(pmGkxg-#P5~+X)6kG#v6g2?8g0$-@y%}f_a#qf>sH%WF)=xh zFSkX7g;53Hp+2yN<5gJN@!lE|GKKXx$paST$J_=e=(EdlWh>Ie%I z8IvAzf)5FBZaWWjb?L&u;t=)g*~Se?G5V4af=4Kdf4;+3f9l!qxDim)jg@)wmOL}4p|9|*{Y zfRb~%>}0;3z#rM)Rs-vS;}@6|D}k#6GUBWQvo`gc6;x$G3g4)1E;4hdB&m%VaY?OV zRHN#nM=c^WUfcnbQ?0}zh6+uyo6rc9r0bLwlX#6 z8%*{!5VouUecQ^*vg5{4;2F}eddESVJ3+q>Wp}tP@NkK_qsdYgirENod0%oy51*(q zU3OPI+T_L^H|wm%^=_-iT`khl(U3eSNc%8Jc9+sXpcseK)Cie)@L7mM1}yOLDq&#- ztFdZ$B~YL5)(X{3QrrU{(w0WqB_f4buG{kv`sX^kR1{ zrW1Nj_J$37FL%3h_Z>_L@vKGkN%zms@M7aH&mCw2lO30%J_aUf#xDzOFMpv^x0}1| z)_)J}wut7%j`j+VJy!8NKTK!bhn+3)RV@T;TY0rrs4I*7V5SQ?KDn8lyHsV-fizr$ zSO3Be)Hg<(vB+v+cm3UA+z3mz?FAOrs$K`mJTI5nqq{=3_Xp~Oy$H4lmay|k|50?$ zKT;s!A{AT=Lw^jOUQ|rODpyMjknh+45FLK+o7-BmBqhHB+3}R>!GQ$t;}=q68;`&Ao`?^9_mAU^+w^XjRaw<$4jhs~83w@+gX& z*AuZJQ+UuBM(7!406iNIFdPY<)K5G+Yd1n)_FY>Ah3&l*jd>leu zxylEXK*S?K@#`G5e6@E!dfBeOUd=v5bxkNi$jjDobF(#FD-`aGaUVEi;|f3!y)#~kHTKY_{TBJthg2ZTx#3d;TPKfgf%psISU%4-+?68pq?HSJsASwB zr2GB+d67Q%!`XhS%nF8MvxWk)>oHA5CQ}!3C5ip;GMP&?6LFjNc!FiSKSX1jg*WTU z`W$qcmMvN7*F#UBDsCRV0g5ua?}Otyb!!3Cr*jQ(z|!( zjG+~h@BG?*KR?*~QiJctNt3+~oz&GY^|*Z!w;jmGQ*HJc)q{;Yx1U@qvFBAzaKu2n z>t_=u{TrCJ?Qm$`p*mE%LMoNcE?lXKws<|c2b>>m?k;Gtx!kiJ!}nT5B!Gy^eb9oF zP1uD?fFME$Z`*O()tPyE+c3`m$SE&HR8$}PbkWex`l+gFqJ?}JlOvv4;BK!*v?fjt zT>Nqhd9e<>O_A+8*5($xIUDnVJtRbU-65^I6M}BM>@@7kB?yJ1G??QnJS7TAeyge# z3lS}wYSHFo!^dD;bBv=bV1P2GCON5wzuM~RQdnO+T?!rt>XiGOeA=dteE;*OtbByw zq1yAfH|>b`amUlU^q+2ry#{xK3cw-+SPkMT(hKJqUR-|Ee@s4sz3AHued|j12fy8T zYWpE}pzJykbk@*X%oqg)fx;ypM{Q*!ajF%+eLeloP8OZ;Tw?L)aWQm?B1lA;gg6vc zvgr1?{Yu+uL-Lyn#nj)bxS{I~WgD+hjYW9d%Oyu_OYS6_ruGN?--&xIL!)d%4jEZj z#H}jg@sA&_sXscYz_}h%df@Z<+bMI<@VxDgbip~`?rjHSXVIY`Tp`j7D7`|V)Jode z&1-4@-EyAZNRp%TE@zKf?rL{Z{l)s8L(NwB9=Gf-+7kcAoe~8DdW$@UkG(}x1#%Rr zM(lyutWnA!*P@EP+um$N+wgJfY@IN+Ibq=eHtgUN%=3c2cJFL8a$yVWbG}cfHO|Xxw)J9ajX@+O zAAe{u8DL}-&5)P*0+02at^e2-9^TF!8~ZmYNd(Klz0I%(X-*$DL=I037Au*!Mjcqb7%|AbKO|+HTt7MM_e%XU0p}1?i*a{B=F5y0Hn!RGiUgXJ_x#a+bI7(S$_Z zFTY1bK?dQo_aWXJ8C*V=sCN&Sihq`Rez*Dy43Ow83{{$(ktQPusTG z+7_Ruhhw9)a0iFb<@r76>>OH4hCg(5Jp5`Bmo)2w_$TL_B6VzkgZ9g|gDDp=4)X78 ze!1rdJlZI7JlKE~fsaIR9Q$iX690wI9lIOP>%0T4ms2`2uTHbSn~BUa-YO zk})IB+fopSN2(Du!y!n1nckqYt8hQyqvKe&Yy(OijqDIt=C-H{Jm~K0+trfb7tv2Y zgSjfUks@A!8VmS8jt?@m6IN^1pZ0V%I|#%ydRK)A@9wnVEYJC87akP7NJsi({~e4S z&WSb;$^ONL2Z!(MJxO;LqJF?WP3sLcd7Lj?>SL>5&kHuWU7M3RBbEJ}810AW$#h4g ze^fyjOM#X0#pJXFZte_9f#bzZ;iTII5i7+=8iZ`Rd*qKyK&T6Y&}n(F5j0;vO|q@} zYTmI^pvMOG%~JQvU-}4DZl>qV3P9#9-r$3}l-3P*Gr8oV{e;GiToWTcD z7Q%#$w2fol1g-5$QOrFRjPLa7VZVgns^n8s5|8nrv%9=^xu?ms7s%DwKKRBahy3b3 zJA9v&QH=*MM;fci94}EZLF3z}9D^zQjRYGyVTbdk@U~;~h_$Z>EBvTiO@~I>!G_0u zMdv5_kTgUP+FG2k0+HGG=W@I=Nmv}yRQuIKTh*uT<;N`zI)t~q`Imwjl&awNbcQY} zq$*%5X<2WY(s`!Wr5IL^%0Q32xYwG!xIgbT|43&rasgcY0>r;1xE(C6QZJf?jO<5& zo}Rw)19Ef6nQ=H7d~U=d3A})8KuE{xh(q-tq%BPg6ufmmTdlKZ6I0 z)_*IV`^XnmDBg6XY2ORwv&;sO!Blj`I4FBJ&q;V4E{65*>nj&94%OE0#t)kg!L}M5 z_i~giS?(9o*K~p+%!KS8C||IaZMw|F>Ya+%y6pF&o;zNK)n(puZar<1>sGYB^3Dr1 zlv|@yqr?)Wr7eY>ll!Rz%v;@LJcnIF;PYal_j<+o87?up?&HG37ktjqU#@-!qwa>X zxnq*wjDB)-+*VbE+kEXK{u69>Cd$6;kLA~4P`O>AZw!9hdH9Yn^sy7}umPS3d;8`X z0MX>M)QZao{7)b1PeFDzAc~mq@>@u7EDl(r$rt*PUJ8Fwqfa@@+Rjo^umh_)u0Y== zlYNlyC>bU`(|BUdo%`M?k}`+7&2e%7GkO$67{dtIM2c*R@Ot}ej;Jbb)h~0Wnmp(G z&@+ed?EU)pm4}R&K}o}7!zF#l5fn*OU!zG+@Ba9Yd&urVOV`iQs?+dcoRyolou2Di zgZNF7R0z!OGICM=!A7|DC}w{crC$lO@eoVjRQ#Eoe4~YOi;c!ox_2=k0htxOLh!c= z(%fN-2(ry)nN~;Fo?auO7hIGuuRMO zsI3s4-bGHv%Z-%Kv-KUH&*ddK|I2_p=ix_(|E7S?3f)GdtNp`w@*G)O8P;7%$yej1oGdodp(Et@U~XQ0 z@1(FucwdiI!P|B(CqpW3PMWLNNKHDISTG8++_nv*s%XHlw&AfFvB-CL`QUu5t!h2b zLn#u1oN&|x?rD@&0yc$Uzl{ZU${vZi^@c-vbjbM;!f=hW?7~ACCnk-HmLy8}H<~WQ zHr~7f*=4m=(N?+q`1VGc3BM#A&s!490^7q2GY6lV?Wwfjp#=mwL7hWx5h*V) zvS?Q=TP1Vmi)p4dV)>Jt!FOweTtNWp{J0~?WZhJzaZi%R#kS~3k`IkKgPsi{1bphq z45R>hUo0kWD=~O748`sLC}3^Jt(ewq1;lUeW?^DG#Tre4<2Lg=gWAT|X!W{Q689I?fWf?>b^)Mnrefjeeg833brYkP2Qh>~qE|^Yf*VHhoG8x@n6} z!FwN;n);8TAann=l;H#WP6E4seSXNkgAkKZ0h@^QD;558-t&IZ2L`z>rr5?zOD%={ zVM|OUsnSN~=4UqIE-a*nI*t#{8AcwseX0u%nS||0`Td{=*}=pAI6~?%>$ql-oK~Rw zOEGJeACsq?8msr;*B*WHs{s%7ldJ#BZ12$FwaS}epcogQZ>Wc8LpEW`AP-r?WX;_lKt^1rxhSj*tC6Y1E!bhBBZsD1c#fo=PGx``))e>b@IB9lbC6J9kJ zN+IeTT!PCAmylN}vAMw7;@>WdrTBa2#8>EA-d$Jxxn~C8 zP<_3qoq6uXXn#HuXLGNlIMvIHem%$b3_~^y<-Ul{Vl=(RpAd%zhxnNnfw7>-#d46DiRn@ zLdP+Rb|?(DU!lG*ruhjOqOY-pxhvsG^k;bA)>@4w9r^<5goe~tFtT-$GM#%jr>jBb$Mn|2?YEG-334Q_4y(k`Sx zr}{i_$FsC3BO&o&a1eWzu-|LV_ZeAe4L0k&%NM->bQ#mDF9-??hoc1UkfcTX#mS)a zebyl2wvXeHq?dbTJ%X5I!xe7QRP|PdR0>=zVuJ$JTN*C^-X4(PFw7*oI65$m$HuKD zwya!BnKGG=DNPzf2oYeMmfU^D2p;F=X&I0i%!&v zkK>DqK2!$W%2Eo`hhUy0b(?-b`PJ72;pdb~Ci) zbb|qHnXDOhH#f&I69#-)5jf11S3g4{;>$E}K4?+U)B%qfQ=7x5&qtZ9>Zt7ZBx?~jq-M1w5_#M{BG z<`R{bNZT1nmc)N93h_}KyVe?(Hd8lhz#v6qnS?87CIa`=S~^2^Y-kh|CDD0g1>(Qz zPzdQO_2Q-v@x%VlJL8l>K~<-cXU)P&mm+-jVyKvG=r&lDB$XtYK&DNIq*f8;bq)6`a=(`WBok z#(pKZw4aeN*$=TFC-w!6kx_3x5!B*}EMf>MgE&dG4n@QXi05W)>;keGlqg?QQboQ# zZ_W}h?p?%SoUfzFgk}c&v~ZYn`}K2WLZdFAQG)3d$C6RDsP9hJ*@ddX+_7tRjh*{_ zrwrAZeP6A=GsfF7bsh@w~xzt3@LOh-T- z{xJhb5~Tmt=zPt|zaL%e<9m(rPzqowA%uYj)iw5SqEdJp;wL8ZcwXBD`RK#~^FbmN zbZ7JVLFR95tqXM{yF_9(9sTt=nr`7K(nuc!o?dGp5oI5hYSsoDw=|9-s~zmrm~DWx ziotLkSgY0zL|hw<7LidP08kvae5j}c+d*|zmdQqJC_=I0;Tw>H;6(n-4}!=VVQf&4 zIX6Y)O)rqa3x5WpbkQf5DDck?I3|K>M2d~>SYl6Z;ZkJE?ALwFUfiC%=-3UWX@d~| zD3rx;@HzC%lp8p-_$Ij;9%U738`*0+1ZMz*m}oUkGhiQu#xbBU8AQbh(C4f6dLO5jO$q1w}vJ!LuD{7~!@ar_th%Ce|`$*yQ z19IPCBm7eJ`{Sig#R;BQQC@0xLpuvP8$VRF;Fg{zLnlpz|zt1^S$yz zcEA9p6PSqQ#8V_9%@(+tb7-b$U%bAzX^*T+Xg%NiPK?(9TsniJF>u0PYPgNu45?xg ze-#n_@6TXsl%ipFFmAqW2S*?Hf76u$?DE%|5l)k-%$hIY_bG0m*f08v5dV!;TmTl( zc>e!(C;s-Z`)6P}!`i{IwZISnw}nH>Qm27OaP~6obPF#E&3e|syN#Ur|xITR~gp{d6tqRfd}Zjtqe!;ZI63KcGyuo^7t?uSz2-f<%K z)x2A}Py(S0L5e%6=T^(T5?EEVZ`! zKicVHug?FfB+~abj7B-%r{a))WvEHSCE*|UmZ3)By*YM98$Mmi!exIu4qFk-=w9hL}CEwyZ)as6Iz6aC}08$iGea_bEg-30nL0`3`hdNQk6?j$0Ug-_Zr<^S%e*xG+l4qmH6fsXEAooa%V7Vyy$lQw_- z{%%Rug5SruP*;`*ut_Vr_@gT&gRn!gKj}?%{j}hIqQ*YhhBIU5+>bMDK=(iMFiYLKANn z!_+zNT;?B%>#kV7%*x9yT=CY0C9#Qe zH1snie8AVb=p-$izjkdyYkDm-?bmZ+H}Sgc>t_^7&4`rh`JC`(ZD_Qe=j7Y(lOC<5 zQ`@taGY~sY9h-{b;}3h&cX{o!BvKmjF~h{?>VexD3!d(UxY_9AbJmSq?yaRdeIwq~ zmn>R4>&l~Pqc$UJEjTBVAHb^^-8gLPZvruIq2DwkvdvI{Rdv@)3QNlScf^ddk@mrI z6(h5opD$Oi$a=A8mcjh3P4FoaK|T~4KuAD#7;xH0QVTY!qUCY8H1ZtB|1dGZ30iKT zo*ox1=(q_mFiUitr=+I7^5vLJnkrbvHE09;)@~O9}c8z4yv!JSa0c4zv4pgdHqR3bn=&oSHIyLj>=Bg6(o_*-gpGjwD zy|jqFBP4cM0lAOoW#M2ZLHyB5vuIwbs^;tx@|cjDPn@KHb{yWnVwbe-KDckN^Woca zhR`(R@d&~c$JGgo$OPvmeu*ZA5=Mv9ZbgGnC--w$Y;42j^dpUFk8LV*_D$`|dC~Ac zNWlq`#GIGLuekbM^{~kgn%&NiH~F|&2+C=QES6fC8;YrJRh(-?O7xV{@!E%KXR1y= zUrV`^wd}-CMQ_fsFkz27zFh50ieY!WwxyiZ$l76UmP3I)zVPj=$|vq z$1^)U(eb?}y5;N@I}f{Cd;O@PGyn6NmO<7Ga0U#;W0G-X6fcP099XY$ZiD}h))Z#2 z_sFHPS9j3$d+_@%7~etjE08d_VfOz{SmitK+%bl5Y14=k34U4bMfcYI68V)9+4qr) zdBPHq1e*Nlx^KbPj}x(Z!5$NzU>vG`e_Vnbhqii@`JT?$&HUymEZ*%}#nE)ij}nMS zd2*Tl&GBFTPWz?@P6>aZ+!oW8TD-`% zrheb8Cf)0r9&@nDln0DwuG4lcwCc;5GU(tPpy&Jk0%;Y*udw|^y)!f>KfT!NT}GQE!4RX2{m)iQ$+g9ae}pMiMkO!{M+ ztAtvBuDy~|mH+37Ir;D5{p;I!TnZwE227_&x`O@-ra8T%UmQ}#TQoqi`q$Mt#VOTl zPRB|J6~jAT>V6%^EHA@l#+V705~fcqYKhk|zX0T;z=Sgh0Hazk&F7X6F{el{R@7CD zp@I%jNJubuJTo9Gzf}9&J+V{xCQbBR1^|z7?`={ArYl{fh;isBfxzSs5*9xW)W@pk z!6RWAT^XK9kNVl_LfvYUXBh0cKWX`d5}!Pzh<|lcg^DUNRK6mpmXl@p-5jJ*CHk`B zF$TpdVN>^rl__o%Uzz#ys?)N9xAtY^b8K*O@>YN~8d_+pXVS!H-PWy@R-n#lvBu!L znN4;_2I-qM?+d(=%782e5Itjj2dv%FA_UkyTvm#_B)KQWbad(_bDF)J;YJj9jOo47HQSL)UrT%iDd-s95_d^Q$RnWspH1F?16S_&6CQjHT7&n>8JRJ8!ND zy4kSw*oK$mCQIYTei-L16qKaomtnq0|HgLMFjUr_%T%ghV3Qq}kpua13-PGe(VXrz zJzV%*`5kRF$EP!eL&?~*qta@#nUO(OE_29q7JYPO=7UvWHGGDx>a%y<^53(a#*bD& zf^HpBg!u}Xs2q9^+H;d0c~zm*xfFaw)jY#OOqjX@I1U%0-z{&W)XGYk2Z!XpfPAqO z^or<5euZ*@gvGQornWV|#-8sW@2bUalXU!DbMT0dGfLRXbGeNS*=%~xcYn6f9Fe|$ z_eN}H@+rwDvt=hpOID}YcCJ_zQByh~Drfg#sW~W>6$_M0+gGZsH-L4~l&sd2y3m-- z!_Y<3^m`=sF1c?kZo3K8>98EvcXCwQ$z7XYb!g$pO{tiipr)5N_5~E7Z)SE%Hff>K z9og3Azj+K5J5C`*00GawTV89UuWx^07&BN{W_^%e&&&9wdNSG&E3Mta zv5^stgT|TaiB+ow>7&JV@x}7Uw5#Bq*aiZKnQQm_663iC@B9PO3!eid8r$+U>UCee zV3}mzR6w!2@$1o5OptGudHaxXj#@;RLP;!|=&uB0%eO6Lt5v+7Y_{HZHb9sNMi0kK z;NxR4fL4ooE3e;H0IH}triTK0_3!zT)Za+!{W2le9gq_#in7+z?S9V*5|`TNbq|8e zEb{v1ritm(qCQ{@R>yDi$(FoRlh-<`qV+mmyW6T|VOYT@%}epBO>LdWC$}uM-6thW zk>Qf6&{peAsQkIAX5zMl78!3TIMWH$@ZyR&m8^6T>xT50*zaEz|5&k)TuS*C@wJeE zQzFTbb7zZQ6h%Urw{6kJ5jE!cTYQcy)3{6PdUI1JzpP4rUD^V;%o6LyhVO4sa!vXQO#08=QcrHy({FGh z-VryU3L|P-U>CL1i4KXCsea}Bb0|W>W%|W>bvkkMP1z{R7d7+P0P66M0y*%?NHM%6 z@1^sUba+=bt}AyjXTUkm_XI__f)q{&tKsj*G4*CdrGQhPZJTfBE=ov@_sGI@T}_&X!!4N|dORZD|;=;=pRfmlC7&=4sVAv2EW*{1tnn`DvBQ8_{U zj|@QVW)`fE`wFPrd&z)lc39MP``{5^AYcr~GqCDjadLYcV^%w9n%PhZ{umrHxjXjU z1U~>JO)v#mDZFnk4eyY6n!q6$*#;WAv4li*1ZMqCb&!4p5xbE{EH751+$Bs-e(4@n zL;DsRX5lF1;~8dPW_6$=cQ_{Zg?y#Hx~Q$g^xJE3hja51_*d`p)kJ+a2hw|p65>pJ zjJr>qov-WxGP(w|mg4G-L~bKJK; z9{ro5Mt~;@s1V`f<-rEZofph^1cKO_1oT>ZfLi@S>LoQBJzWRD{1Udi69SGF_b*5U z)L}y&1@Q^nXW0uaXl%nb7~utUe@qIJw0V*5eipEPRM0+-gf_UVN}NnMVz>mMgJ=t^ zfsa|3M&%VE4)=)L0ql9YSgm`@e0TybGe3Ieds%0VTGbaRSR0YG-yE+u_-?%^4uYw- zcS5eK7mtVAOlg1wB5mtQI9O~bXX^0ToCI9cP5Sz0bOl|DSou-4BC_h!^Ac$VX-s3~7V4>;PgM}Abmq}7a7*@cu36XgqDx7j^*69Fa4eV+VR%f>MMU&<|a5^gXmbf$Mqm3&al1Z@?=l1DK{a_P8j`a+Zya-?e%6_*|wBRcfF;XGRI>cnYhOVMH1S6RC<%2M9~W z@jG9(fB>k9cHf?p5SeCcW^uY3gEIW32E6#N!fR)9TOeq2VA3HyE!&z4uIXtJJCX%mg1lKNpJ|WwMu(?&V{|2vVEcC|$z+YZcEh zI8a{!^9JK0y}!$l;VutV>iJmv?@M(pslI|$Ub}Q3rzGQAjpMN%({jRX8lSDMx(OsG zFr-frpI6jO9G9ZQ;*&BgPR7iFxBjF0Xml0~YIwB{9+BPqrGg3~$%`A7bVw+bXxn7U z)(EgSbEYI?)HKvf)aB$B@2$flfNX$yMbK~<=M0GS=sqpJ^1 zO2uipSusqL_qvzm>$eZ^KTsZBK$NyTWuXKehrH zy2Zp2RZh7rjT-cRo{wvqqrH}~!AU|*|8{<$6Cdu)LCT&58Dr6iPBX2kliiTHGomy% z5BmoT)N`oaCxIM)WwEwR^>IkwJISJHwD@g{ap&Gd45m{C&R#R%J*e|iWBRvzgCoX8wmCWUQf|x_&2qzJ#5h zfPbu37`|E0Td+MIj4bSzY!c$PEh)Q>h_Fj25$Jd`K>xD3xi~Q zJM~M_mQ0UOSS5+T#usctfRt~a^5XQM#+1m>i1`^fE3TibJ$GX z4M=YrZ=P1}}tt;W84zpjL2gRIc1f*=riqV`5boQI$bYn=3%I{$m9fHbSn1fdnftk zraVjRC!tOoE!FH9dc4hlNk!vwd+|SXw_uKH5tm(*U^1KC0|oT;zoKT+SSe zJW5yP7f%(ULw_XGj=T?!n8>H<0bk!@q~l=6$9;-P^QK76J<(7uR;5M%oEzqP zR3wCej!wN9s~Xv>Rl}~3tGZK=YR5L@+`G=>{?kfDqWn`jDy9rWC6Bga;GnS+k9NzK zIL-XIW`}MmB5iC7)@pm?IIKM6Fj>tn=%aRnGIm3iijvJc8O0NzaDzlOdAT(I9ViuH zf|0`7uhDhvoP(h9cdJf@@^b{`pnR_Ku?HmnGM&+yno>YEZh&L3=Mh7n^a6N;0+sG- zOLef3O{V2gatW|-kt^n^mTSfw7|o9(gl<_Han_c-8)xlQ9$qG3)L(!lXEYk60wG_$Q>Vwt3zpIP} z?KWbtX>Y_JaBkF4X{9O6_?0aA z(Fo%GOvu;vjI*>2OyBpp(iMCS+J#xpFs7cUKY&LKy}rO}cjC^T*iBW@urAbCto$MRtBj;)m$A zgO#T2Ur8x`*oby2jLb@fX0BhySGK19?(xXB@^bZ0^Of(P5iVV)xudR6Syexb_>R@~ zB#83qRq2>?tMl_%gWtDI^|KMrwmiiAp%$uiZAQfx6S_AG=k-a|`ofT&-dSB!buC14 zcJalL^I|J@zxh7xq-E0(N4;LUvVS%8XVE*y{k+DaIcwXG6!>_K*lz|--}tw6p!yFG zH#oTj`DJYPRZp|97|Dfj^&274V1b_NK9JfFOl8~oVa-f4b{wom8TxIIhKU*&moQ4KNad%~C~~p1)#$WJ|@trfixwL_%s=W5OlO z$4{+BeMUcMhmv0I@%X!wHhBCX0joIf{FIW^O+g_KvQrJd^1-E+SyNk1@@kHBcm);65k-X)9@-7p5DU+u7q7&W*Qs(voaRhDK<(nH^yRuONw>tmd5#pdP!k|f+sYN_FFu>ci!vq3X%U)#yPr)c zo-p{eub{^DtAM&(H{~UXtyx3FZpfvF)Xvtb`{_qZBilE6ErwGTg=LQI!Sj3PAA}LG zLvqsEnz>n+1~z~5>JY6{vEG}mkM7LnQ402;dTJ#PThjAu-e`>?DR4NsRKw0n`8CS> znR0zSNmkO1W-^pSj|od0jd(?bD__`n3{~qMU;ufL2>2~KI z1Uknac4$KO4~VAsKPtywfzBu(8$CvLuim)QSj74xVm`ZT?hLCDm!uhWFM~rO?+v^n z&9*Q};oJK1hRxlKlwD^XPqSie+Cf_B^2RyaFQZt>P32kaD&;YeNU{+~vUKsRf>>E> zMUXb$qdq3pGa>Y%saO7EwqdAQG-V>-d@$PFPhD8VaIpoS%y=_Zc>Z{%kLOj&@lZ>Z zQD4vAIS{W^H)1H~6!w&wpm6RY6%YAP7#&H~R8fnYVQT zs7V=AlDS=TMn){7f5uRi7SH=lIEYZV)5X(X-F75`(8;IA6ESShYd5$`wRhd8|f>p$_`KRSSvYEFXX`9+H7L_d7!6JQQLA4?yCZSQ*_SSRK9TpYylH1 zE;;{F0k0#Cjr2r>$ZG>LM<*XZPS9e3oc)z)qLiN!iqH?9@%M2a{Dw(p*a7 zVPgmd!}GK8fG%g{8*~w>)AnF`(M{hQQ{V2Lx)PuEqchOr4B|AD=f8v%iir7=uJ(*C`JuV4&*G}>!oLHdBrp>X;by_%n`R;<9x{9-=_ znLcE}E%2JK?D29_%g;BDmX5-R?IKXKl!98Em~ZxUKSLQVUGl9;x<{;;ue@bMD40`u z{wk0@JI`}gRx$Dv4O1+oJag7a*mjN%x;Z$hkT>$fj0f+LDc;{o$zz+%!pv65E`$ux zU3H@R{`r*pRr8}C;m~sbcECt5?SZwPK%d?x+N^-y0>2`h)bGamJr`buNx4GYisU0< zDB<#;u&@E6+~E6?n{swiW!2Qq?!q?ih`J@Ba81QU3fm`X7Qn!+EzpMk>6^bx2^axo z)4w+E(-S^cwTQHD%CuOb286MSeB7+b37GVAp2760V1{?886Ty-#huCfPFH4DUloRKx(bEU?-i=iyGwaK#TamKJ4`8)O8M#Iu)F4 znJdc+KQz?8RVQaM71xCe@7<43B3T0agp{^jcNO5BZ*g9pW?iBkOC8H*@_N=}E7?Pk z1op-iRe$8fu}+1qd#f(L)uePk<8yKvE^eB6*#SAkysQc;m(e@y$c{3lcU-I;TcJcx zH@j1>^F?Y<_|JAZ_?fbmcWE1WMW*TM%{fYg%deToZyPe5`E|)0b+)~i|z$l`=PcE1~cg{}Lf5p6da z{d75Kj*arh-9JrE-JOyS$jl>8*q<31tSgkA5y}hQ5h;G)vymkF>U!A`5r_9=9m4rA zNJA%w!Fa9N*8rE+)}6Fjq_BX-re2^-=lOt{qIPoI=!ZuH^ zJT*Rw{p%Vj>_`AgyXD&@c|cug+3D%#-_l;$RaXRhb};pnf@kTK=oa52WOBMeKeGo5 zz|0C;mk__h??`xw4kv^ofli*io%B@t+KP&~mX?jmd(~R|*Awhm#0I6-N83N}t-YK* zo$cw|<=v*e3d~a*l!wM4e;)*a=LU57{M5^bHVu@C!dVewsyeIvPy&ek)oUr-nvLW_ z!z9YoT#G+mnaxW|%VVVVQ3bSiUp{)spgb*UtS$@^XMpZtpLlzcH@&%&4Jnj6LqXe= z->%+YfA??-HYCScD&XDFL-rebx7T`fBXSPPc3R}o%XK4x0t21n8xZ?|YGIMHhiSIp~n?jP1 zv>gxVH^Z-hIyDH$9eFt0!F+vrqH#5Jj7+>-bDY~agSDOaF~QJMTjlV|xtF>Of=X<# zyGyvE@ImYPgS-8w9_Kryi-C|O;cM}4fxCE5a$C~MYTDHzJ#W{qnZbDce)ctw4pFXd zYzhv>o~S+Hxc}0p=i_396%9)nZpG66{zfnM)KcAg3QHdnce}cK24WaQKiSx$L#P;k zlA9ddnwsqq1aaC1$eJfaE>(chIN%R zBmjuB&{od2FuCDefOW;qlFZylVuL4qQTY+ zaO-3wt_sjT*j>+Hf!mW;`j@@ShCx`9uZN=5fLkEbYb1p_{*|yTXZT}QP&EGDSnQRP z)CpOAV4f%NsL#HL7byH16&B~LdyZ-_aZp|SYn8jnN<+j-^0TMvxrLj;pb-+O;bOxp zh`MTu!`jEA%tuGrp0UbtxRp<`+L0d;G9SUXj@?|MTCuk=ow_@9;Cym*&Py^sZj!ym zQ$o?Xa>xTe!QJ^hM3l*?UH}Z>aew1At1iz7+yF@h3z{rC0!I9-?1WX~P0?<%aURa+ z1Gn^+R*_ufl%8mqm~902g+WGbV9uVfElJI=I1_)ur@1`0q5%J1CItD`C`>5(rGlQv zSvm&09B%c#<-s7#Cop^hcb+*1UCFQpXcVEr!j78H^zO1%Y1I=J8-6kvLh*@=2c@fC zru9|(Tc4>hx{uJYGCjC(o=;=9^E5`+dv$i@eZkyfr%jp&)SIDG zZn}tHAvs|lQp{i-sux&!7vT8g;X`PA(@+;;&5>%Oo%;kjvB45qN?Xu3>jMYwWgw7? z6eIWk!A}h6R=@I&t*JQV>8?!cFVfM79?YC?mMR7_vnJhgZf2uT&Z14yl2C0AixWg^ zqH*(&JbT8KQs+qX;Xn`}p8u(&uA~v;aC)gC*c+XUE+kgD0tR?5<);UX!WK6{;hvWC zb6rjnyl;qFpUWwPk0a|@p^dOGN{J0SRy1kpTtyC4y zT^Y(KpZ2late>X``sXk&mwRrpNhGn8xjOOl$9$y$Ff(rbc^#));>f+c$o27^ZcsUS zLlpkHw6YVBdK4>MZUt7^`hk2VzQ=*DhUI0`6o7hK^+nN2+SvS|dird{8!^+}UfEWD zf46Qs68v4o@vxs37wRQs99=u~R)xqD`?ak`XKKK(UHkkeYwBWxVfE0%$LCIVh3df> zv@N$k*X}{f4eP+c_^q$b{^#%07QB=Kdw@fm(ZLioPwA)sytc0rNH>6p=c>F>GfWd& zY1(@{A6n|#|4}BjT9HrlmRhQpYS#rOc(&8A=5@u&M_351%MK!S3JeJ&AJL6&*`o(l zUeXAmg&|JQ=2-&M;71yx0&c=d=}caA1vK0x5;`DTdupyZCB)NlcriRKqs3+Lq{%@{irk>d|kncl+R|4M1?Gz6f5!F z(cp{o{*brpGrt^?LhfYd99qp3&)?dC+9P$^D@zlG0XeZhHup!IbodvxenW%JSfKu4 zsPFp2guLoV1u1z8DQIOIMF46&V-+;22744xvEZLelM*}OyHtsjYQd>EAV(nb28+$n zIc`nV!^zBwb?Hh_izu?N-VGCyfR*2Vbl$8+ixtz#>86o@8uii%#=e0cNo05t5Gn@-^U*D>BDF5;VEt$)gM?4py1Tv(S8{h9TlZDLo6B)h$HG47~Av5``#p0~1oli+5KgU&M?_%U^o!c$uluIFHUG|5S`JteVE2#r1Av z6n~~rV6u!i6P=$%KBy^*-blkoSCRL1pu_6PLLz$+h5NTgZ|e09kv9$wyc@rnYH;OY9lqh)RM`{xdKe8<)4J@zgrb18q?_Zl5*!Y zq!Ic1WYcJxavs<>#J}QcC3`YcPk159#wtzF$uMZk5Z!OKcJb0X9BxYL^O2+td5Z9Q zB{9R9}t7{l7f!)3^~~gDfpcn2J26NYohYxeE{GvOx50@ zH4xtR^-ORnY`ENPNZ_F_$HhJ4P?Fhw^p;>|2Q~s*rFzELWYLU}$m=UC1bK&yrPxmJ z=u1dDtf$yoz4dobF$xea(vkI^k%{@?!s(q;_6G-UiT3x^M;uD_olMLc?x4H~J-X%{ zD~bn|pT;+YH>sWGPAOrU{Z2c^NxxE-Pj$R-5bn299jbCJ7vj2hPX}iie&9E)Q|i(i zV^EVVYNjZTu`L)#HJy)PVtHPHD~KsEyz@`-(N@MH9*N1wE;sBxo^gvn`k=(%V%u_T zntVIHVI?NrXbT9`M-|O2_x=O4AQ~>wNkKJ5FV|-e5?Gj|;ssH*ei%NINr8xhn3!_? zILRONUu4rr7i2x3M}8*ktxb#JqJFCJ`~%%~$Ishsx_BQOf=p9V!QqslYux&;7}UdK z?9bOOw8D#);V(_LJ9PLFK2&RyV)R5^k3`WMJ`TfsmJ>(-r7_EA<~K9-C7|r#QC}Uq zGZFur$X(JTTBtge0EECSpLxwTq?FW%BL zS+Xp=HL6$>>;5VguD5Zudt#R*@TdZ@)<;GOvY z(vhpsPwzon^gW>~6L612Fg`jT|Dh>0wszTzk@es3z(egcT60ie!X#6=V^hFdHO7DG zJG@S5!53Y{=s=6UYx^}XGTHY27YTSIn3gP5$MkFnvP~-iEA2TOTzv=|VY3ePvpEVl z%~)HhC6E~R8539X63KIa4^U%3fQsc1BS&A^Z5yvQvV>;P#sCzP0!2d6X-NSa3uK1< zmu5B(9M4*k{Jzp&Sd2P6?lDMNjV~AvEEgi8#XLdk@xr1t_%OrI&=SjF>6kn0-()W! zqh8TFRFe!K!rMJYX(MIYq5(8Uwh?V1mqPnJaDb3_uTXh2C3rte zM0(a{^i;MD7?X;04f_6k53B&srn$)CU%}ocF=fHNY}g_R#SgRjHw9du-;Zpziab6f z1UTy;hnF4FKdzVI*)@yRq!*dTa-;nZ0p zbl7|I>rh)>H%aTz2OQP);cr+Z&{2ks+NwPBpEG*$PF-Mm@j#-W!lh@niylMhJhOIXoS5OY2@XJ2J6W3pIx49NKSAN5-6RI;MqP)+ z+LAK9&4cLX;7Nx2LFYxqF%O4P<@2_0GQ-P%a%Z2)5;d2%&suKVdCp?YN(@$`_qDJ? zNDqZPUCudm-;xu;EoC#&aRFn*GJxW-caPT>%Ln(+-MN^EtWyYn46ikk&hWLR18n>s zUj(^$BdNU~GWZg#3jH-;H(5X?+Xg@(d7F={4dkl`B3;@mvQYT=XP0;c0rN^p=?`Pg z^fm-hxHofR_)0_L+^_o{^Z|&6wawEKHpEA5BYa%UMl=#gU5*r~u)HJ?viS;J0u~fv zyma?{Z;r?lb)A?*#|KgJ2m}U6{}BQYu0G(4KqcEwM@!1YcxJQF$txmL<*210+oVf} zO}@qL6X^szKj^?n-@vjOPI4saw+SK>p6`sYQBFCD#kIm;FMrK)IB_lzb6mD4jwea< zUVP5*lHnz+iZeVzQ^a>9WF+KQx622Nyp|4W^-D1cm~L0lL9uJ5S&L~PXgggZ;oGNx z-~L-L3uH`)-}b>BO!VyQ1*m)-f5-6GYtO6*RC`L0LZ)giwaq|VJ@0dvhh@a`mmW3! z!AD*21x!p>sQ!Qwo-TjM*vZ2t$Jl)$C4rz(Um{wRsS{qC=9GHsKZuyzXxm&peHoYo zsG2|AZA-Ar!3bL_J2`kzgLa?Q+-dp8!(4rU3RXQ;ZUXt%mVeL8F=?5mhDJ<$dIALU z7dMj77&${kW~w#Oc<=aLmkx4?98N5tb#hkaKi|(LD--1}+Si@^!#dB)G{@YG2-4)X z``K999sJAQXs)YF7yElU!6*ozNB}=eDA0Mv5>T9fTS+AV@e|is9dovrT>~Q61D!Q- z-FL8Ksg@ztyZdXeYBs*CF;|gIP)p5p@mjy3M9hA~H0tWb zIlEkLIOw0M_Hh1E>}12hNb9&cu;E*1{!)@^GS;B>WBdfB!~Yx80!rp78oFm@)m&Qd zC>Ox(z)!4F!npC!`43Y@AoZ69JHnePiZ2VI!jFJ=Llpt_c+cyTF zPe?Stt!$66ZyR}Vzyd)AydI!nFmjw7DweC9Ona89hJB&jcxn8PJTRgLFg(m zky^AU+W&?Q?XFNh{a?6X_YSvXi@uHX1OYba!?SfuGS=Vjg!?=X;?_qMbfeC`u+wd{ zy)zZF5>e`mw@O^JkY~k;FMJ;L*n&{F4EmiONk)s>IBuQe5^P@T-ZIzR0zi7HR*?D0 zhG}RW+#jl%h*r^-kOV*Db}Ah|&{rU8!ow%O);LFrhvm{K-#@dadH=?y^#G(FW( zfH+YgunVFZk?kBd!m!-~pc$~L5RM}03=kAxj1}1yVgh18y(X$wO&aJ$l@w|K%lU( zTUL76&o%(ni!D*h(Ml7K$bp_7x(XKlqpD~1VYr!93y1Q}st%Xh9(~*NTX)7zb+{?2 zbcR~9@vSWz+dd{yfHAnlTr1+Ua~yD#Pi)^kTtcl=K7rjm~4O<3xm`ZQA=C`4u-)*;3^m% zZ3D=Nb|)#EKJ+et8qDlvIHjILyn0~%a@PN1lBfzS?;})&3|78dxvZ~{C(_CM*p!6> zqWv{Oulv7vG%!H;UDgbyA%azw`Q1D2PtLVBlU#cln;831xQ?GllinJW#zx36fz02#2grdrtxpV;d@^Pv0E@xav>dX|! zgNZYMDH0;QU)D0%HSmLx702$B`x{?s{&GWBNmfiiyA~ht-mJPsWLhWvoHMzANGeZ( z^g3!4vKP z=WrX6mJzYO5K2hTiCOoT%3KId$itOOnF;W|D)9EHnwr?wFo|T3tLRJU$Ay3zhhY$1 zw0N|-J305&;3OEu9x&OLt|$#vZJqD^oGPu`piFMo>Etk3P_tqJfPlSvy2>>s%5R0A zGuLXRBWNxrHXTTru(x_Q)2Kc)U@-5CIQSYh%hXdx#0y6FMPot`D;fp+Y@2P`+klP+ z(H7s>eK*k;_j$lT7H6%~ir(ea^6utVGm4T9-iHB?pXj97Vn7MQ04KoefJn2o=|g^; zNkLB`Rge93hSDv0O)rx9K z>7|oJ(if9~y#+Ug$c2Mqla~Ql5@3VmK14+P5Asv|!zu4A9}f$YbcITpZp`eA04yXI zBVo&Lm&TWKCQm^wtdehe!y$Fyj;oAr#_VJ8S;2Wn*vyEC=WR?5QnPA&GyyiT0Re6% z9Hb)Ap@EHOh$y*=xUOs3K7iXJ|mIv3^^A#HO_Emigf`XeO93w;=x0*Mcj)f@%wL|KY zn1!CL)qeWpw%HjtW@F$zS8CV-0C-f(7>49I_c>gWgUJnAe4;nf;&y3t%s>z8qo*j3V(h!zvMZ<_h3NHt zmwRqjs!z)x_X9y{tV*0>#nR6SG=hU<8_9L#-PZKn`oqXkg2<(XVfebTVHC`SMLwE>|0SLbG4LWT*StHj^Bmhmzzd{B&9 zSrFj1)0TME4X(GK2LP%#E11v-BuzXa7ylQsbw*pFM9Mty9{h6g-5Q`P82H?}!?h7X z&kbxdB4Bz#Qb1---e2V_;2`NDWlHpZe>4ixb(vFDqKZEBE39{sis8?R z{mENl>i#kP0}AKP>Vd=Eu0Unw7FA+3K%}3r&i==LMgo&K`r#k{nRYe)x_~wb==P}B z8%d`++B#Ig(54E0%>1K!d(iMPlzW-E$pzM3!!c*}Ta7v8AT-^B+?Gnr9sRpjkqU>pr5NfI{aqa8EN8(P!(AdAWGe{s|H4PGCRE9lPKDRF zOwI?~s5KID%|f=hD-sD)zjsOAU(qD8)Z+%Txubm+Pwe^+pCf;c7X%Sjl$TbN|GVY= z>1FadAD4UZ^|P5>!yt&x5Fpd9;WJB_xH}QAr1Fi!PSq|sYb9NH>sW~Z0VqG8Yaj>R z3!!d|OzHl*syTv~Y;I07jT(wXJpj~Adn()~6SpDp{s!g)ClsBJbX)niX4^0J)@6Ws z!9#4*>y+;XN|5}M_fURzXcfM0((+@6J6B!}K0Bf60nDejrZ-=LM9V%IRxckvgOn-C zy=xP>-16p)*anVd?uZNM%=<<`>ETw2*uf#%aZCwYKV%`g#W=A-HH26GeiRrG^}<3b zNygr*8OR5SANi+RUJPXe>fX{q!JG-tObU#P2LqoKJ<*&)r_%O?X)sD}N z$E<)q*S7|rln0*n2oCL>mL0olILcjG7=sedZf%vT4S0R28?xhfsM?#v*xX>QKgX|K9vm2>Yq zzDo$t-QLStz)VYx%*?XeGtm$CMC;YP( zTkGmn0p`-}fg z8QO*MFiD3GSFbs$Gr~S5+~qUxBDb4-I2WAeVzH9x8iLL2(*Mj=RE^CHI zKvn4x-{aT4;;JB6>s;J^W%%AtChZbi#2tJzvN4_kqn=!L-^$4cveuEwrO%ZBvA)qb z;U}c{PFL3uiF_-#^ePKytSF9%8E~ByTUGBl6rnEs9r%Zi*vy^pL%38_cBsYQZX-mN zj7=UrX}PyC^dc;WR@_2VRikuOqXfBG>z{76Z%oBLH_;jftLDnegm`?i%Xcob@Fd@n z@Bt?8=f;Q0&vJsB2e-%3L}@|{cp?K;iVcO`SE-%}f1S#()~nC{VDiDGd8yrr2?jM@ zbKTa>e*iIpoE;UE4QvV~f6{hv~ z`fb0NmdvlVwcRb?GZ3t|lT(?C-0w#i2RigkD=_Mr*o1jGjDE}TW{FoCd4h)KHVcCt z)#`Zn+F1i)x<|n6TAtz67aGb5oUt2~ge4cO7-BvH1o$ee6P+(rJS?p9NNgMUTfL5= zCbwDkIlveIha!~ZV+ZqVP|GHaz|=^S8tfX{4NdP5#VX>nx`C^FHnjaFAp3_h22BXm zttm#4I+0~(t|%58|F*PbYa5Y_H)tG54v|oR!`#R{Y<;)hmEBc4>-rn$TDGb!Z46_q z9~Y)pu&WZ5_jck*It`RNA4PF$l&mUwDscIAnGcLKnpIyw93G?OIiZc%WDyO_!$X_5n94&eYIu!)&#Cl% zF#1WpoZxz1_}clQ+G&3TRPs7BkU2P%GfZBcs^AOctyyL3?W0CS)Zg1jEW!8HaWZ<| z5$f=YzwUQYMMi7(%cGB+d6XAi;Z^>|@0sVC72TY?HZYBbY zEqJqriAl}X-oB)|E}D>>Caa3K-x3d#MLSYLgFr+?7rg(KEP~wA-zX$X3{ltIAh!aW zXx9SRTPxUeY#&MTQUfcS(Kz^KV;C$Dov~yKJf*8n)pybcwae>t1Mh=bP2;6`dZRJ0 z@eoi82Y)zfh!{(^>04-+&9qOd>AC-cl~aZ*b6vbUf2RdRtTixd&?At16gAhkUN}CZC3m&d&X}V-$N|u7KtSZ1<84?sDQIwsG5qtq&{xO+$GOgRdZ2 zO(dIhw|9BY7#Y3(&Y91?9v#rXPAiTd#HsB~1yUGvpI)Zwbw-a5B7l74ic;3;Uq)!xKjY|@)=8(~@d<5J;&m$XMep{*MHlLok?5~$X28!V7mV4fE7(89g~;{pmpHg#9ragnJ$7( z43kpjYRx7b2>|S7=GSj%w+pRLdtgz7m=LGF2QcR9Cb0G5-HtE-yAw)UsfW=hZN#>$ zPIIs zC?n&DNn@qJ*OtEJ|CA#G&)jZl3 zbQdsL)}{|P{yo$u6+Uk*m?BVb8B*xx)2(Whq|)X~{YQ`7|Iv6FkxN!qo3e)?jxuOmF_ppM&b&E5^{W(j`+#h1S@ z>HYY%l~2{Is*{izAOgMj-Re0}e)hUhD<7Z<#_*($g<9IeT!m|ARi(3o{(+f;M=Es2 zzYVg1CzWPL*@+XpzkIC;XZPorMC`)F+_*t90b`)^;0BIJQiMeWX41Qb!`!AfveZ=Z>J$B81L<3ZXwzU@8vKdSHAL<94Oi57gpK>3t6 zY6TF4@;>gmYv}ZjsK0c(D}dpthCcgSLV?y5^1G@uktR-7n6U#bBnQ|fL}?KfkArmh zJ<2gK>vV|xMc+*2`fc)CsUGX4>m8qc$9%!+h59N6E~J3cwEz`;;+kR!xUaKC-3s7e z;^kQ;r=P%O=9932K&JPr$aEyB$;~GLb;U*(^{dZ>)uvlVSl>ZpfJ#@NPlE+r-zlCf zz6xOgcpK4p@qLKpF-}k(qv+0)$18Cwyl5sipu?su zC-FFgYliFjW60|CoRZ(-M^o$2#4D-u^Bkq2OY#sU(oE9E_RO)ULpZN1N`Mr0#T(KL z;M}FaU=aDS2E6V!@?&1V<{s=!0(EcRUja|#`-$Y3reDri$O}w4MQF5}z3FdQn1F07 zX^s9tw~n78%+X10)Utu?Y3jAD{a z8>xb3u0!%G$Ss3+iH9T`Di+ugY=OSQ zfS;JC--}_G{W&6(HTQ%Z=yYW!f0dASr_Rh}5=;p!#`h?DZX1)VH+QM9F7ZlhnMZc| zAhc}(*{fv!LuTk2(hFgbf+q(gY7qbB^G~M<@=%jPfx$lzQT%Fo4Ya`PYB_(acu2

{Z@aF(q3Z+YTlV2GOfh9vxX|zaQA2mUeL!N(zhqy(+xmC(BJMwap{^p^%Alg> zX#>@)O%^DA1EaZZBos7G7>Z!pYsU4g0mbYHZm8dhoZ=;E{_@}BLp(ALE|%Ax z0^vf))pLAENI1#JUe_jW_aSTZwhuye-vG-sZO!KqE4%-Q!EM8w>+lxNcp$*Z|JLe8 z4|x|6#6gMsGXl9Xd)^O(1x7DatntEZ9Kw+b`|o@P0ia|@;N3x#8F-v+o`V2p`)YI$ z1?2iS1FSW{5QJ}OgV-vG_NHCT&{k{m3;4*yAG`uwG0X7Y+db^nF9f8!n+MVCjsjCU`OiteI=Wmdm`ya#Ps8QIZ0v^ z6D)3uKD#|0Ts|dcZ>)U`Yz%WM^GoWRXSW?oK8Boc5I{`79PRHCeW1g1(V%@%4`BGo zra!NE)2!mpshpyyVAGgt4QtJV)J@uX2$;e(B_^lJxbtp5akEn&!I5_Do%@B6f=$QX zg3PJjsje9>KP=~MulHY(8xg0mQ-ZBpnl$sEv*#v{qbIKyMm&n|e$9&z+#x`H{#Vi= zD+t^QIt1b=kb=?Ef|I}>0o)B%1t6NV-N``El*`J+$KWLUhh@44yPQcOHP%)^A$9MC zL9?UFd$m;?0~s|PI}=L-H%H0yh+%q@A0oAj7YlAucv=kty4LcN=bI>2V9-{3d3DRY zdfUBIBSXAczs{?ALWpy_S#sYk6DGNgEm(g)?9uz0pz)^D+C#oXaTuzs(=4|7G#|Qp zR~Xrwgv14Xckw3TYu-uEljpIMYKhK`iL}y#kjGU&7@QLdX>B^XZ5YTAdu@2yxwAvu zoiCTxF|c*4BKu8mb`2I;l`ts(aC1LH+5tx*f&55PyW)oVER_nH(d0?Z|Hm{vdh%)B{oX!Mzjw~OF@plDeoIazUG+h|9inp14&>1 zTJ6>brC_Us2v#>GH5=Q}A^`Gssf4kGk&RgdSYswjkFpMKF>6Hk~; z^POl2EZ!F_PEK=O?v5ajORieKkj{Swp_91)x`1R^!S`}Z_}JFj|t!S21&bzPtK z=-;UeNEqp)X7+ptzQ_2StLJ&pIlC%w1(%y*p7oK3y27;0V50y`w&zBtZF~XY*6g!YU@D0iMs1a?2jZ&Qrs?&l`1~7~h zIF8(t06luZp{!l-XY(TJF)AdT^!%OpX`-WE;p{ZF4^IPKJN~5Sh+a|OR2oe~xadP) zvW6R(4Z%0-y`@T*>GN}UNS5ionwP7Ijo}gjw#Pxlleb%mUu)xiKh%hlU-cSU3OrY z1@$zf4X8@3V`E(0L>3c?TZPE46+qa>&3ZpQmOrlTI2^>(^Z=+OG9j!?)3p}U#XhBZ z|7Wa8N>6#o@Uow_@*^{aN6z4xAwdR9q~Q* z|4zGnQzJ6U&8$v>S#TY#_0%+zx?7Lt=INyd5&o+GfRt*#Card^eJv@rYJ9hz!}e*^LzX$w*D^^0aQ(J2C@& zdO1yD%Zsx;lK8*+`+q}cO>Lof4=Q$|vaTVx5Y`FzZED6N0owjENR}$?G~IUn{#~p| zMOc`E`&RVPY%}>kJLB4$cN~rPQUbasJJXcB;rloKaFG3PFJ}O%PQb5nzw1%*za+ts z|4M=v$!L*@+g!j|ee{|OGDm0?Pyq7@y5IMzC-cpI~-sGdS?g>Te<}C;+U%l1&FD=k?&c1#iFhB@eEkT~q6C zCvaRQtKoc%mATj>*D#KjT6Xm#ow>S4hy(LA*z91gtNQzPKkdQp4JHJz``+u7 zdQGQ}no19MD%+5^+^kkLd^iD~Uw-w__%iVc>{X`Y(}&oxPR2mid~<)@GKNJc5c1hc z^vMO8neG+0EOb2mI&+0-Gj~D?3wsWc>RUU#xu`g#XC8Q5Vr#tQ9cF&K{5id|CN!S8 zdP5>aeS|nFsI8gw`&X+cJk08hZOJkWWb(~oH~lcSMXJ!%?##>MvIgh;+p<5@Fkg-8 zpB{%T-tWv+cs=g9&8R$Uqb6F+h&H#{+r2+nF+j1>xnR!p0HMj9K1b#_^Xcoo5(Y89tTgw`q)rfz#{(1?(+ydAiIKJN^0V_bYr%Sdp z?Wk-x(9ZUbi3u~SUHMmv^Ih<2Sh<$dQdzXh4!{*YtcICg;EFXh}(sBl-fkAHPhmHP=8tYassIp3TY$K;Kro+}p2Nfe* z7e!9U;at->ROeuRKOpSmMLR}faRSzAtqUc@FrONH81>p27RTG|Whx~JZ~VnoH1ub* z?jxmAk>0dalChb)EnGk)kRvkPUd=%Pfg&KR9sFS?hTBIbHOaexiR^dL8SH2(h`@ z_ySfwc>L&F?>B{nGgwTG=uMVUY9-px-^8DIQVDeWnl-`@s+dS#ie|WbaZO6 z_UzL9#5f{^+#uF5@F2q>ey46X@MoET^F~hRb_@$rrY>%3(#WX%{X`*=ty>e~c9YsH zCzPSKv`JWfVv_6f>T%OTHO|O{0ugbxqFlYT;qyuRq?g-C-$aaizEZ^XKi55(+LQx8 z{%{b^#=&*_*3%udQ`~TjW_d;f99yqg_1J8;PxhRt9Jme-#2}9ayzt_Ey!s;kZT_u( zyfUw(dYZH)b zq>$3$98=Sp1`fV0S1D;Av>;k z$8}AlSDSMQ^+**Z{dHg(0-Y4P>uZ*h*YUjn10tph(yz;3_iqkq$!E4|YQ~kFai!xD z;N2hTt@O*vEYx@iv~GJbVZbZs$^?)qLYidD<=3tWSRist)iedB510rbq{| zAtQw&$lOVI1vV)cZ_@>{?w3^j1WPGpS8~gFJ+%WK2Siq0EA)buvy`ruPy58vdH+`J zDjw7DoO#(+)D73WPU85})7Y->;;eV;?XmUaWrAexQiFbX+bIsDt2ad!ZaJgpY7*Pr zj#Wt^qd7;FmV7=m>lg3eLT^dKG$kZ>g3IaZmkCuR!S!)_C`b(ImcXYfv;;cSP906* z;v|^r<6DB0H5C`9g;J97POhB!+yZ|nVUSsJ&J*a&F2#OdfCni*>|oyop(Y@>LM^2M zKyS~4e8XP|38ipqTt400rd^8Tfven;AKJALLl^7Nh6~>cCBw%mPc)Q zY;Hm)EtB*%;BH4A(l?r-;zQ2Jvocu4-0ZNHi?WJuG?m`);g_S^E4xXUPty}Q*O6(X zvNA)`GW>dzm*9!Hi60e6PK;NoDcwp(k>4@O-!dtj;c)u%m@n{jejWK-SkioBT{#hj zptY`)|4G|HY_!eB*nEQng+!3E_*+?HWep#TV2|n8vo^2?o)B_3Uysd$?WR~oy6#&y zH&{u@C~3<}-rw|4NLq`Z1Huo&2K`ArJS zrkoST3(5K=7s(Nj-GqksEv?>$W5IB!Ul!}p><8Z$$KFxTC*IbrOrdLgm-o6(Ph*Ss z5pGSov5HS;)Q;kJx-3Wq|0Fu;l4)cK2e*l03LqdzYILUqI0Ygx=qc1rDA?OimhhBs;qPeAvJ#HqW%!g~G zt_4L*{4y*^Yp~&<7hrLJw05eK*C`qV8%FGlS-}qhw|BoXAD3m^9!Ddex@@~l$2=b@ zEkPFzv3W{Rd0lu=%Y0nPmu4P+ZV+j;ooKySx3qoruosR}${ENbcvtz7bH}*g6d}5y zAYyh!;C!Jma4;0gslvD}_ugdZk+H<{dLjc95(n4T8Z{P+c#sbzm|9#6ZYOPKD}xtQ zRR$N*smr&u9=&?*7he@CJV5Cq)O^;?FsswpbP4K^DeQ?XBag+M<8attf&hEl3L}NF&_{QqmE(%m549h+|UeiP5}ob$W)e(rmJyp5la>$BFHbIllYjxk4lbKWs(yZ5Gk)_bAt zyp-zF3U@vJEEUFAOm%HmS6MV)V^`3!H@eAUGu(4~s7JES2e~UqCM%@Rvy}>5fpcs0 zG>AjH$7yUWcr5Br08Sm$ne_!O{xX(NZMVXB%Yh*)Kk}i@iCvFtrN#gszT@*0D&y@b zCWanNpeatqS58;rbDqDg1-Kxk(gc<5Ydk}mG1_fs1+W0rUg*$ZRp7t)WNp&w%I$Z~ z;Dz6~KR_9^mNttt@%1+}_1YE4f-MXAIW%{Wg<3VfX6rh9xD-!rXVjn1 z!%sR^yknZKHV`aLxP)aSRi#8`6PR?s5v01oWx)h~&LaGIqQ@QXp(Xh?_-X~~>~oXM z^l16m$5Dk*o?#|OmHx$AqO5G=Ov(P4Yr>A-CW4h|9z((oC!VCWJvk5?`pvhhx9&4Q zTY-Fu#-WMsF^DK=dDe{7j3j_#_@&$qjn(cL`m6Y!3?3qKDaT)-QVUB{1AYK}5Iv&_ z2_O-c69J7|y}cL6&hGu40BHRr(U!C$WwGfD-`>LV)b?54B73|wW=Fyx+68!NLX#m# z;6BK7f6svZHYKUpx%nrM(!GhkY1*Y9jtZ&GgV{w1+(pTeGPV8Ye%1a2Cw_UX3T=Yj z;Q*zG&945kUnhRH#%(#UMjxOn12a&eu-vz)qd(3Q($=(hL;cTtW zMM001h-e=t7HRY=ATgJ>wNqLFoznR-GYb)sUW_s*@nvY#EGIgZN?b%Y;Nk7o-|KL! z_Rd<6B^1GvmdRfQ`r7jmF^Jo^z65{=1kX}|C%v0S56HEC2!JBgfqAAAWTgj?6c}Pp zdjW<(?@k@5+%DN6(8H0x28`EIr;&gWWTGbPN2gn(r(S@DZ>#}>9s<+8b4VqL8*!Dat-@>(UQd~q0W8PcsQ$#XNw=ymz11X={6!Bb7sw2 z@fA2PRH-yJ_g3|y-nRMKBJiDF)(z%BMJoM;NjP!aHul1K2Lv2%C}PnN(840AM=QS_ zJnD5I|7a?VP@GejgA}uz&VRVyux^acplO7dqNIpTU(~66&m1Y){nFh>l5IY;`{StF z2}x31<*$zHtYzJ_wXh+85#T~tAkQex?h;g4B+vK=A9yVNZUWLw2?;AXh@7|+@~M+s zcO2+J8W3iH6aV{NM1Pr$T~r z^JwY&dr}~eoOhSb1N$S0^S?el#`n@HD{faH)rGvwzFOPn7=0M4;XC>GAAN1XGWt5c zCpiD*tmlF%y$cBj&1J)n?>9FROyvJ|aQSTKz{!D#>8`q8_!JqE|k%cv?zW^Y$mYcmWbe`QMQd?tq+a-fj46# zvdyi^u+}`q;9=@}pkD?-T%^P1AVb?9kOJh*U~XK1o-*k`UX3P^1NCk4>j5d^#eg1~ z70?5HtAnmDj02=_`~1vuH>%{D(u;K@9n~d0P6qb%=g)*c2WNqNq>NQ9b=ZGL(0rL( zVF&mPKpz)SbNL$=f;4q@|H{1gZJpJ+EBif?TU%0KR*jQvvL`a?$Hpwqmw{1oD$0LN zj_0%DoCJ<%3!ZmK-DK844)sBEq<_#MK!+4#ZgYw1(gVmBI^eSDYFo2QzaRUp8=G|i@b(jj|6Ys zn)p#fb6(GRdn*q6mlL3mGb(dXW9G3S&t~OJ-M`z7oAUD%H!cX7l@+4_p9TH-cM5+9 zh6KN7)uZPc(`4iIGe&5rlK)Vc=d-Febr@@Z0hrtcaYvqZB!JdaZkOj6JvcA?o!%em zsa^m7Wi0|@Dru(Ko&VNboO6|p9(b2NgZr(&5}9Njsk{L|2l!fxCdeV47Dp~t_BsQ^ zcGV(;-y#lRV(4LkG|U2g&n5=lkeINw9WdVl2p_1(GY`@&RD?1R`@br6Z4oO_hrv@R zP>c2!D67GL|NUOjlev!1o`AccWAeG+W>XdRIJ7{isW*RHF@W-3A@mAfs8IdyAGoh`bBoP9Y8{K0ycF^Pc>1{b|QzRAOGT|AlHmyl!VJ9f0e%`#T#|Nc-_mU&ussWIxiJEQ{Ch!r{`g?~G_e4R7%;=^)7uXKQvj=D z9|8s`+1ntlYM|;|L3CxW26+_$kdgn!E#3XSDuJSTh?3{l>9SK0*d#zO)k|a4sgQWk zK^uU1R5*y7-v}}zB8|2E_A1-%^c=Yjb7crhFWFceU=mia=?>EU^4|Ns_p_(Zkr0us zJIIAvI`6z6)xF>Rdv5`F6fwGOyGOsRUC+Om0h1J9CB4FR7=cW+5eWKNK${81v~%|mEWsZD$OiCQK;r1uWCf?MATNj8bbzV^J;o#;P=pEr@_f*|&1{W3m4oK%@g&-=Cd08)Ernm4-PCLWMmz$9`LK0kl$DMKDk z{#+fafsMMQuSDBq3cAAcEY|_dCK85IU_S^r1hg#64)A_6X8kRBm;ty9AwX3I=<0{K zz|6)7b!GpA{;c)QFN-Q-OPd`;1*I$s{96yAUe#uS5!?E=C=luBYzsq7KRvl&ZWa(j z@bc5SA)VBS%}t+o)}~{GZ`zN=!(&vb1xI>5XI~1C6M7|hDN}mgBN5v-`j~}u z(G;tWjXk1I02iK!MR)oP?8*PNNO=e@I)n3}{e}4#0x)x6^M4PxDo@iM-^6Ny>`*B@ zzC=%2z}iNq@n+XznH@*K+#432>;1GPaf(|?fkk*nx~Ol_-bKYr$u4_1vs21%S#09R zd8hXi$dVL(qDUL#BafCC^)Is6Z!qFVOl+!GnMCrH7Jkt;A_XuT9kY`Q?lYD8dp&Q? z7&H3z^m%8&Lrm9a&Dr62uNb>oBCX(#J@0x3i+d`2W5}}c$TpW3l3o1Ct^uFtsFu#XAtb=z7?!m3a7@m}Did5r+%^}6x&SyE*%k4E1 z($x}DY8zm#l8=c1>f^A;jd%pwRyuMeiZ?D5C&x>wUC;EDG9oQ288 zdnGR|#CmL~tDj=Jb8fL+!%U-e>b3tMf-qxk%5zQPTTm-yk$Xn$FU41a1U%{9e2xQ= zt`Q9(M)!LPs@0=YZKJ71Y>?Bum2b#v8jN*)e%uLAgZlJJxHZigJmLewhBqpx zVFETex}MFjFV!zY7Ab`N z+t!{Y*&d=HI^s3=0AfZ&<^#L*Odt{`%OtEVikEF10b;b3^P+v_1>#X@&L~F>&RyxG zv>KKUIc&PE=SvE2Et}sxxi$y6FgR3S|EOpA7_SjyLa|suK#2R@VgCg&5^_EnvUHLx zcApiY@Kq#!sym^e-b3WBcJ!Ze*nP;;8Q$_w!w)@CMzr_2P^8oHe6*v1?~eDXv+LHA zsdZxf&c*W^A+M|AFYm+90?9wN>gLDd=Tx9-l%Sq+X5V=|@X|f1%Es%}a;?|B+sJ+7 z&=dm1o>J*(myg4Hwq=g;I1i}rW8r4XQ9XIoGSgWgNch}7+hl63l#9o4SNmR0WGP3w znv(+gJqB_x0?%&$1kCNckGZm7$`j4$SVSE4L0*rudZC#XZ{-Lq7{zW`PRs(*3?oPA zG8B(3dwTPbi&v{CT9@-Wu*LH*^gf={D<-uU(YfE43cAl2t(HZkNClQo9kb2o(R!R3 z68wZ)u6%Gv9~FFK#;?#wuYZT(8I4gN{Qk@DKku0>Bu;}(Ze9?d2i$|DAJ@>;XCbJf z8{*Zd>WIC=qqYsmKc=EN?qa9;wFh)^Zhcge1Wz_7C4+6#UXg^qd_D zAO5U!sit+`&Wc6KZ-#n5sYF)#L+9h=wK+=ACqeKh21@;Aow4fzrHq(_6(PHAPO&T@ zeQD?`_8FY}s3jbGgjGv?p9MTIz@NZhyzeP#Cl4BC%sO%?P+K)9MT8r-KYRV9ZeP#~ zFvj28BX|#7bQY}Hvt%b${_+#0oUXmJto{cn3*hbDk6SR@+_?WKs-G{EysBLbgHZbH zkwr1L2K~fI-62;(Aps{3$Ux?-3VE;EZ)`J@@^Cwjv>pK2rY)sGiWbz?8R$es<=r^$augf zNUnT+jA=6zbD&lHBzFo`-XhEhx%~!p{j`}G{iJ7-=dR{q`|1~>(}ex z%c#P2_X}|uI3q+cYHjydseHQ9Y-bb})(5r%)vv(1W4wK_35D0LFW|v4kH2|eu@!WR z#dh(o@Warip*8(j)8?>!p+nmpTPapuL&7me}MKIv+*x+@6$un7#lZn63B`{ zrnID*8rKz22Q`FiQLApgHHnIb`~dC?@Xcv{evg`0tWnl%Y+&EjcD!*DT&QqBZ8~c1%C==z7-aWV1xHy_o-DeW56t#Be2QbK4G+hcBzgTOm*P3VopM7&E_Lk&nk z{_CT(J`*J4MH|hNhpEwlZCeZT`)hN$kLfgRrm8!(d2MptEgcgax{IfX5XhGy3n!&b z*CX5)lSc6EAQCBQ|C^Tls~KVj|G1j#i6X5LqcLC;0WD@y=p*7qxNb!B>zLJIfZVDN zIYO_d`1u<2c88VcI7dhLfxFsVg&7^>dmgPbPy(*Bs)T-NUOZUWo|8c0v9x$1EVrx> zb?`Q*c$L4g(xdI`&jF7^QX7rqBKY-Q*goR3MIvCpV(f6Fa|3w`>M@Hcp&9&U=(Eh@{j_af?{Aznj5+rK^)vS8Xjt zu2r2Tx2pVSn4S<$NR@K3u`}O?7{+yr%V6gzs&TnoA&N%ymDo&8&7Ts@+w32gx1mA+ z;Z)U@s$5g|SQGY0Nvm^)y4bG!CY~vEJ@xhI(szKZ4`>I51zZ9Ht+x+z%1E9Wn}OIg zZrB7!=u=?7et75^xI`Em9R5o3tve!^3Cex?3|H~Y?=P>G!^|RP4#~Lzg09>{2$vTLXuqo{*a4f6i#nIyK`KUiM0%QK8-Wl+gRlH;TSdJTtR_l8?<;-zCVh z(p*Ie==d$JLMPZNE%Ne^oZjVr^Vl2-+u?LvgI}Ky7*|;D1`cbgPk?Zt!CzCmwl&F9 z6{-}v`eo^0>5Q(Nqt|_r;kSdwUxmW2!#s{kHJo(DvFg|eKqB9%!hx~ao!*M>~+pBHiTm}C89%HaxAE{y zhNa?chu;+ya(+)-Ox!bo7ITvX9}BiefG;8Ge+N>ab|08h6|Qe>RMkq2Kc6 z1Um;iy;J;aFesJ(=e||W9M}C;#&~zj!gw1I*l1U_r=`CMRJrR-`gJgP!}FzxfDz@UMY|y?4!a3x z+z$v|23|t7n_zy*XPgQ23g5IyqmKxb^Rc-KE(N6&T$GzeRvXuvn}FX3D4V{l;DVY| zBR^khY=i;H$bJs_;qpK_BvfXMtvs2>vtnZ+tN#839<1vMI+ej2KBJHq4EC4 zp@Urh`r2gl(v0W0y7+(Vn$U0eK-rRf^L)_b`S5oRId&wR5{Rdhs8{Na>{?<^7Sz8F@t2i?J& zDXzUfN}ehB(j!<3ik=q&X9@(04eT znOP-n4syi|8I4utyvl1cHh3zMuB3H_qY@Qgsv;$VAnZe5HANKe%1gF*0t86)?032> z^HlVs4$*5A%N+l#&mXht3k&&*3y50^`d(c*O~OFuJh;sQd`}?|-_-PU!7_sD!{5qm z3SGv!e|0Yq0B6&;@-Zt^M#VgX@BTj%11|PVfvt~f&bVTE@ZUZl-9;%E@+p$1qUvl- z{dWsQzlURft1fGGN0C{N@z+?sWtsa6H+GP$&n?KcC+oTwY zw+}vyl`MLPXGiUuN);GKY4lr7NE^4~JH1PkST3zXm^1sQ?iHmUR;_&{=4d8%)xPan z>5uY$y=)Mqk4NLYE!64Rv8vOYEEN*M)+$0^DfwqKYRsw|2;qM6{gAj|GNilgYt{cu zjy1cC%x_)NoGn7fAKYp5gw)%{{6|t0^|*QJ6I9 zqmaZJ#d&UyTC-*A5b=QQe})xMZcH*LHgYno{-9p#6bP|E==*tC|6LIR3_U#dYu!B_ z+~=cvbXEKvK;2PKn=hBYfJkjlh#DcA=}LAJeA@$doykcw%}tVY z$&Y-U}(6xb-Ux0&fJ>Gfs+@B)~v&hWFPQ5 zWT=P17CJdVHvFl_G(FRGmjvo{29XLI1bMj@bs7_7T8@obxs@g9*%pp#c77t1jVCiC zruLLc*8i^KTgmxr+$CFu8kJ&}?aAY|4iUG*fUBgr1|LYS$<{(N?pjv=UoiP-8ULzm)`R0{Kg)tNVoyO*Ho1Pty6) z!C|*tQcGMy+;DT}g?DdOy11UvT-($dsQO78C&Y45eB{UeufxM@(3*X9-D@-G0nOuG zwmNclnpNNm2V9@fLX-F{ugM_S3+oI+EH@zxuHGI;7d;_>XT>H|;;ibqE|r))^dW=* zBWXUA5S(W8pJu&eSUz~bM*YMZcGJT9a6JO(p_Hj$jL|tud0}Le~9mkIx1BF9w&|%4@mdtK98&lPpYOB+$=`A zjoH!3>`Wa`hVd@gySSg{D-%gOsOs2{m10617v}Oh?9CNBfveyvJx;5})6Lnlow>$6 zakpt8R3UuoS#{b|E&?mS?fPI>W^Za{aQGx*{w5M??gE?@`I`;|+@+^*liaGy8Mg;K zZe)LLq7*^-t!wo=qTVIDtO*oNT(xL7a`72qkl1JRmC~NgH#yOD5ni1P@VgDvibKv@ zb*Gu-`#@u}8OD)~Qh+1rGw+X?I`;qJ3+B3>UK1Y}b#{fp6l?~a#OAKOcv16HuqJp> zn51mx9JpH9ojukD)M;Dc^xp6|b=O2-H1gEcu4Qj`dpH8?E9M6haOyMtP@7vYO-Pa$ zZjAT|c%7F1r1ed`^J%$y!2S4h{r7K=^LxO7MxFZ-l9Jny?O}OL!dH^d!H{16@=8Hw z51i_EZ#^zsDD#!+=$y|R?P_AF)F&9G8?88-6#PcqEY6-p6D?_jT zvweXb?|neG6nS?}x{>ooS0-ge;6aYqa0(7%;E1r~L!Pd{Z^G<2JQP_r&gQH7V8E*zeo?Gb}6CKY)0I4AfmSZP~Co+(i@!||GB_0PG) z;cIit+e+WG3M~{~uDFum|#h0mT9aN8b!70*@CR1Izp?0payH}%xFzpJa> zjE0O4grCeuK!>C27F4tXu&@y03R>@p$FCTx;v1T z<%p6JIh!fio9PMnZ9k6`sx1<}Mv3|vLJ|as_T};IffVu@sd~n|@!9?BwP!!)%f;T4 z`ICcr-$l)CGhSDC4$g7cuSQrR(GBp?RsE1o$O8_BuDKO3m(MjHg-8OmMF1M@us)|? zTJYsoJ{^!)k*%_dT=(84iu4tg>N|CDlO#C9J1-*EP1xVj$pMqe_fERB@((woo?|MCr6t`xr@+*N)@Qf!du_eA`Py*)Aa`iZ_WcpaPkG|m2EEU0fdW!>>k16?a#4nVb4nt?OpY8>D+AwnB-yPYw*4 zijDPFO&H*)x_`5+=6fB4FB$szfDUM3znT;1@~ckJLQWnBn@<;;N)xbmi1Itbo#V2W zKX@{cBPM1svfr#$p}JjeUfJQFfUt&o;Fo))4G$J62o7Vt^8;-CdOnkzRLJ3#8ebxC z^agKWkquzU?;JR4JGyzu3rebq--Q6>)2$OB)mtk)AJtt=1n5P4&4yjv(sl5}JU71H zs4$)_)YUQ&ovg4qR;TO=E!hORHDBVSrzY;nNzX;K2rqMpUIh3VPe0Au1=Q6&z{JEv zibJ27)eLe;rBf?^t!|iFEn(&0K>7MEDYBJA^labOnXXQ}AZEr7Kc2HllK9D38~uUa zghZ#aPX4Cv)-?%PA+BM`O?~=ho&=Xml0ISLGTIicgYFM~4o?%WC}om7Ea3;aSaniT zT8~AywhYk-2faEL8x?GqPaX#aO4PgFeSo@AVL2BDt<5JkrQ&APpqpq>Y4BA zGKy#W{sY5x_N$(U`CKjcakJhVas;xx)pzNd@oNQYi0L08x4%1~4$EtXSn*%%mzH+t zh~hU5QF0DR?0Td%>z6+o9Ei(ARShxaNN4tRJlZO^I?MI(*!f0-O(AlL_(35jplwqf1dcc&lT1(xXeIYzeD^A_q?sh{S6OW!^_s_CrfPR z3)Ii*Y|XDO3@spQu}M{AP#>P;sXLCRn_k8SNN(Y3=P z&WZ%tSeR7mE|sxSZU@MidG#6%QmSZU6XZF*Nw??%hX`n0BlDg6nm^ZD!^$LC$au|aC(hD>&chL;Ywk#oG<4C+kE4If8i zpfbq~wuk5D&^Ti1$gLvQ_yO(usBa0F3sCM4=Ra!gv{>Azsp(Z=9dX<2d)*m_Yz3Y! zryDy!+XCk>EM5SQ7!sUqQ8NE7~vTj)Kt-1n}$YnydJ!*J+pU)9-n_(vA(DY zQV!@G842-E5*A73a&a2`Vioo#nR?|RSzusjNJxlsk?U4(+mLQHFR}-YY_`3r>Cdwf zkGYex&(Y2P)a)yVPHK1WU|3BO5^0*DEj8|%9!47ge7OFVEXLAW4yB!qk9+uZC`cBDa>apm9=FC z#>b6E#%JI7%6t*)4iI~eiH66fvtD@9F5=6^rsQ%)vdeC1E8tFwvAVh@DkO|X$W&Rc zv9z&*e!-*Px{=F!`G|p<>fqS64!&@(A0A<2b2MkvS6$r-^AZ7sSY>2Mj^o#$zZ*q0 zq9tVfH9`S8hl0mr%M;yEQqI_9!~Suj7+H@D14CG}0}Y>PZ|8!hKlGG`&*Qo^nW+qh z*W%bU%pZMoiW}Ae9V~q3>U!8YG(TSl_xHE8t%x;c!!SawxV@6h%Fw{ac#@culsjh$ z`#B$VU7MGa^J`$@YAS@=%QqMW1%;BVM2ryQNrUAOR5UEHaB(v#BEHK0rm|1nA-`&i z->|pEFLk!AoSB(b3)WG4^B`>bE67p+fn3&R2aGKoRnvK0b61+?&|wR;QY1B4L$Ajk z$dz<)sd@Gn;Io>nbSzsnt`4J_t4zO^ahdvQH$R}wZ3n|AM`##tW=PstieO%f7|!1c zK-kw=U0HcV^vY^*(5lfcKAFd9ZhnB0BWJP40Q#-j%SDu@q2lAgcjZd8>z;>Zbc+Gx z-0Ws5R;Qy{%nA|0P1mWiFZ1S$Es6?*aQn&9aOmO)f7Lnd#H316*bM&AVv02#Xe1X> zR8axJO7~?Pl%-ny0?lU|`Hg$eZV*Ec&a6z&5s^0@lAdu$xV4o6+-b#bg_8j30_YfFwxo&Dgg)6KEWoSbtjm2>Wb8sn2J z&+DHJ9z}4o$${+9n^~|s>UIpYw!O$x_|o;!3-M&G(rK)Q`6~V%Yj1adKyWZc+B*}r zCr_ejwOEcio6ST~&DHmh(ByL^BP{Htwd(BYLJ5CWu0&5Z!7s}MQ>z^hsN?(iiXF-< z3gU#yjcyJRT-ckK62!sYwN_BqP|w4V#9OVmoXlNWNKc1#Q~5!&?bI+k6spy9dIlPc zIkZZ{9`KUC=o#mWzLpldHJJ!@i}U4)Onw3af~BdyXkx2lA;m*xCy#idthoA{z$0Ew zx^LVKF?mWZmoa>8FVe2lJ}8j8>G*smD4>&6y5>0zkrIUPA;n52C4B9E&$u;qa8jUY z^16xmXEfI3#^$DUGS}XTl7#9cCspodvlM>by80_NHe<}u_w%212guSJOq>OR9{zJ0N$x}G0{F#?>Ss5 zPZlU4=B#VP?~E-Xv^!m)DDzsODzvB|KYwlNM3hyF^oJH$jG59!q zcoGspK?Z2=U{N)ynF4`dm*mMXAHq59?hD?*h>ZHC)I|D@uRB-zY>x;qD3{agNZu>7 z&CPAQ&0m$ntX_Aw0f#)!9yu{&*)!|a1&w%sGc!^5=mjdo*Q3b^!IHSVzC ziiWGON{e~xzV6Iw*W1zh)aXM`4cX7krxsgW`B;=)bha^sbs~$w6uZ+u`@ocKI$No4 zi~Ttnak8jT8k1a`&zoD?@(GIK_aL6AbLrSJNCW&kHZiepa|CxxlgHJyAs|O{dhKW( z#^|w!ra%!=s9hv|RY@1n*;I*!F8)2h2y!GIn!yr~G>tF}|V89yO#@b4Tb z8W*MRn&Q(kWpf#>hK_Pi=Dyj!JlPsOEL6Qw;+tbVJbJjt@Aw^dHg_YsB`4_r@&)V7 z&rFj$b|%pIvQ4l?AF!KA!inz(_>YRNkMZVe2Kk%MIm=NPZQ{KuLDpjBbs7ux|Mu-` zt;0M9rD)xl2Yrph(f9cH5zu-XDU!cNrAYMr-pmS)b@U3i1{)G9fr@=4;XQkx35nY6= z9~NZFaBeE}j{@g$NB1oYcDEb!ritnOmN!<4T?SG+Qe`FzF8ch8D~)DtXD`iAa2N*q zyGBMvW{a)-#Gc17>r!J>m=o38-;BTLf%W!xty*)aSHcQ_^i`oy7pC~Z&Do*BbyXiO zkpAG&2B5PN=Up6j-0X2Wul)Hu?c}}aq8Y+h&f?G{O@G6I#+JA$+wyY%m(*N)tpPTf zWJ4BB1-aF!b#>dZHqn$)vAf#SE=#R)aOa-B8m&+BlSj%Fl1ZDJic)0=OvmfIgmh>2?zZ=CJ> z=a722FvP(}rcFCntzqY8pTkRr_8R;~cPU1*BngFu`r_Cs%SzmJ$$&J?$i&9ud@U(2 zP94-X)p%00CWTP7JHx)~m%NM>;i1Y>X11*_^wCJC@eKMniP$_}$wIB#u_hworkfv! z0FNMVeyYJHG23tY^6|7XtYT=cUw@)F~@r_yz0N`~Zdi_DR7!JJ}K5`3JF zX8u=Dwo}=U%%=ta5?!2-Xh-3ExxzKn9tUvXo~%eSb#`u##qOmSG%HMPr7vu_?MxMJlAhw@na*G0 z`n3>qA9TE0&febK_^wrPPx&`HapikzF``2N$-}@5-&y@|62SZpfMmwfa&bocYwY&H zn_hg0O42dXft`|@E9#vNNPrFM>g<#?gkU23jF9eKRAi!wncl&rdZr#(jYc8dx;Qv6 zP(nQNp^vjlpUg8FZc%mhZOv)Ej7)=#?d^ufNWoMwDJf>QSMFi$*x)-1O+RLOj}t4q z2WVtpKB0go#oqtD68!%aoedGclHcQiAl*T|WV%a8BBUc{)!Eu1lfE|I~eZ`2!x_luh?{XJJr5vaiTsx%~b6w;lg)J^oKW{vC$@-26}Z zjUW_DF+J-@@e{c+*<7(g*#*bH$IUhJ7YP6XocRf|w&rSY8zR@wnz`}p6!H5@igghW zasqMeTi|oXr1I38zK!TO0@TGDnV zoFq-yU%!Tn3JLN}j1P0X{81*U*tq>GB((3^j5c`GM5_@?OIC5b!0tzj!GT@do`?~ScN$3NE5n-Of`vX&TCc4%FZ-M zO2$j16UKI;wL=z^>Atx2eki3<-Cbw%B3?&LW@-DPHU@9AjY2OEflxe?n(u`K5!sMz zo+4!t&$pf@yIv+J=k>te9#oZd3Z01=SVa%7OV=a!a5#x0L?tlzLyV+91cZ1{)qkw3 z#pBIUl6^2lc4E~qCHCoYB!#uaNH@l0#GV#{JSy%KHPSRM3( z>I7xX^4D>UURpdp43PYpNetz(}%M<%ZL|mj$G0U=&y{P)FI~Xfzo%zs^ zN46FIIaWkyZkh$dOaWX!nm@eK9{9b2!LV%*pjm3vV)eggWU_gPKWaZVw1gGzA=Tj@ zGrAlt=zTXS-m8sf`^tGLxdx|pcmJKT3yQYP174z3XQ$Ze>zNS7lWkvj^C>|-jL3lQ zk+O%@hd~NuhX~t_=;1+$7kytk%X?i3P{{2RQ167Pzq;9}C!_Z(2sKB?2fKZb~HO@t6NNHH&``WT;{O#@Z^<-(X{g%f7vX#Hp0<@r8#|ISv~ zDvJ)0f#s2(XDAN1I@>U%11MO#eG){%(0Jf zxlxq;aBaS0M+dS)nP{}oa6WLfBMLHy7g>$ zcYj2gq-W)!go4-FtGGT!-l#*D#wSW-FzE8fnf1r#AbwrseEk(q^L8)x6 zqIJ#J7M;Z}Ee~-2cm8+HJJj(PtKbXrBPX-2U|qB1kfb>3F>gL_uTBVSBzS~~F!cD- z78MzJW;8=tef=*swnw_U*hoKcgPWgGM8rrU`n{pW$-57E-3Nh?6se^YRRleRxQ1uQ zADr$ED`c0i_3G4Ar|>`;9jQU~(G1y~k4#I}cs#^^iZrU-?xqViY5qYp>eaHbk(sP6 zZ01Uk4U^#ac`MewuU}itN@9=Qg%~4_K7!=nAe8}Z>uBXj&6+exDZP!YQeGZee26w> zru>VDR5b_$ytIEO|Nia1%|{bxFwlJlr6kjeXVVsK;)djG8Q{rN%h5qVZIJV4V|Ph^ z+<_#=AEMxjWs;Fa#S@4lENo|e75`t}IKFuN;~YkJX>zewdHMv*FpcU-9Y~@Qo53P;L%->MYm|q9)LLK+7wrJdh4HxCFH!2P2`pvhn60KLUSFA{ij|$!coOpMnfkjE zmu7X3lJ*M;DmOTPmdSN|9cI!bzUT=z9b zC+aSXmOqu)M16N9z9Kbg3bQ&rC17nh`f;!&_PKpWTM5yD=&QDDM&ZV&M?+J5?Z?$D zPfw2zajA=P%(yp0)h&={XS1nOJg4&&9~lL@i!vtmD=4?dX5-C#F2AXng^UGS^nG-qhY7*SW)yfK! zF{GSbGZVefD7!t@o9zwLXo7EA(ocywPr^%oRi61P%qrD5-H&_WC!IjTxaPOKUU)u! z%*g(V%kIE=n=gHj*ZJ^OQZ#5v>l1g*@8$Tk^fV}s!)l$cnqkZ9)aJ0ODKpT1okh7P zxQC7!h+e3PwK)O4guHgISa`M;0zA@UAINCEq{G5{y5W{I;ZysQmXD|Z^uAx$9=e=Rdx^}*Zm`ZDLSDCW;<<$u-pJPS6?J9+jV9keSG_EPNLV8ql=~KkZT9T{! z0!P|E{KnDS(2#N9D2w}dxNc7X8#i1eNqNij?_FuwMus%GD zXM1?wTZCdEGcms|HDB#I7m+XO$g{WBgyz0aTdmRmxsRrign31iJ%QQoxUixpMsfzk z;=6j@uIPkoPckE)h2_zjo}Wp)aJ#)Tc3|TLbsSA+8`st)G`JpZ6x4XUyvX8k*W21drnkFn=GyV`ezA0?Y{Z&WZm0!D}H*#vn6`0fV*mE zbJu67Bx~@!xfIP^{aIzRxdK(#X;qVe=7?9c|9Q54PO_8I_i1xu)7JH)xl+ckq#EqO z+Ot_do#R7?uutO+P=5Ez@vv|2_NIqMqPb9?ZZFK2b`*DckX)`m7|RYHLTJBUARMe! ztxD~IP0>1E+!QEM;})pQgPj$$?Q+K+%+^8C*)>sWY!CX4+ zWMRI$4e_=~EJxATo?Er6%ugS|)mRm&-^m+0zZ1<%ld3~SEZ-x-N){5Ljx?Usj`!kv zY@0iwzcO0G4&{|!pUXH(5muyh&(uY_PLTzr)L|_iXB#$8Ct>m^mu2sa4E2H6F?MjekyXqYS;0NtD)w0x) zxzQGrZr=V=$HaJpwd@#)4X$sJ=AjW_&*F*Cj*YU(7Q_Tc=|-W(ca~q-RRXjuPtLz`d6!+o45m*A{8uKG9oU35j8vC~)VV z&zgnhpqsu(`Bz>Isvw!1d{{YnNUnvx=WxTjwT%=@9mP|J9g>bBOr5$gDMo4nLg znmu#-;XTHMxpYdpS~Qmz zBjO|84goGo7ccA%e^vnb!OSh*$o%Q(e8#&(wn*Z1ezqOLt7Sp5xQdT@V2Po zY*g-DE>t7p5TIDw4gvfm)Mv0=+JU#Xnc4@&oG7Eq&ug% zp$=V6QBrVSU^!X1Ba~ojpry^Kt6ORweocdsTXwFu+WsycZf{jQHZd09AG*!-@q>u; zUIMh^-nkQlW`$9E+7m@HgdO0rIBsckn!7nyBUR=SmSjkbIhqwlKp))$pQ(=UM@_8% z@+E;wZ}b^zyrz-ys{ABiEV*#{`DzIvpSBmE2YPx8A{YvAn!J64{;S>TW~_Bz>9`ls zJ=wv;w9!2sH`V(;$EJmjdDv2yKUvA7e`rVDTwdKf>`5kwzNt`c=vtYSh$@<%=c zE&EbtWZ2_#NY9?=kCtC7hQDgMxpv#m3W+M5%77u8w_WaXqa{4$PlK12w4f%{@Aq_v zD7F>Ntga55I1m$ZI|wU_PPep`zPw>y`*E|JZ3nMKR8#KKp)@;P^`7zRRVeJ} zIrHwi_JC#sukNsaY=j7Aczi@lvHNU3=jvDa5wrxJCNt=eKm+%Lt;5CDU{|Jx8Ce<- zvQ8_Nghun;wt$HYc=?Jd3;C_tnu`%jHOr&mSHhujg z;3)BdjO}LHm#O_Sq)E9DC694W6HrZP zLgTMSJ=vmuv&vm=d^{o<2K7w`VitG!fsN)AD|D{0ZLcL;R5CW-T=i%=&P+nt?4hx& z!J-USkc31XTKso+F6T^@ytmgUwPLBjB|dtG+y3;ekgeuCFtna+#D>qqO^rXWz&j4^ zetr)&G2j|Ykp`@Mog3$<2<kxh9)VO@;cHy2lGznR;o^MmR`kyV-|7u{~SU z*LM{LWaYR24_jXy6=m1Hi~5SMiXb3eN;d-13@D6rcaL-q-KioiT>{e5-3?0jNcYg4 z(hM&trwfM(TndjNhe(t!g>%KO}-2ETsCIwG-HckC_ig%m5k*CvN)*M9H zR2W}?|Kn@y`~2vNg$VI`YJ%i?OzbR3MjG+eXU5Qe=esGm=ECg*VKb@pJmry8%m~#B z`raXyeS%;Inqm%*P4nwe^TRn9yO|=0nuHe zRl{g<8~o%gVVJ3v&3J{neUHYk`yw2I?8>D|8Yk;`iQi(r$CUO#csaExTs&`|YwD0_ zc(T4Z!%+*pRaQmB#4Ys8wARjD6pU4Jlf}GAc@iBM-kgj(A zZi)j7v!gE83#7V(FJFMfMqt+I! zt?C7e+#GxER!{thFS2G$D=5D&n19HSggPab{?%2rm?T7h@=eJNH(rT#r4Vjd>Uq4! zEQSZVce#OHQqGJ=xMy3_R&z)i5I1if+C}~S$Is6#riAUMe&K_g&}+4A3Xi{v6458T zt!Nz`?=MTYxELT0z>so46cDuEQ+}xak%`SB5i0e|niwWKHH3CB15hP9C z)38v*JsthAg@E82pB6{QlQqW%EtOVd^q*mPN;v6wSnwXa#M6)O4EXTIN?^0HvMU$H z$zeL3W*8V_UaZ&)0Og087}T+Wx;zawz8@PO!K16BWwVD=!VjNqT6W`2(Z7xMyfvAt zK)YWPzO(jAm4&A2Jfafzc*Xl_X0X#@{PiW({1IZW^p5=`imH~=W|lZ`TSBr!iJNd4xggz%#F2GbTlTI z@_hM4>#uN(Y5X%=n)t^pJ+6Hjai8r@v2oFhoLa7RMn4#m`x?wB#0QhqEh@xRt)mk5 zB_+8XC}zsWJfo#HHtx_4LpNW)mb;BoRnv2{MN6FNyQ{mz`IV3!>O31AxYJgZz)7pH z@A~7US-Rkxp~h@3M=F4><5AN_gkidPA40svpqjP|c1k@xy-IDM4c>L5#2ZPCDsOD% z0SQ-~;Cjd_GRp{WLyiLCG5(TzXR4${ajY~slInb~VPloAQ1kjOJFj3{yLOWB?8bUu zuc}&pOoA@QlpNb@@brrBP;_T3XP>3Z@%(tG5YMkGk~qEG_6kr6htPiM-0gd5%H)07yr8@PTF9NcBZrc>byZL_V) z{Yss+Ro_W=K?!ONg2>9oyXd|(@G28w+r-G^U}0v<(I&{4sw54*g}I%L&NwE?F}`SZ z9CxJ@9s#+*rR`P@I`m){6oVFv72H*MUp2~J+oAZ+4!Y=R7rjo^sG0nXlaG)vmB=(< zRpxkZdY{c5lQN}33B?q18;hUoj)kId15t?~f6};wkjV6=QBWz^Qt04Cqk0|~cQD%# z^X|>t*;;v<%!M8H=={>>+Y`<}CIow1d+yC$3dQynw?-6h1w9<_(>gNxccLKs(Z%lM zT{xZUb}HgW^aGHpR(HW^G$$SlWE}WOdUw3n^DRDM+HE%;Tb&IF@}%StCu#P?i-Ymp zl_%jsSW0b6_WW&w$tq16;UJFSEA!MDlK!`rLp!t|fjsV9S*J`SYisasx@vQ0ocY$# zW0lehn-f=Eouu`T)=!2f_KfO<`qH?MRE&_mvF^$a-tAQ-j}e~J^`~_wCapI04;SwP zcs8M*K!(8Q6mhB?iN;Md=O6a^PQ!=pa-975_b;CWq z8u64h6b^Qip8VsjsF|0iT%o?NZsGnSvPWH%8((=}C(WFFF*rEF&CT^?7V1u9XA2WI z01`%@r2&ytn-><~S&dJBxs|?XsaPc1{+*5`UWNb{4vvm8`sg2Qrah%=VuM5iZPA-o#cl-{s+$>~NuUbL*!+^{A?(BBLjaZmc^Y&#XJEKT?9w2U_ zH=Y6XRe(0pW4}vpu{6f=(k&d9T9K|7~B*<1`yz#awM7xw% zCGooEZ@BbK{^}Xli%^uCDK~D5sGa=EM{dUDdPhPg!;H>z2I&NF{kQ-S$Oy(9P5myjZ;HiQk`HaKbLg8n7i67aU#Wy zL$8&ci6>h#Z}Na0TRq-D$zL$BbkXC6c10R`+Dz4ruUz#LMO60p6KZ;q0?8hYiMX4w zUJGg~HAJL=Yj{OfZSm!w-R7Hr-<|FLGf|d(<$U6+4`xJJb5sgSo!&g4RA)`F!pobQ z&6Fb-_&8uTW$#w;np+utA0R(8v3)z$dj;AhMkjT(Ll0PTm$r8U8^3fn=uEef$-g#qJHx$LRrw! znS<)2+Tm>%LBepF5!}?)&`7Ui;k}P+cB_4Rwh<3(QT>Wz;#ha`hBV%{q503Sj8kw? z8P+F}Aa>^6)wE_+=j^NpOq{!`?e;dU6kH9JYSh;+N5VB3;|f(mZr)Qir zZE>Shs#>5brIw~XXOp)ONri!RM;C2*QUN7>){2W^5&ky6zC9+Dg0EdhrPnUDqa9DL z`Pd`BhNL%K;!yYZaa{TiMs)@em69V1i%KBA-78Z~6ZZUjwL|xH`QU3S7J1uOdZ2a) zNXdracD1s`0*GxPNYN5Cr%2BEHb+H1t?Cq&8ubYxsIk}j&uL!}kve)ZuauB{znI76 zA?`%swuTP9P7{1_KkD~GQF$fwET|4HDs?`nsk7y8GOM6<5sN{=zPeTNRbo0437$Xy z4G>#CSjj(VJ9pe_a;HAFcgac&XJwXSQPQV4Q?A#tUz(6f% zd$Fv#Q&0oCo|F_AvFDYN?RZHSH~mOk52kNQC(O{+YQ9$c!$}6_&Q@Tfk(+DzpE7lE z{U1!3iB#Vg{r>#S^=qF*-+j7>=eR#PFq!eS-`7hPF=)G3**9h_Nd*%b=gPkeb(sSg znVyo;+KP#rC!(?bdecmi!sqmq&Se*+xr0B%n&uF~#FaES))jqc8G+hK93dO~a&a9) zO%2h97pS>zqf$YN5fGYAo3BakGim)(?Qu(tiyPZTOFc6X_yrTw69g#$NtE!X^a0MM z*qUddar58UK4+)ONO>t0KT*&mY+cgg5J?Ut(Yt#*R)a~Zo0uAIY^oZA>Y z=FC2|BGZzoZ0=imaV8DA%$+BMK$F??;hvGzr4y&|9>37CH8-Vgks7G=EcTnrHMO%> z!yJsBrj3wy0Xn6H{YT+F_qXt?m!yai(}wfCSJqJygaYd;)1!QYKimarDq`cSa^8|j zZWS@av(TwrNe+pz#uo(-nPxZjPto&0PBvO3Awsn}=xgC2zVDJ9*w+zhNrIk7$#5?Y z{Wg5HHig4dc$t|Z#;O`l$Zvhz>xGm4^~&Mb#N36o*HrM=5HKkEUGEjzR!Nb1XEJjl0V0VRp3Z4z zv6#PAFU~ORW;-UQsJVGIv)WV*Zw1)sr&V84p8Tnk`cBaE9w1u-8oRjExz12L)F`Ks zub&`7qXXMpq}97khg(S>XVIhw%XuL*-{j09BTA4piC<84xq!g5eEjg?`z|4zH1`2l z@`*#;#e;owc9ijHwMXhKZ&`vfg zCe}&>qK5A8mMzpy&38^CCwCCfgbqZp+nhY>{7cm9Ug1CVzM~5BU9%TpC6s;n{Q1a= zDDU?MZ{vxTq|yji8|;)0GtG&fO#*d_g8pn#Oiy^qLqJ}2clS33HVp()Tm!V)^Li~z zdfVHokL0VkZoYEogH(vn{W@55#V!El2)}p2> z%Wr(_c0QSqd~XMU!g__luIk6=m$-60Y9S*jmPLt>B_|Hu0g0=h_ucMoPK8 zv-ZKxSbZo6-~&b``F`ie^479WE=to~Bg2!kD}WFMFnueMa>9lTY!gE>F0bvvc7O{Q zXAk*Njbl;ZX(15Z{oV(oZ6;g-={@@OMyX0Kw?;DQaKXUX3z_$FVx!r4(F0R(zsSz* z{oI6a7jwx}L^nw4{9hqXnstYwwT^!V??FV~$`)}a+RCM)uh*3Q0eYExM`6JD!enEO z$7-?dz0z$u{nsU@hO!=|@w2{GWAhT$AwBYaP56A*szXzaowB@yom^~dC}vClsdJ!G z@9UeNY^sIm7*cMZd${2gqdjFB&)kS4n-Zsby}tAAs0P576R5%Wwda< z6zJm9ER3ufT=Y$!djl^n%PX>Vn%ZUa{l>||t8+Fm2q+qhF)y_s4f%iW-_6K^CL7Co zk$NkB!;-2{$2a?TUNp$@&!f}pHcR~(@&*lNe<&}2XJJ&Kr5^9C9&gCgv$C}^kTw0T`o-q`RTevz-T+VR!jD)Dz*D;+}_huuavw+vT3 z>4dIq4d`(NEVe@lj^#qO&Y+mnUMmvet>R6>oJ^wIq@a@eTC8@~ugjfB(jf@9f4 zDb`8tmSjuAKba~bAQZ^t6i%BYcNw`@FM2PW-$u5lo$XCqO|FQREqFvFN0X$-71F)1 zfz{N5)*poE9=B3T0XPzHo$)fJa680V+wI`GV}H)5)iKJlJ-9ROG@cBNU3|D$tDTWn zI-FVJH>h2?b3An2gq=o9O~n!UQ1q*2-K&c-b>kkGtQq^AF(6i~9|wRLsXGu(`i)!f zYIuPZVAHh7EBsr#QH5X~yw>L6LVdpjnQh*nr_iGzpD$({o_xR#Ony+N8*8D~vvWE{ zJt6Lzpu3edlTW(1PJYZy*dRE=k;dt8yq9BFWq5YYYi4g3Qty2maSM3Os=Asq5nC;U zLdnF#8tb#sq_!IY_ZzGSJ`1+{I)f>^8ZB4n>S5h-u-AtdJVq6r?SpHFH3Q>yP`@&5 zUR2Ok>Z1q-YS8q66pJ@f*`OLGJ0PK$UZ%zj>hP&M!MfxK0fLs>XqCB}p3mS?%4VyZ zt=cc*n38&WYcGr;GoQ~y1fbx2;5_43`VP#SnNA*p^od}o{6Cw}Iy ziCw&{Y%hHba@c(S!nN6?H&f53Qd+$4a85TIiizJn+aVY6$b7HlGt{0Nz5}20q6HMe z88?)ac#C58cynv}gpeI33B7Hqn;M&tmPe@h-K+{}MxuO?aRRd1tY(0)7gZqswQN5= zb@+uOObCa(tb|VQX!Wvi=erf29~ppwUWCx;o|7B2t$s{U;s-oIXh+-)k-wK)gshxF z6Z{ZVA0EO7)fM8m%@7i-Zm@NR3@R%v>%hoRmHx@kOdl8pr^#68)v6gQDA3ZiSREXy z=UQB~&k#|Rr4e>=Cj&qugkNUB_Vg)D#kXK$div&!mj>w~r=L8FHPLiD#jq*vM7v^S zW6$XP8wmGYA9CYp5)f>JhYqv#f-`=iX1(V=J!b5vY=EM2<7b2Y_lUPltJQUG*q;ID zlu588f)eC6(60?(u*l$UtOEd$PaRJC?d_R@;M*|PZMC86(IqsY{C6rK|5L2lU8U8) zfq<&y#oqKze|QrRLDajT9YEiajd|{!qP?HUacOwY!Lo^N)$oZuq3pU#xE@?}5UR7R zg&#(f+726V_(c>NESByQV|7RP^!VzxsME(j4*2XKem(r{bYa)pH_GZN+`C!05apP3 zeLI~O%{g~LHRpD-_htE($7!ayG`YXL&^S6Z1)!z|T6!_j@hNfOR9<=oS%i$7H0UBQ zPxmqTiJ2#Y4vAhLEU*7~k{!BJE^xaqtSu+uEdA?hkSIL6n}13NpUjNqH_7f!hjAr6 zq!s1)c8#Mgm+JZ?j1CN^95tXJOwsk3Ga6 z&&yZ#7N)p)_Blqz)Z<}5vg?LgW|=R>LeVH7BSrMI|=16MHDMw6>cZ zd((fa?$ponSM=$jfa<(Uczc)=cc*E@Y?-gLY~1mUqjb({2z^UeCreu~N;gvp57)mB z2$G8T*H?7M)>B0 zuE4;yA;qC98yP3DngP3z^Nx&(TozQt)*6n?we&H6WbI*`D=-D=8;Qy6vE3 zP!5ZQB2v77nsCw+xm^e^ynvg#ln0Wu*;!cU(zjv}%RWo~2 zhfy*zpj75RfE9Ibk}q7!^-@7bp?o4|4MRq_BPCuqEfDus_`- zx@7$3%f0G~HfSk~ussrVUaEx`^&^N%^a=+1V+`tl9!~7~yJ;2_YnapJnF@Q7ZhtT) zz{OXDn&oy=-BcTbGN$Ix_%*Se_Q_46;7*(HPc#u#p+QNU5~KUThs8$)35(YQ>uek+ zZiQGpo9gNuU^YU8IYjK0M(@)f>m`HxMlw%U2SN>mdlJHE!cL53o+7zpViE|Jc9lDZ z-l?$r+`KUxIya`db~`Ft51i}a_$;QqKAql#lg{^hiej|MM@*(0NkgRf9j;FSuR9O| ztn^%qxGDwPa?M<1?VbRqua@Fd?rgxb20_9|epiKOwjKoR;_&YAqsBVl+3*&Pl55M! z&0lW6uGa%II5u{6GZRIXk8ngB4#ZK;4P(uVyn=fQUAcF5fG~mb<$FW7IiIq*Y%Q`hV?ngAo)mR?1v$}Qz zheQl&V%EJoA=~UohufD9S$$)BQ{najq&Aw|LHLNzH^Ir@O-?BysdFp!7_EBGm-6w_ zyNvK?LcB!NFfWZjPwCyclfF;RaJZsllXEXUVnp`dU!(`{XbM zA{%w}lV;Sovx{3L5AW#IB;f(X@l{&}V_P{RJ$r-S#bk|eYDn*FyUE>gN#^nhAvg|v zMfLlBiLl;Y2;=LF$yEkKwo$BAqmV`#4cSBV;|Js@)aPiL5Gmh7WF7)|GHh){r~_#r zlO+kS24S}yCrt3C7uj#%4ir)HtZkXI1xZ;3*QHi5Gr6HMVv*aZ6i_u+B#Dpuo?Dcy zerunCab#&v%C|9I(D8=5X!^%;7bNpoRqhKA({%$_2Y{U?$4~XX?*U?l{Ke12r}xR# zcWl;KKU9!lk?tso7phrR2$*xDd4Bc#-wdib^aWkjeCwF}nv0wA%@sAeQ2)bOmBt@+ z$CJ$K%}H%*=&=0>Uo(3p#zRjbTM+$*R>TiNOUE{cm^-*pc? zuCT6S=bFQr%n(oSNAWT)H#hq|%bYo;E6E4g@??{>H7HHpU!SvLT!bQ;gyvi=$B50f zc-GXtEjfwDe|$O|&}LQ*?w##t-cG4QZMDx@D(p)qX+3oK z%7)5)LhJv+IE`r@eBoWf|Jhs)oBVZr?)+W=!<)WdKDpVmgAng{!HrI zJ86G#5n~m|o$q;2r*zqps09Vbj8&qioy#pdX7y*^M99mDy6=$U^1!!P5~P6h2ADTE z-5vehVVK_JDa!k5XrLoHI8?U3of>qKTo0_g#_el3I1+CgZK;B~NXM&c^h&4QZu-+x z!0If7{rX@dYR`VEZL`QebmmgSuIE?p+Ed}7`p7!)DKk6nZL4itQpmfYglG1iBV^qu z&yFW5NjGZ&DZ|*4yo9-KV;vzSaX*g$?{`(E8N4zROZmFYw{p53=pW*5!7h+3mo8Dd(wQ0 z=0Sd~QQGuyX#IF*+Z2}q>olxdb9`?l5#e9*FsOq*O9&@DiFl_D>y#l&ux1`FX3P%h zH(Q-)r)HyK=6bh66_i4}jUQc1q?8%Zf~`HEqWjKv|;Tzs6gS-o5Tkjbh7=$2)0nCYl! z{T(!(JNtM$*y+Qj)q- z(4BiPiwDCeaOMO&0yH+dp+D3Lvy5WdhQd!>YC?JubLucnuZ~5AyzqnD{-5MZmJg`Z z3C6~$_wr_r)J9R3#qnSUlZDc|KQur`%WS zZyxgNHSegX%W^_`UDKyD1$BYHEAVquA}L9m*Dj5VC5#yBS8w!p%&pyL80oN&tKMcR z<}90}p51|ZcVq2(XYFQYwJ36fE<$oM;pIWndyYAd3YYsT4ST7TpbiG4QsMvsFebgA zlAQeGz>w7_axgGORc{aZVVIiSXE|f-MsA0!cMT$ZCah<3=3E10&d4g`*NGhh4$HMt zdLB|;3o{zvUQdu?EkZo;eQR?#-)r7*SJv#HOxnGSthseszIbAk~s0gQ^(f$h=aycVr)ReerIlKP zKQRt@4Jv6`8uJ+oba|GEcm`RWaqMez~p!;b^`A>FJh;`<6>K&&DN0X8+*hg z4XW0hGYR^}>TM6(^)Rb$l_Y(l(46kG!!ZTf-ZK6Ny-{f;iFVU%MysEwdd|ltenC~$ zhCWXG$Ttc6KtZv5ctWq{SXrs<(^Lb5uInmbBCKfIJYJ;YPHAkb0%Lk9Rh6Z17a&jE}x%75cyY~^n0>=A{0zL;1UWw^u4ky>YJ`;0! z8X?i0AV%1v#jZ<+Pp`?;zvw`SaFNYbJJZmox&T`wpeqMR`$AWJbacNBCJC2U%MBWF zvWU>S*%6Jm=qq)-7?j5{SJ>mglLbnP!*yCFXy>}4#Ir3%O-9;v6?o>`D({UicgdSa z+s3G+c~2U`*gpn_xDs6tE)WHSMlB8>rv4|ci%iD0C-ZRl{!wA1P2ofD4iC*}d(CjY zz{U7&PO$Wn`c+se6K-ms-1w?J+ojGWd*Vym zdmj^DJjs#CY5xM8+0;LFDCDQmGEd%+sekADjU3a~ZBt`+8l40te0S7#m^7Nq8U<=L z^s#ZFQ~1A@uNpatvF=5x(?|Oy@BJf8_<%1H&G1<|_McdKACQCQeUiIOB6b&09rMYI z@kSwP*QQfdD_nolxcOqa9X<506Fac;x5@SD=p&eZ`hi1{e+zkEuIBh{Xlz~0Wwyza zh1J}14o_&)9+3R(xD_d3FU&Vy8WJ^uV)Se z_m7gEdJtOY=i%d~@2neLzr*`p<+_+Y7L*Tzc@aC@8m`qNOP)E`#K}yoKU$uPfL-}2 zF+fM|iI^`tFwtW+zFMxJV*XjNy|s@0$v0xs3>x<>t!4Rl&a!@r;M_NSWj&e6M*mH7 zzbSpqr);hFT5m8Uy<~fCnMTS)xPwCzp^$uQ3tu5VNNu%JOL=k{(>@!8gL~^kJ>Ib3 zSJA$muH^UGQ#wHUDmr`3h3uJ7pw|@kO`HDRBj56xUcmTpM%N=Chg!O!p~82{?4F42 zIng1ch45G|M}?9QkHQ15+^d^@z` z@z_J}Db4LmKSh^H&)N16pSgs%5FQ)>&4VD>^-vV3O+ViRZ!KL3Db#N8QAuv^T0FC$ zBF0VhT+xwIcvlgb;&aIRY>{6M3&Z<)l1BhDL5=Ma#WAY}{t_cI0r0M(>}NsY5Lw;XNpfLL?WoKZ+knVo@8N2*IT#i{D1 z?36K{oW<%L`4*exIs<50drPVjbr9OzlTGBYBVgNtk$f5qrG;;OzPhw^Q) zpi_B=%K}y5ian1IM%(M|B)iypTjY9f$gMOmvHI?gr};ZvJgp1zZ)ECp-9Fgnc0nRI zK50@=ZIAbxc0u7_Az*Xe*NDYFHb&Q4PHPp0@io@u^BKDnIW(Le zb$Rh?VWe+y(hE-_#zy8Q*oE2E+5JYO?7X?Pt-+BNom!k?w)j4$r?P`z(LDIx^5(kt(o;0GDwlr; zY@9XwQZB>}tlJ291_Zy5F?E+aUhTbnNAcOY`X6f?y(8Be-PfgcvEf&<4~Xo`F+`pf zsGSRQmgH82r{|6N2lJn`TfagahspR+j#Ysb(PK9^xgZ2ShhSG`ss&0gm~Ida5hEuM zV-6=H1JLm%7jbTy7WQ8*t-F(-gH^bkN(R3&Z&=uwS{daRsTFD*3YnW))qk)#oTZGg zK2Il-?VoUa8N`l+g9T2MU9V%rI3jt-ADkaq(iGL@ad;`kXH7(&VrSE@6-bz#&9(%z zQP^QuFr6zd;!Z=(hkCWOAG5nQUvrjkX_n+e<5FR3Ch!9@yQJi#JX>95HJxs=isrvH z(U(uYXA(Bm=tZGCFkg4 zM`TXsBo0Ysm){lnD);lx{Y$lb5&WWxk|L42Ch+q&yxJ|V>A36OvGIZ5Yxz+#M5=wg zyr@xXcii5!nyZGB@3?F^E-qonglq8YDRJj(zQ3kA>`eGiFTcw)K?2`1T-6I)HVSQ7 zJw{bq632fl^^IXl><@Ic-PtxtRaIhLb0V8M|4n$L%Xdm3-S2c9X5Wk<@~M1_md}d? zJ7s@!`T6nQ`;Rm{LT$Bq*`*0DeOz!nbYs#{|6$qI{YGrIu7TWQun%+;KGl8% zrU7hAP7^G`igIY*D{N1JIWYypkdREu2-2TDuD8lRlA?W~dWE5C1==3KQedMSHEAY+ zL$lhVXG621`s}RwFJw$qkXc%rnT8!SL=PMe;Q4v#)Cm@k(G%12qgtZeb-(AO&}U5# zixMa9<7y`n=bEigIM&cm4R{0-X zg2Yg}01=$y3zOHq?ONzEi212Y_5J4WU>{ObYYK(g4&5Jbk=TZD z$w~UWX=vh|R4-g!8}zBv)i6ZLhe$<>nd|q2Mp=hvLoWCXWYrQf)Y9vFzw;;z;)2H~ zKG*9JlBDaf$Aj02NH?s-+-|}B#kP&HNWHNV4-r$?pFr2o8uWpPST67RJswr=8y}QJ z9pTxj%a`{#)I-Subf$rgIx0z7Mm0)feP&{9wfu4z=`mU=cfy>h17-!*nADy}tfk^n z=_xJipe!S@;kPI*6UwqaDP$iVoEMu+(IL`JA(LdtwJv-}E$DHZnbH#fsZ_&IdPa0Y ztf04F4j2bXfuVGPPK zKjK-B;rxSzRkkvo^&m(XxCf*lx%6<&%WRk+5gVjPcMo zm|Ek-9vg!-_t}0gr~-E;N|88jb#>l!6hyiw*UJ^_DkQiIexy~`r}E@n7^oM|npQT$ zw+l)M=`ZXyL7_z}$W)i%4$_0T&?5xt2wW{PVW*qO&M(?=+J-Q!;IVxPHG z3rvYwanW0kJrtDENu-MnVq+E?#GEN7r`u`u%ZsGS>~m#h0Ajeopr`|CR+ zvSTa<$9W___k=KPd*6r%50^@5OuJNRPt;8}CrhQ`hxq^slxA?UYg>q?=^e`7F`&JD zIz!c-qOfuzFgiMIxO!d4v(`$fF89Q3A$gzQ!)Fra1=xY0A*-qS+Qt&grf%Q4NLW&n z8C6)b-o&BG*LUVNOCTeGnrEV5 z+s4wWesd45>y*8Bvl1v`OObNfcKg2ngVIL*X?do6ty%Zy@r zfvsV-ko@p@bWy6QeQI(TF9q%scVM(4maeI5_3ve~VQNb0f}cU}CP92Cs@gV~Y4Dy% z-wjhmxc58{dR8~N|3zrrVDrc1;XGU6ehzl|0rv8`H^L>KAgZ!8A~>%qeX$gxjid;a_Z{@vbiESH+>Snjc^lQ5b0Af;%~qi+&` zJP~;~`RUh(X3B+^)L_(1-dP+X{yd8e1MP-t)bR+QQ+{koXS&k+ zVipEQ=3mo~F7QUh53Kc+27>E<#4>h|;xj-w7WpCYgTWzdjMi~OF~qB6bzA7cw|TT)a#mB0LI6_s_=%YaDjf{sh+N# zUUOXw|Kf=8axm+Eo2~p`P8k1R(~SS`hyQWXKtB{mcf}nRR&vE*{+#mt#jW)JID?QS zR8^q@xP-`Z?j6M&bNyeoAb-t0W()-cTIykaeeWzWy!VNOpZ>qLAj>tD;=o3gsl7uP zSd{Q#2Kigv!vNMGKOYqk{&l0e+$+RjVY$nA2c>Os4PSEvwkn!lRqd-SreUi8+eRcq z=Pj^kXqCE2gJ>%#6vp7qEHp7b!$9c>jX5^t6JlWSJize&X?5@KuOnySN{wgnXz>i0 zD$|5YW&_t1UOjek+5dB4dTidl(^NcXtkN?j^QYF@On zoUz5S!~vKgQ;jJOybDNU4FHJr8F6XJVWtE;N6u-Oe_rlrct$2url*_`Ujerv?(SwJ zz(8d&xEphY^qJW69}1`u1ACWotb7s-B{pvdDycI{#VEUX1uFY8q5M&JCzNyNaYeDW{mr6rakJ$$sqW@m0 z*vHj<+7@2(etXF>55xhM+o=lry7|Z3lgZ_AE$dI`d!%Q+o{m*0D04W?o~Q>8GrjhI zP`$=m?3}{x1%97D=iy$4Dg}e%(;t+|T>s+N)xJF=TlH&+Rq>p@sX}SNX%gKO{0aBnoZ(ZQdAU#3c`1Wb-m`Z8*S`)}#6?`h)3e7j$3xfbJ|vtU{^IEtxMq~@GH*eo z*~~f#iU_o5_T*w^iRYD}8_f>esRDiSeb^KGV@4}SD;*y^u-e|f!{-z5xiV1ENhpnY zZjR&g&EYKz6$K3!{h$7lAb-yqZf@Rrr_=UN_=(*(yYHY4SMS+U{;3z3!NcVY4(^OO zPQ6CFf$zb3rdDV7d%UpIFYIeJ9R%Vx0I{RA@!tjh@=jv$L3$rv`82eeo_7$C6_;+T z*;?$+SO!Dbn3mdBWAjuBLW8AkX3Jeub!_iy<{Rs9`uo{>2m8?FLL7-K!+H&QSA1>d zYm@$Y{B|NHk6D=QT3;>wX{^O5-9E4|Dn9&RoR$uggFXqU%qXAk?q>y>fFE)u#+DM$ z7)Q&Ljc3Vkis2?1n+G-wnv9`g1I+TOnM#@eV+sVUA(8&+pDf`Is*PlF`6Jzh`*i$zv~eJlQ??;I*rzt(nbRQ1Ja3_TNnJ$%zZ0g__t}5fd*hQ2%br zueU+>6(Lst5}ERRL6rL`vY`zAiQ->m!V{hIrT&BT-Mb104CY}j*orn;$;rfpdj0DU{dIvie z*9$*~F+Bx;J+m&F`Wm4~_^*3lU}O9v)wpl6|Fv`b`1|u}>b8@+2rAbrCR^c0&tk7U zTWsHC4`i83dwXScKLjDDD}Y{8u4_nQ!|h5WxFxxrUi_&S*^yKC%w8!^6{X9(E-Qa7CmxxtzILltuhfl{i-`u((3q?yT!xq%pDM%2SRQkN=E-sx6jDtYX+z zKv8ojpBTsOZ|_o@Y9D(Orq(-LNXxUceZKL~8*V7V3C_>RUz@x=s+E6mDO_r%HUOJC z;O6?B%G>C+yVTf&SZqCe`JK6%bEbUPM9fj5t#k-T5*>BUsZy|Ybd!BW3pM=(d2mu& zeXk~sshQcCo`wYjS&1jur92Ddtu?Ag;c#Z45LFx)gpX#_3jTbxbTZ3peKb%!a@$lB z8lmV*nV7H5%`JpJ_s{!u=B*`XMj)QB67yfTs<$6kTP}&eVY}x4F=CZg!HaGx9Wj}j z)uXp|603*4QepguA>yb-A)YmiZJ-=H?^kP zaTQeIV^u%1yKBK$xEl}Cib)0hRtQtl*^Tgi@z71P-adS=E5=bI@>-Z(fLo}|Z)zh~ z0%fbf%l6=wDyRpXYT!cX{dXegqqUn@nCyG=()pqe7L-*+e$UbT5 z`6MBIG^cd(w&>)cU|L-A8DQPO{(w4fE_36H-zI#z1AlU{YPj-fm~TdB)rD!Ph+H)t z?59k*xzCv08&?^vj7V)6DF>KR3juC}zzqA1rAhWj9WXaLH7EaaDKEFp;+O_cy7o}i z6dXWNT_M{4>_1`Tb+EIqM8Rh0Yv`b2rLj2~4t#teDZvS)$ZY8`B^Vz=o79P&{e$$dDe-fvw&Npd zXTXQQY0(T0Mr;O(ge_cNNQ*@F7*;(Am3iYIxk2y(sLsHnFf}>KYJ$pmx>`vL14`D4 z*Sx~upKn;F)z8jc90XgbxmoO1OINXL6Trl)RsU-)!Axm!QQ%gnR=CC`5II0cT>)+U zbGXV?V6^s=-G(p__rEV4*gE2|j08|xRYtyU2=HuHoxh102%XarBv%NZD0UL0LCW{o z2aC%S>HCjuKekJ9^mgoSr0D5+wryl>3R)GV7M*KFJ$XbwO%|IMf*){J`wI!bGQ1*b z`1VC|ke#FRm&ny#)x?7>i>Kg-56zB=wBSMc@M+e`_U(@G=%)c6BkiE%Qty&TJ@&(f7%V%>}ow-3D2z_I{Z8oIa9q4)6RIAmn9u=Evn%!uy z^GY;$>sq;GoTYcoabjRwS$pw_TOd2sfEkdgWUk}{PdwQCcg##Saia?=?gb5rxUCx) zDqDVlqR@Rh%N>L32QA~Ed-DfUCNeWOAABkjGY&#d(RoIjB# zHWEf%6Du-dm9*4eUWi9mNdc9|b#n8Q{h;956Y;F@n<7Mc&en;iN#}6k5D8Jo^qUw- zH^|Ws3~>m0EJt|We*02QV{UsnZhv03Zf2BkZfsg;aIkE{^5VFbihrs^KLbj=(0uVG za$w}kt8voFf~2@)^`_hb7JnhB9LM-j8JVs?&&rc2@ye4Y^5JJZhm-bIhjTes5&oMs zHUEh4eBVXYbHMzT+Rvf@p-G=-TDIWO?6Eq#I2)B!W?VrWukgc>kG5Hk77QtB!bLI+ zxJ;d4EKaKj6raIZo73S4w@4%qR+Tpt7;cSiji1_3&$b@Er!7+5{rM9m62B2(-Rk%x zWbcpI%t^`3hR`>O8YN1MQvxjeA2HD~611;!KYr6;{HxjkJF!jhziccW(^IBiE4%F| z6^&*Ny2gmi2GjyQ{iI^3<4F!4j(&FD`vyM8QKaFNc5!<5*+TX8_-9d9#&~9ke#twC zPJ^HhzA|{H>h^_%TsP7|Fw*Q<+J7{R8(q~BUy*6BRi#y+mJkz7LzsxOH&WP|o>!aj zVaE-^w=V#J{}QBjbgQM9%-b)*>6Y90Xv=1>81!+LGP1)sp=3rJn#S%LzT-(i7_X-H zD&L^w`+WOZlY-n;XKDnj09xmTuTgvcl5E+Pr7yon%w?9K)$*> zTR*#P*}3*2NKDwacuazYiF@VVfO2nWg&Q1^n%<2avpi5Y?Yl9Xd%l2iNy_2K$&}MM zNhgLQ0v6~pnNy9*&?p3(FGAx+lVaFCDqUNAYD?Q8%~Lw6z@-+tmTP=e%x~wW5@(hg zN|t6Ze+93M?O!u;Xh`_0_T?R5xx8V+q`1eEmcdz?dwN`YJml!LROJ_ zC1LPVp$b@>wHtBraQ|qARQzbxV;-BD@EtgN8YT<23o)~pe6CXHz({H?{QVE?Ce z_^yb4aFW-nn4{9LwS_-YwIa+$*rVU`F}Tz;??CD+e@aq5rE|x7Npy=in;!OcJZL09 zcTDpDG}C}Du&EWxRKgj}RAUa41=AvTHSq~iXv&diKw9i!M+LfWAALBK@6EIvX6zp( z&j>*9^5W~O8RQJMvUs5$;Z`g>desQJ%DUB;4@3W67|03>-;N#%;8koag16U)-7eRB zA?l`Bf_`$>xMT2=gZe4hbgU0&X;Pc12u%WBn6$+71}(6-5zR@sv?Sit=t}A`MoR%z zL^t-qSMDWr#IFzkx)*bW+^q5~e&8hj*S=YXvPl;*$TBcZlymPb%;&3rLAVk4W{kg$ z!_`)jUKFjSo+BsAm4t#7OepgA=e>;$SEGjS!I(2s|BJJ)0E#2{yCh121`;GVOMu|+ zmcRnRgZp9ug1c)3x8UyX?j9hxyDsjqxG&s5^8fC;s=K|;(amc36n)up|pX*ekE>rB2`s&@`CNX=+x8SIu&svB+cPs!Y#id3R_zJ^AZPiAV z7Nte@5`jQwi~-m6HDF>ZOM3zA@4%x5v?X2%`wXWnOiNXzNWomn(O>{4sz*Q5`Ypy* z3749wbQV~_2$WcuAn>Q@<%I?h4GY1=AZm0!NcU3)aVDXUXYYCm#(Yi!Gfdx8Xcq6@ zJeTkO{2VCz0PFg_jGH;PcYi-M@hPJ`NDhd^<$&q)sq2Qv#{MWt;Q07772+bw#}Deb z4e0=8tv7q}k4+J~h>>Wo4k4ZU{y+e{1Bd>H^i32Rx7TJSzt?1J3xo8IrKI2X4lUbM zJR^7%-LKQQF_n(;+)73AQFI~Q;@3kiNfg?@T&f>7(~gJ@3Z^iJxFzK5X*l3&O5zPU z7eVoyNOnK^O!4s4jlD^{EMAAVYL~tJYX8qdJn=xc%!xg$tWyJ&_Uu1?{14-?o7I1j zcK^RpX?xz~NWSaorBR@c{L2XbKwQnQ9xD4%Y9{dOq#NMTyZ92@15kOYqn+Zjk4|To zdwjm55}=bA?7GB#>jz$j8Q#ifcOwjP&tIb_V42OS^ZbXK3p`!Uczjs zC(*rc)a{8(=It~fkR`-H=dKv1_$uPu9p!Yr*%q7VefB-Zx|)oFyv8d}c2geAD^};; zffXPLi?j28R+aMxspDHZ&iwrDwCUMG+lGJ~{ozX^uZ}xjKycZ`d8cSall!?SFK3O; zTEWn)i#O_SLP8jzj{zrU*8;Ggr+?a7yepOOZUMvPHAV2grizN|wYf^B%jqM&5NQ;* zqq%(Vas_H0=Vc^mfYTM>FIzf)o(TuBfx#N;9<)?7oI879VXVTOBrRrYRk|^2%DG~^ z8f~N+Ef1gfGrS-vTA9h=k!$Wy)Wb{&Qw0x}p zy?YGrd#YuH(G>2;eJp^Az==Gk-;!o>0#zMFv-)yqry~=fyQ7~S%UNSYEJkzl?sLQ> zk~hlD6B5pMhkw-4au{s&_zjq8#?!>JPt?(E&bDsme|mAiei|=0U(sgW9jHoIa$Q}DzM+)9V-sk8Vfet- zeosjV{mF+oSguk~L>PCrJ0}RD5^&#+TQ8)CHw`k-UYQNA8c03%{W|3-{W0jK2b?DD zmX%a*Yj|=%1b43DbGudA;Fn*su9XuTW)dsMDeCR&BV3Yzfc| zf9EW`^xIlEb(TuFHR)RU1OSieqmQp37{mQMsXs*FrYYI=UlyM7;0F+I6!F@gjL>wj zZFNGU?oJ(!7d?q7(WO60?@YOf3ohsXaL!T4gZnT5Y8OX`_Iqjx?X>?9pXt6|H8eCgEsqMTJB! z*v+RO^WZYyJ-(9xG=n6(_qeZ(H)TBu#bG>+6dJAsqJv=9&u03cbPH zvqJphYrW?fcE&ii2UBZP7YZ!$>A+~m!p2UXYfj6`X2BTG)g+_j(4voq)*WYzj8v5} zhl>M*G;=K<9Qyr<*O+TRzb8ri{aX$c){FHG)h$_ozu>d>`hy?v!Cm~QQ%3W30J+R> zJp%?6At1H)5Ey5`jLkk_fW7`lI(Pz@zaqLeSCI%*S&rX)+c{nU)Un*EQeY z)S!{KHG%OqvE>W1X5t>}Ax6Ja5xqUYPP;vAC95F`?HoY-nwF4hER zkiU_}9S`tbh77#9?t#!?Rfz7_O@yEK!as`QQoVIflof`P*!W5VY0)fsHP?1fm(97cL-?dAx8>G$ zV~V%Cn{$P=b;ViHQW}J^vhDK^kr8X)+D&V2-a_R&$jgZS-|8@lR zwkgR>ojnfTcHlxPBPw&b*3*yZ&Yy%K`w}r20{Ah>eC)~7_7meRrkz|DySVg3PyAhz zEH^hZ2lnDOw~V7B{2^jhCY_7Gs6@wQGCV2SAJhwXhcq;~Y#8j^CFH86DoNqgYLxB{ zCTb8(b}u+@EXae$(!@Swx+tnqPyh@68xXLv?Cm7~?)ucM8tz#ckERmyc6wIrwsakK zjZU@?nOR>p%~#zRtBnU&SWlmPbDM2^F$5+bv*34xwI0(%Nt(@;4KMuIFe~ggapWw7 zT5sOA89LCLlcy1Bs+rE)=>qKz|8pWH)~i-xD-R5-tCO#qibjS8Yiy=W6~d#QZ{>ZC zoHPK{Ek|(0W;LB5{oK_K0J%*xoi=6n>Cc-||Ld!}j}tY^M!xG!tLoM}4{eYfx}+BB zycNm>I_6oV_;`7*fF>?Lv{WtKy2DQF{048jT;e$PSV^n?l#z{$hM!bQq6=E8<35^F z_xyPsHXUt*y?f3YE!2Ap5$c7<@=KvR(ht^;sK6YQs-DHZDirCiF)jgtN+EwOtsPHzL4=Qag-k4bv$eoS9xOTp6G+GM0%ts7LFwst# zEtD_6WD&uTRm|L5+Ap~}CpMtdz@IaJ7v60;nKwN2Ezxgt((5&VQUUhB1ppE|@MIEx z-${$0`v9hAb*rPkxFCX~^1pZ&r+lUyRd{z=xQ$;Ibo8uo6vJ#>sreP!r<(&8DjK?G zcq8bNU^u{ez3n+?UbW?Pmg3I2uonR{<52$~gYlemP56(~LpK^$nm5rAR9HxEZu56B zvTDv%Nl8^zQ3t2hWj04Bs3!|qsDk#=Nkzfz$%FaEUPsnO5ckkbuWtPCo~}NugIYkl z3-D1yYkko%zi}s4rH{tJio|=n)qJaDZvL&QX<&!AHg80Fuxog7R4Ifp4`3HMLiR7D zm6C0Abu`tBxHoBB$No!ELh##nSlxzq7K2u%_JAzGOutVM{>7hm%IHYH ze#s!}q7(qd@{u`joojBaeUt9B(@Gow$TUmC2cNL(AOjnwg<({?X(c?sxL%>Ah|bNc zpn-n|;E8#^Kat;0F$jRBLdzXiK&SmyXW7^HAp!-T8ZZ1UE+4S(E!0u+D+ z989lI-rO`Kox{`Gp&Za}rfqr|E;{clvJMM<0mxvm2p^@U;~QhWb`zi~w(X^tU@{LsH!h}RZdrIOx;dLFm%C85=PjNY7Sa3E zbw58|B17;|NS=A;J@JC=LvwOdOxE1HrcX>A*7!PC#N2%ta03H# zN?jG|4QpoB=l8`6FN6H0f+fUpkQ~`G_Ga1gi}T6aFTr<4+G=^Wb3s!-#{dojVKC)D zGQXgNgyq%p9{&0747u3c($*BnUY``I-{$YiYh`nO+UOpX6Wi;#j4x zpnorr#8%cx3ll&nD1dLD8(?D@e6yRFa2Ogc{-4Bq>s)sLcJ^yr zp62tZwQwAmf=1c(W+s`T#pc%6)7_!=(T@H7^e(N*JuHa~&g4x2)E8=(jBf!ytZ@(f z-^iDDE=S9hiU+hb02cSRmk@vfX3=g~3cw9a zjg~I^-bs98Pwp6L7@wJIO7u!6^0_uCYysRk`jwB_4uh*5HkQh-+}XZZU#1_#gp}R^ zz#70_4s>(|1bP9r=r-r-J!qkD<4lrUJuC5CIe?+QEku;D;ve=f#*qiy0#95j4v(#r zo3RfZHD?h4f?igp35ODW6KcF#E!S2Kkj%+W5D|{3JhEbZoA6u%@QU|geHxcJOZm( z{>n;hYr57e{kbhImLH7QRjIhju%o5((u5R!mq)R5sRe=Fx*zOQyd)S}==y-nHiML{kNPn5nRA|>PzV&ZDVWYqd0I)5tr_CLi%k!Nu zitLT!8UlJB&B0F6nkK}a2ZPMBDHof7?g6k2@;?S}bY825kzE-8VOs=EB=}3uYc$Io zD^i**Yx|zhopDH!M`_^##x5d%-kHRyy~{E%pLU_BNrjy- zHSQJmV~MXtz?@4|3wF+vcDd|ptvt`iLiz4xSIxK*V#370T$jS419RHUxao-Yd23s? z7kxpLp@+2C<)YUVS9LSe_ECH@9EZ6}k^q1B+hF^s;$0Cp0h#+iL)|HfYwrTf0+IA< zABXaCX7xt+=4j4S5HKA85Zeh;0Rs~wJeA@o6%gDE&M#JL+m|w+Is249Kzgp``kmWx z^RMQ{dUSw%&?cTWr%)9X3M6kl%gw2&*!}V45%H_yC8Q-!F!1sYh9k-}R7i%!%14AH zQDS<;nCpreImMsNe{RP1>-B)TF0^%9FGUpDP}&lVHg{+8gkqF#ab`UX))T49MeSFo zWp?%P(HKfGdij}pzi09u2d9%TJBm$0-MHEy+oN`L*4nvt|>87+Ec-WLJJ z^BI6A+L7C;b{B|6sXrShP0NU&)g;u>_T<2@Gaa{FTNhG$%#Wej2(S636{MCV4IZm9 z`mk9(1)L7VIQ_c%rczw4NdP)trsm@VRY}3TYM=CKpOxWq4ir?|Mm~aZE&$QOt)>`E z>AZHf^8A)jzM9I?|ak9JP(AF?VI0myfo>Y=N$lg1s-DHPFhZx%9Gv4HtW%} zUipy=J|d=E!_UmnC**NS*U_|~bfM}04TMd;ow`YD)!D4Bj?b{oJMy9-ZQ~yvsD_33 z1W9H&-q7Zz-UVbSGWn^xNYC}tyaKGY^(^OkwaZJ#8At<`)hQ%GJQJyCW4Ixe5}=Ip zsME87Hd4X@+Sm5Jn>>3~<0YEC&ug8n@Gh}@`RlQFk|2NQZxx33EmDaENx_yQi`eA) zn5WH?`vT3bJaW|XfR_FC)SQnmT7okW_H-tDC!(dySt9YnH|AsoN66+#!j;$b$`(nx zT!j38%D@9Fs*P646X=-#3QG(|*C4T8eno_C^y3$_)NoDO^6!V>`kb|96KYKsea$)qoD zB`14yY~w_&|JlZ&r5K$X%c;o-^F}ab@16Pmj*G8;1paXL^eNoCd0E;upe~X?r$FOc3_4|lXy%oBupafC6^h!(;zln~D zJvfn7g8Cxryi8QT64&>)nQQ|L^hp1STQ|E;)!tQ6A_0?0rkIQSYX*cz@0Q$EerL4O z^?*mrd@SDLf4z2`F<6UAs3+og*DkN<`)*fXJZ@QPTg766qp>rPKJ{@PZ~N=vAoN8w z^W9|a7t z<)}swj_bC^SM|roFfw3s{yO_rr~-9w*8mv^h|tg7qyc>efN<$ZwNe!z4VOcGQ!NXB z(j?+V!0iBRKnfLz96Ed*{*WkGtB~ba&KRrMPtucv>u6xibS^#+x^h z1yhzKPAOX2p4GK}I>3V2C0d9A`ye_QG#fa}v<8+I0oN6Ch!Im(LI2a#0N*oGTe zfNCO@Vo(3Ic|?T2UBxqDau9pK)|$B#_~RpU;2!{(!9bhpg72XxM5rfZywI|u;}{l_ zO@~ows?pZxSoWnpM` zcl`FE^VIFo-X<|m9t_O}EI@EEygczOhMn13wP~B`KVi?NF@#R9z6@Z=WjhTDs<|nN zUNK>1t7KX{>W%c*6bntHO#}c8>lfJoGoXW1Lx#c|qDaOPm)<{*7Ea0@byRqnSorYn zj1Su$Cyj!~Dy33NzZF$x`c-{Sfn-C>25ppyIj7V(XViFKxHRnyc^Rd<)N`vThXcXx z+vA$moT)F!@__MII8cb+`7Q%qx}_bzScg`H4dn6Q6!~;v`CqvwffWXe{~X#>C+yPA zCz=WUP7?47#9zps-!XFLoJI0#0K%tsCOANN3y?_ZU$Jf?9^X;t$5EyAzL6?Vm_vQZ z@Y)X`9Z`%&&xw|NJ729NHMx3Hpl4_f1mvIaC4Ow2Va5&2D{Eo9i*!0*{nohx{*(0@ zBc#*)gq91KcVt8XC}=V`b4CT%TR1Ck1q~SYz^jhi6$HX+8`%}EM`6)xjMfo_V}`Cq zp3q61vXs-nIHKcXp}Dak0P-T%UCki%9(f@#it{o{A8XF_mCY$+te4(SJXdmHt;A~V zVPb0PqNf%e)qNsWASX=DVKd5ShZ-L@lhoteoRG-;r&g&{GOu%~G$!yIpkWz?550f> zV`*bAOZE2`=ItxTIrO0WXj{M^cOYwpl3{^qXjEEk(7vKPfw3b0bBo1fK@vb_eh8BX zGA&v*P&XIKu7H4LrHPWo=)Qa}2f^3L0tk?!^vrc1*r=c<)HrXB*`3B@0c$cDqU~bI zG8TbZRK?BruNkZ|yC8(7I`SrZwEW`E= z(i2yL9miR~gZ4x9oc$J!y_mgIThT>HMID#-g#>`yjLVsBJ7{MPWi2VnzlSvVO^wWX z`U3of&z;q_?O0#pZ5rE|>`iiaA^W_%@90I77nZL=RZ>YnHuvVswX*5gj_Lt@iXKH6 zmyKb$NM$@*9=zu_gz$%p9STJnuqm&4Su|T|MuLI$CbI8BUw*T^23Svhb6o0E%*~zv zvFB4eJJ#lt!Gxh^U2cJ(oqQ)VJtJ<|H7OQ!d>lJ(1>@3-TwVkl_;-BB7jvuY(VsGp z)>vF}$&it}0A(6Cua30Mp9L4IbHt+6Y%CMw*iE>TfBJ`)uYP>B^VEZOUspwWpPKL} z#}x!)13(OgOwjWmya}`nUxf+k4{C&Lh_Sp*bH}C# zTg6XY#gnz#t_O&-XnfCKh;vGDfrq&69-e(%6&4^lIy+CXYNY#t4zX6S6t?;#QcjVY z9yVSS9FlETpS7TV292pcs?kU-VH}3dja27-DeOlLJgI2bYA9B|t^j2*fea%Fb5XVLVCy-JQbW$mD_R^W0(19|*xhWX=j=OuMERuS> zYeCBLuldSPHOfEg+9KZa#yhj)?V+;LI^C>WR zQunporJydvx|ni6s*$FK9L1ZXo}PD7_~ZM-{5g54Zx>loKU4Rl7&?=<^0IyQa#UmtYbBb6!IK3q{l@c00t(c5igSwtC)K3?;n2>KvVWl z(KFfI*E3|~J6TItgRW;fm|h(N-X)zg+c~i(Z7xEC>_YSHEOK|1gW^c*thJ-nxjPU8 zu&O{-wO+BQ&YmbKgN@Nh;e+~O8UE-=%*nmFItalQ-l<6wKT6t9`X1BKLBNuAk<$Xl z4c4^@=Mq3v`yO6iYYX_+y1C2bUa(TRcbNJ zlG&KK;xUK%{DH`7&na9ERc?K~sR(qr$ z9|^GKTl7tkIn`Xz02sx?0l2j9bVN}8Z`eOv5)j3Y)-NnW_5Y-nH}81vR6Sy*KFp^Y;HJ3F^9kk;MS{6d;R>pv5B@f8Wvf=ej1Uh(NY+dPWrPGcJN#MIKan z?=?cT46(E~3*A$xg*>19Q?veyEij$@*uMHI6m(1v=%1S04Q!;N+}D2ZD&}UgP2_4S z_x+S)84$Dr+5*ZaCgi z&%~d3Hf_Gud20&7X1c^xe*>KT0GY^Ql-jnI+D`k|KmXsk5%(?p7tMco2Xu(%U8Mum zN|wNkpe4D{T@*(6=INWKA3v9Bw=KB9hE+!NFxBI-VwUm4W4`*Ao=>^Juw-RhzvrBQ z8a10|&qKzKSJB!rcVO2`A$sNx_Vxx2u(R4&)rZpmdrc45k%QL8$m>lC3R3c!`CI=+ zKs}R=BT5_NeZTQy@`sRuYUO_9{m(Bk4sZq0(GVOJ1WA*9SH;=#{sLe&xez(W!0#}T zl9V4kwNf4#LP0pOMw1QoduE*}@(n2K{un~WSp4PpY|zBlpM<#!zaQb?U6Mq^FCAQO zoiB12k?;L`R>dooK$t0X52r8Ie$K7z(6gMx0pvxbmEagTR*A|0eN%bY{w^KiL&(gJADt^)v)#DfZ>Xh2%rO8g$o-Mjcrpjd z6mMe;3~ziE(kTR7ONywwBy9*KhF^kd1~@`pB`QoYXEL4aZ<~3^ocZFz6fLt$0(}$A z^f5z!AzSiB|JEMjM`+wl`JK~3#MH@zSOXN0z6eIlz~=^C}jG$=#(G5 zFS;r?#H4fcxjK4#rXkL&P)X2{y@ToayHA-T^s}xR`spd!9x@gHw5&Fk=@k^`3W;Bf!;c?Cr;BDcE!K=aytNsK@&nKSnd8rwHiy&4E~1 zpXhD~^^>q`&?Gda>qPr10q*4>HX~4@9GXn*te>?bPpMKb_x|S9vE~w@RZ(M0Lp>)j z1>JF7E==Jj5|3Orwl>(w(FXqm+8}IJ;-!JGkuoqtvjg}rFqp8JtxB3FFMq0wM^YS$ zIDhfgI&FO{>as&-SQL{b(JqKj6PsKuk-b?`0pMpxj*OXga7FUROKI^x&+heq+uJpz zd+Uu6@KZPR7pVxzVt}w$EU; z$KWVV7`>KE0Lr1>klVksI!{PBf=_h5keLi6pmAryQ9g!8htZv}yogZT@Owmr?FF{V zr;dKS=L7+bc?w2(DnIpAtFB_a!W&P25z)nQp!C(rSJ-cKr-dQq*>C@v?_36Se6aC0 zUn_KmO9TR!ORp?W4zm3hG(bq1WNg9sJWDqP&6m$FNgMGW>*J*_t-4S2II=AgLu9G9+3R8&fJO=;oe{x>abR=WE4Z0}L}cF9rrp&TCD zR(do@?wZl!KfnH?*<|#Ii^w6!MY13{L}IiAfu8BzP!!k$k&A(=zZd&|@kn<_M9l~U!5D!CIO#iB8Pi%&u$ z3c)yV0)1=g5!BVAS~_+@X=@h4H0RuK*)Ie8Ku^d5f{#ccopO#W)hIv#1L)0!f@l-a`AzA+Df9RTUU6?J+>vG`D` zC(b8TuaVY2%eAIgOiu{#P|cgn zpbkRYd-3pV2DC`E&iO({lw-`NoN^;49=CLZ_34yp4$$(0qviCMOZwRg;UW^)a?8h% zELQ&v77e<&B>gUpD05+tg#9U?PA z$eBU`l97Q(2I2-Go*1953~gy;5fOZ4emJ$I5Qz`sxw1-ysywz%2js~+V<85n{xv2L zAp9W&i=PG?cyd$2S%{dBPsGs_{wPv+ki^@?huVNYj>9i*N9WdrO%2l6SIX+%T`$3J&E_1FNI@am-}-_-w*BWs zzH^1yUIinZitz@TQr+L&0d3p?mEse_d->b4yXLxkLwIloo2&;5{djOZuKKtLWbey7 zfeIinarn3$Ngf@ac95H5X@yZy`T$u^f>naI5zRIH_DQu|1!_{`I59x&YGuW-AyO*! z2XUwoC)aaj?&`AesxQjamoKS6gbvmCrMJR2Rk zgXaP_rgInQmKyh6&Px~1VPbFUv3O<)h3x%7o%!wx9~8(>IyfKRn`M>2HZq5fDKohy zX*PV40`pXv6l=L5alAP~QgX3SCgK^??;Ur#G(CMr@su+us*ESH6Q^bptG$70?=aNM zB4dbio9AWLa zUsx@$Ozj_}!t3nKh~K>Fg3lJ;#X#JA(jRu8DPi8ImpBakmM*v+vXhM8H#Xa^?W@4F z?rDADMLUQnnBE+#0`YFDrGoLX-?SiGnXZzw7*0M&c($)*YZP$Atk7T8AinUoIf*{Y z9iitF>v z-_OZMM+c9e7SO0m(AGB_ud>VUCT^g4gOpstNKT#^6kkce<+^#2OWbUWsOwy}u-kwy zM^$M=XFjWD%MU3xu9SP1#+3eLN#`+9i21@;|D6y-?GG~w>RVbPY;sJ$_k5an=K@E& z1T4{k5pOhs0y=#{Mw5t8MiM!(Objiqcjhc`z5V=*rZZHt+d8EOQqb>qq|i4fZ9X(7 zd3yki!lru#!w;*{=gX{-cv0}%w*}dhLg3ok0&y{Ze%{QmTa^^|yC)cci?S@9!`M8# zq|!BJ!OaUqN~cv6%PIy2*V`LO_)mZQ;RUWR_M)i6g7)t0!?(5-oxq0H4XUpqS@O{mh1dS?lO$f9}(C?@3 z=7rVXl2F}m!6;u1jad7=r(%<*KYZrqciMbx1xaTcyb$;}`|_ddq{FCB)RiHY@uJ90 z6MqT*NXjOi~r2n?{GjK^}rcT&kHG#l;px=LP>>d+ygy>;L^j3aG3 z#-R^N=H$xI*`c3*zBg4#EP8Jzx5(ox{PJMB-REe#aMX0j72OEp)mTyL6Nr{%HK75e)LVx?+qfl;V$jstOOIN4}r zymot6ec~WG(NIUlN;ACbJ()Z)e*TJg-<#EPmZXO?i?BCTUI{x z1JTx^iR$Wrj0ppkm?BRrIr&!(4V}K9um0ABm6^6Ck+Y@3*2#0P&wXQ-Izii^qOYDJ zj_*tqmRpJccutCn_mek%+oi#boB{&q4PV%_7NfSc`EE|^MI_dr@kSmsoDXC~pL~$a zUoNG>VK8EVj0{{Z_+OuIGM$#LY=>b+4N`)Z(F&aHo=t|^zVuTA&3Js6&nPW%FCn>2 zo48R*JKXw!j<%=ce7f7PI7m)dkAlZup#|mFbZck~)O%{t$kWl;SuT+sLnbQY#%z}* zolnS}k(?R1R%PbGpLq5yJ|7vQP_ugNDkwgP?Dwj5M@}gW(hxCKtEZkRUg^G4g^a^s zp;F&9F+o8`x3ZdBp1$C?adjHs)Wi>t2o1GcQwvio#5lNAngB9+Rt^ga=;&zmnPbPG zgXd6G_49p!5uhZ{OqCm~Bj9DYK#a=qruTH%>tRGoYT-Ixoj!cMpeBzG4Q>4?muFS@nI< zluR7r`@8Kj_AM<&V$i4uz`Z^bS6ZpBR<*3Sz;YAm-TM{OW03g_Pv>OSZbSSt^SyC z|GB{JSecnmNmmw`NJxERm>T>DT;bGv_UMO?k1)HN&2OIi^ZnuqI#5qz`1ynju?VZt zaDjfGXtHGSFJ&&xw8TU@AP2@d@%lVqFe{PU{nx(TeheI*aF*!8>Ti5GQBQ2}<;z2nwu0WB1)1WOn z9=DBMuiOK99NbT)Uh0HOxttN!*iMTJQFz>(%H+pLV@RnroG(!tZM_}jZIMk+70b*t z6?-|`oV+?)T)>Jq)2J*AEWlT4l^1eU7_ycnp1!+#jxuGDll>7P&{+5>N+IO>xY(o0 zbkyc|Mu>lacujTF?HQ#EdbL@+vb(_bF&Sd@)b#A_$#F7xEMFN1G}CxZ;;@<=R6oSb z-P1bkzH`Qhv&`VZzmoo}`L4!ssdzN2!DHo5Au#@j8HdH{A$kD#(6(v;!Ngw+oPJNAjNB${#u`}JAMrvhyo z^JzkS)8Y;W6UQ-!V_B}U`Y&R>oGb~>2Efzz5qrL?`F&TLPqqe;h`*V+Wis@xwdXS$ zYbN zXf~}9D-{#79|dhkLraW$S7ov)jmE8qe+xW*yxjob_fam^hqbZ}xbykdl7~$#Zs&B(G4$?Y6cN_c zXg!_w`}_B4DEuN2y*({WbhAOvsP(|H{h+JIUldF!okvF(Q*5Z#A7e0_R{JTRJSfWT zsIYrEk61n~t6BmI69lh(8`b_eIAVNJ@%Nv~XzAoY(N5LBs;sjwUzhxyY#`~?oq=qi-k0oC#-Yx8Z>l6^@brIpIl*v zMn)=zEWjDGq`!_+0}AO?e02_mn)ym%Mq8flZczBaN<;)J4$ekilvbUqeltIS&cqc3 zqqgCV<*O^-Y9pd1N}u2ISX?4rsH>^GkLU^Bo86nPFOJh4yjmW;b-ON5solQjvT26z zcQQ0zR9L{00252S%It10I(Zur5o4H=*lnoLu$iT_lrD~qEUn5+-R*8~KBXHNnw^31 zF;PiNduz2;qfy-MO&F+cLC4Svgj) z?^0;CkA`79S%iggc==cze8kXrzd| znjH7qio<@9qMAX2xT6aEpyVnk$y_8^&OwM&Nhu20UmN@72tr7s{GHDE<1SpAR6r9Z zOtbfScP;YhmIv#D%EykZ`~5vKGA9SC`ue4SuOomaJi4<;H61V)zvy>ts@B;{L9>fL zlaOSF_4lUhwBtwS{-)uY#%Ko$;cBs_+37iLqkIF@uRd}DIIk_`XzU6F>ZKkm?pmsfbL z7LUdHq6GI6Jin=n+S6p1Y2Ek|Rh&yq= zC(^{tW!_^>Xp)|g#>{JQBirzcJM*4=6uE>%z;YO7rktutd{H9)&`5f z)feZ0^?q}xG-+B$wzPv~$wriwgF}D!K%+xFmVrvOzO9Wi&PKm_l~f#~`A!w#%Aeq( z2q(ei$Q0*q-tk3$f?dlcgyN!tK`~Dp5F@eIdDDpWz zXV%9bSLz(}dblF*FzagT=ISEzCXIH+a`nyhw*caXHACWKN8Tv?b7I~eJ;x*>^ZUKV zq^1j6kxJ##Nvutyi~Uj^-A^B{-KpAQljt+T*=mZk+3L|Ea&pA+W6G7zOQnyrpVj^My{OC7X7*iQx@Fz*}-Abo~ba7!=$fpoRN0* zAT%7-49{x(L5Pva<8der`S@e#YTSZ`mi3~gRSy{Ftmbc|!G^knI9S-TD(Xu^_fx22 zovGPdd=rsuGDMd@C({8!-bm53vJx4Rs#LS}A-{G&FlC?U_%`bhl7rKg`EGLeaWY0) z+SnM}R)=y$din-S`zSc#I^_VLQV98cj;)5zQN>HlLTZ(;q<{>y0pSY+!(=C1A7&Tp#66L;DC=Q;0F7 z;txBb%x3ecN76ETl?&DC4L7j)lNmyNeb5OTbVj3A<2hMrb1+tiMz)N*^{ie7-}&Wv3=T{`n1!#B*YlNJkf^pI+l3Au_lER@U+C z!+y#|$((QT6*yWtJL7%5QMQjep}iDMr&iZzg&{;djZVD-z*N{#5k!$zRj59tq7G-j zBaYI)KG_Eteuhi;ZUk^Vn9U5-)Vw_hlkYm0!$wAc4fI&XyN`BonZ)4ull_RHtJc>G z1g(S{Z9eE1``20k{F;N^Y{tl@c*CnO(X5(&FQ57{Z+r)E$_jxWJ+f(AYcIkl=bc~VQ^|dL!SD`j8YlGQdBby5F!+mE zf5UasCwj`#3wKWMPGBbfY0PF+`7V5(;YTvD#SE*JFqerHOuF;4HpqC|pLjm3_*Xe| zKs}6zFU?J_z!%@A%q9A){iRtkKz%DNrL!}plf;-MR6IyPz<`%2s0aZNVeiAk!ZzTy zokG#D+4{+CySx2``sR$9FP*{jPY^@iQ&F)&KBOwVlC_d8RV(Cj-0YgzulVJ~_QKBA^6N0I@x)|#G39($V>kzVlp$Tcnt`F1F<$Jh zsZm~T)WAc4GE0g^6wyZFioxE@;bQ#Ye$D^S2NFR{DyX}M$C>!nB&qdV9-D% zDzcnLnacP5e!}{J?CBI!*_J$Afd7ffog)8|5`=>$ihgsZ5#(Szw`~+V5ReuSP^6@#VF(2Tq@^2??(VWEVd#(+kY=c%hf+F+9=f}0=r{}gees^} zJ=eL;e`hZK7$)}Kv-Vm~-1ohnr>|R;MXRBf%WCaxz7<;--(|KjRA{=)<0@eGmWj;8 zCl6^RBB#v>-Sj?QK7MYS;iktd8da8`v;5C^;LF~x*6+pnIxd#nnTS-SFkd280#@>H zgRk^(TGp>Ayzw5$_QoJ1PTOO}@lN$A95$yW)Al}?L`=Dv3%5>>=2SI~wquZW#|1iB zb?L2jor2iqUNU)A4s{H9Ve)a@79cfC5P!>}d%(C~grBM-)46TpWBoju<=9{sv^F8* zue6D5!Ln2M%NP)=s&?T|wFZb$6A52YwHq4qCj^M$i1D;#Z$D5u=@MfX14L&}NUZHU zHRYzI<#i=R4Ydlyjn6Oq%ev$19v(@30j<-o_JT;1GQCJAp7rZ+(yz#l@=hT@%G;$F4k3 zbI&!$jnbEtadl)QeLEF;KJgcmi77r8lYPHa4O*SSl{`<&riFT+>L20=cV8@xQ+^Yf z{rUNVHiQ!N^*uw^dC#}36weQtLw#iqhhkGkClcItM{Qk}X>{4>6f?oJGqmBVFCT|Vp~GM^X*L~W9rnL#C=cAd#Er`n^56>eoZbN&!K;*V zDTg*2IInJ2xKBp@w~iJ2}RD&`PDUdO`+mRIR{k@;pD*jT&KR9rvd2y*(MmVneg5U9 z2LzJbuKfx?)f<}|!Tz<6!&URTySp769A*XgtBmGYO;rn&&rw<={K}+6ES@VLokLwG znswe`?jE_eaJ2~Drhdts5^&SJsxCKnX6iy*C!pSQZp9hYk%{n8aGwB_Ky(dU=S6F<9x!}SV>RMKUMq0AQf@b1eL(n zCJ~*PFbIH~nzK@n!{$z;P~(jssR92)0FV8$e=Mr1eYkIXTP$!x(1Nu5Wm_-V&8OB* zcC4qQxPfucMKkKpwNnQ!BpkZ?i)IzW??(pL$>hUeL>Cv*lhv27cNgpAD~tmAU?o!Se?F7#n>3{yv1m^NsV2xnhnt`!%W)6URE$@5-&-UlPZ; ztkT*!H9tycCDGHP)YD7JN`^^NTarxX8#!_evRxmfA#XvL1n))h$D5i$efNXhH=FSo z&qprD%t)Bm#?|&5O_*aO&1RmNb(-Sl{w+U(@u~Og{QDuR7uAG$!wjRX>S~tFn5H4) zeJEvRrT4FYe%RD(h9$`B7kw|J^l5vX1I409z77iiRs|Elrbwxlt%xEnjtd+M?p%x5 z@Rz4Bn{U~FgzI)2)6jVZv8xHMSe8vR4Uf&L_mXy5&paHqvU-nuMz2)CURQRfuI|fN zou`S(H}1cOye=$EM*}xF*Sde9^?@79)lg1OfR0YrK&JWMIWZ0rmuCKb6r}dVd=2_W zZZ7AN8YDq$U)6BF-cbDa-T~=tUIBqEAqx%;CI9PpC~M>Yy|cn~-`3TAQileDc>~+^ z&V%FZf2s@&cl52Nu(Y?HLb!c71Ln$fg-&ec~sIrUB%$!Dca= zV}Vcnmb&wJJ)an;%w*8vhL_#R{YT@^7}2=a41E(J9n{0ar4{g2bU=S!GA`k!mz>%7 z(1BiS>vZ5&+FtSTSob+OkcPzo*Z-K ztJS;N?OyO20J5*vs}b3hT)0Ls?|IN3J5@K^8B@sh%hqJHK=59b&+=7O(>RZIdY`S< z$q7n0PtPyFJEcC`38DKtl{vm*gCFpd4AG=mw=s}+U7Yp~v2gBxUmNf_0EtV$ip+-F zyv2vJo{LJ~AZaN&5bl2s;C`+T^Lvy~WHPNUDpX;Ug+(G%?5*B8bGOgyUNE1_Wt!dP zG&0UaeQ#uU09*_pI(aO!UFzTaxda7Ce-Vj416RK`jvG5tcJ?7ju9X@8F+ua9%}A^t zbPP&zG*x#?qVi7HR><>W-HWAL{=sMSg+?kW?}Jn)q4l9EN;q$xcQbmS6d6?fY(6GV zFJ0kJW=dS#?R(!1L7uNkH0mmsDP5O}z^I+sy?i-f;_G{Nd%E^{iT+B|D*VyxRjTOe z=16(`8N9rBZLCT#1vy=8L3y-wf*D)lV2^OwZn_}D!!uN`bc45Of4unFfVEEK#eLC; zPiG*UfUezjK08<|F&JOdTlN+e)AQmpYAqj1m%uvQbENDoT#heG0OFMj?n-w)t^jrtM{ZU3=1VWOMbo!LKiz!1KEV&E55%Lu%zBwsTS^-FIOuIc#nysiZjL{C zooIWcy!zd|pVO^%+i|?0x6yyz33r{q09P5^Nfi7<=)>xs69`s~Tr1*}Zn_%Z&c2D^ zI*4%(H)lu_M;>*u@132U9Tw0$p~cb@^8B|GmNW>(%YsA3sywFeZA0nO0IQ;*rO{Fv zxHMH(Qp%?L!@$a5lAgWhz2R|YHzES+Z4Nd(N!$Z}F-C#es?4m7)i(9$mU^;s7LB?X zKy0Jr+MM)py`&66wj_mG_x++>+&!>epDtXU#*DqFwLO`6W*eAXdzcP@O zAX1=SYdjF0_wF7JIVF2#;V!~hz8I$E!ey%9v#@gmFVJ=TP_U&F8PDf5GzQI*YgK{2 z9WYWH=nn#vU*UX}%ihvO-Hyygl?BS$R`~8s3;{BaBTC&e=XtQ&MMb_?TIE+YfnYxn z@yNc>j8#Vt^cNP_pFqgTg#f}2m2dWfik~uNW`4f;El(we-NjFLusXOGgk2T3eXl^x zAeDMnbpkwX9!|~?*LBgmM|}1NO^Zzy7Q@!L^o1*vh=g54=5$Cvwog69rITk?&v9l) z0w)D)ntt12Q=VUx6haBegMLV5$W`w)go^SfS)Uzx=|C#h$1-#@-CKN*JBLuBXhp^T z?+=60~?wgsp&Qe(hCpW!S5C$bhApy6~?^$ojB??69DfCu51)ZYT+YS3=wVeI@ zeU+7PhUPJEi~Slh!+NO+>j~3sOuG43h)gW?#(TD8(SpS9WUce%)tNq^&9+88UR)(` zSsnEGM+%+V_BUJ#RuM>JYRJfRl0yzRN2-v0zkeSe-LSEdx1J3ZN;H(Td_v*QJZlKk z)P3lirbsEBTaGUQxP-O@}U|R4F`_o;f7TOaOo4>oaw=u!jQd-e`Z1)00QBl!J5buc{sq68c`*s^e z&SSh%0be%f)MP&rh#eVmK!06RDT72O@{%w{OP!y42II#vU&RL8#U>$sIwr!R#-vd# zo;3iXgQ5LBM;Aw1Ui*!x=ZkH{kpdLRN?~a<sH4qSf4O#X%#_5ZmT?qMv*M9YaX9s-s549ODCf>Y> zft(^s_lIdzxUKG$ZP)J8#@g>MS>=eyhW zm3hix&W7u>^<=+QuTwnK<7o4pjbw8~JrQi?!R=e8f{#Og>?~z}l?bWlvMb$jT_?-+k=4Bt=?KbF$a5l z`Bq)^GWQGrZFx491jU>&ml?@{>^71Cp=W9Ht@2p<$lbWE3d>5Lqr7)kvz>)J&QwBuR*fN|^x|!2!y3vh zBU6I`9J20-OIy!WOn_#ErL}>9j-ujNo&@o{CkvhSCh*CHPcgl(iY=C%{VGn;o1kj( z9bj3N_c87@SgZrF5odz#DuKmQ66d*vI56&=7tRu5!0}C$TOp%Dr(Wq=jPzcT@oaMn zQ1<0Zb$YU&SV1-6-WS6sm_&U1yup+_a}_67KXou>NH8BASddKq4HBj*JysJAS9$y@ z4mUNC%llV9giSgI;~c!>^`5H%dgQX64-V+Yz&4-0RlvlT1-%YAdT$x55s>M_5Y94#s8$M|0`#ndGJ8t4hAa%M_3^Z@9(=aRS7#3 zsrUYyJ$By!Ah1)Sd7Q-s63y#JGNO{P`5VRm`{v-kpT4eR{y#JC>xAduK6VGE>@^VQA^5&b0&4ap zg{aU==DoG}dli2V9r{@%@BP0)xX#CC77s!3?V2AnZtOG}goO5s(#juVGBzN0uHIuW z5`OnVm?hK^osh2!EC=l@@ zZ)ar+XG~tc^QJ&ykuXX?F^;2TKNuNLyz}#>D<0Tg8lH5Nt(KMLaU{6yp+V!9|?y-LTR-T7f;u(H0{T#t^6r+x*V=fD{8cN zsVJ3qa=mlqPL>K+rBoB1lD8_&6LYWW4H?tSDUZiwiADC(X84>qWL zs50NS8Zd)c& ze*!3kC|E!tFykjn#rrbdZIji@O=t6`g78|<^f&2f2%#N^lU(_lX}roRvbASc*q-|` zzQTWh^w#k#Xs(-Gz42=HkOeJ;w5F2p%d&c7EB_$(;eE zJ1^^bI4@l9jkcC85E;6^SIDLBinE12`9@YuTu{wBHrsaNx?avq4(`L-sc277^dmI6 zjBpg^i+2_5Ys0%+{oEa$ldBE8`!|K^RR->g zMa4zdTTQn=X!J;g)~jl3>MAI^GxJ%kjf-9$EmxClV~>|_FZ`Y-enR1}HW6(nim;k; zsPQ<*oR4KkLyX zXrFhL$?QcQ7F7J64Bkhn>b1#MB!puy9VM#%^--sB>?B0g!iMQM3qMs&osUXjCfc$( zVQ8arRD2ds&3Y`wk#VwhAj79(IN4gx?G6oSn6-m;9(P&^mSG^7s`#qMd?W>paL8)t zwbhfOh<0Q&*x#BTb$PgUZk%*RQoUfK8n@pe5DrDI79mUgr&Clk&`BteJD7E1SHBmEAnP2!`?q%sDU zX96)-HC(7fZu+6EkZdyVG@8?fAWH1^3lF2gHSCK&uZ5JcMg6KQ^=z-6tWbmtOeTtB zt!!+VS{%;Mr7`j-R%{B!MXEi)C2i=PoHzSj0;`2o1Rz`|EB|20YIuoKXBifZmDc~v zX5uXx&c2Z(Ch}Qd;!!igo5QQQ#fu?2(=Gi}5W-F8aM7-2J>hb>2eq&I67c2RYl>{# zW@#dWgD!NANWEBJZ+@rxMxAb^hqt$z|jp z4zQC!?6~z&zd4!|)-&}t(_Y{eW;M0wkqZ`a9Boad+lhSsDGO)wq-uzad`I)aMKUmW61Od7#NuHy_2&2-b9L{9i7Ve(asRuga(-F z;T#vS1Vq#^y?=_tzS8zYT=&f`kJ5C&eXNPnvnM1@c2^#YAwo&%lrO4(-;vNx+^C&M zvdm|;&M+eBUmx7-g>OK|F)bYFonn=AKz{+v(f`AOuvuhUNk zjkd#i3&!_DF0#x$s=OdhOesi+`%*-elAa6jZmL;V_Ir|a_Yy|;RT+ljS!qKZ9h}u` zPo9C6qzu*+L<9LUO2P6eJ{6Q(lYH)b$De_Q5a*k}tPSQV3Udx-zJz1=h ze&;Q;Wn9=`?`u9j6$xBNx2uc#VbUMgB_`~`ZQ=PzebA)SU%mzZJ*fU&yo;Km9N+Fv zos>_M4Um_iO#_Z(k&r;%%c8AUXcLRhcXrLt{n|hzbVnLky=0_kSj?>E_2FCH8`9ED zlFLHrRl5&NHiwUYlc92RFm(X{x0x~$^z$S2uK2;5w!Cs936yb)NzgN_d>D7Z#1Fmh;!3Q@y-iZLxA>;0T+KE~k77|_shl4GDMlE&q{;W`z zm#c&Y0AAIwGh585p(49oZcVy0XXvuq(G4OGCv&%vam}OE{=JC|YASw`*b#(MX;wmH zP~_yubDa#lVlk!?crjkkw*t9CBKE-Nlx3Qo*BY}w zTR5iWRjN~;bCPZz z&k9nB-1;W+W}s~*AxFcwB5&BVgOOkuKr8Z37uF1Is$aW1>x!9v0@13GGJSErLPOzN zFdHJvZ_jXXAx}9Tgn^^#TAUB_#_975R{1Ore`WiL=aG+IT^8H1v%I0k6ZgBDTxIJU zP%t6s<9#7yeX3mM~nP}r*D(4$>BR%pQ};Xy_zAM4zQJ8^F-#~~0T9nSVeXteXXGi%d_ z5C5?P13#_Fw-?4qKr;EUn4Y)j5O|h@dL-sBX&b)-N4JDSA=UjgJ@jMS-GBDFo5z`@(lQca!j4YYuiJwNk zegc}87ZR2i6`gmo-YGNJ@V?{=Y|drYT5wnf`=>As%ucFR-s*Z6C%{EB#9WB)H5RV4 z8n99d5y~GWOZ^-+<#5<@pIpCMUHH)HgwNI4{yS4GiwLA(Z)gb}k_^DRfE-B?u(+(% z>qCQH??#LEI6M-Knk`yk5fjF{u@nk-Bl#nv=!$gh&LJF%x4Q<7_}BWQm*NA?w={Z1-6;4R2@C`Zzv z`cd|crSB2TW*mdtH651@J%_5O+zE@&TOIwJ;NikU6<`+T`tAMn z^I?X5$fb1b9s<^_u+w4^a};zXN=zmwT7 zZkU?9jO_UJam(qXb_)OLKz=TA;_)3@r}BE&MOs|9DhQ=8@cNwr1Iq=IrI#}0x3NSvE+&oj$+RbfVX4olKkjx%b;N2(N=;Ljc{2yy>e*PUgd0^5&;9 zRW3oFvxBp35u7%y*S+qjVsWm>?WlMt0ozts)7GmjE#X@}2!LnZJ4TQ5o})cCEtz0U z86Z%@c`EF)({zHNS2*hhQFeNB>$*^#uI!ppmSk3>*8y&zm>6{e=R1!R_LtEIr+0V@ zXtPvE?{!W(lYY75g(%JE)QeAoM$ej%#27ib3%bObs>%fUStan)M8}|)_h3TF1RdW24u$m96F)1dsvSPA-)?O;FIcecwZ4nyO6lKWp7fB@e$IOmFIjO3{Y#U8^ zIBs6lRH7a=mIj5KTQnbH!^i@~MCJ+c3$tu@(_dtZ1EsfFiMO{aSB6p>l))wPsHOxQl&w7~|g`C**dG(hqL3!o$A^YiEu%EArX448r z7fPwXqPD^R1YvoR+&+I#*@t@PSfwY-Bwhs_x9=7Wf4GCztUYNc=7?Pz+KA5p-%j4cm;d04IuVp@BWDK3%brq-*X>Ja# z6xuO9D(xT2tjwQqefVU6Jt3Lkpva_K$kuX19rwMJ4Ub@_uC$zVdm9Pl7a8t}J0eb8 zw*7QYZ35a7BK9~sF86s=G%+ahnJFLpS_zD*H;dXf=Kr%q%ghe66 z)<SDjg-x*%@o1$seK=o ztYyCWwyutIIm^Dajme3gj~%0`=h-HswlG8V(qL5+2;m{6*2+WdH|mlBIJijhi_~Lw ztpj>iRVd~!-wbEM?aQ2OJt7Z$LB)t^_QvjItf}qu*%q9AH8|7y^8D89nzHWmqeELc zWL>0J)~5jb{h+!luQItp@LGFYPiI##4GckOz0Z_&vV?D7KwXwP5M!BI0_m++3B5ch&q4 z&3Np@uaeCb?7LYGY6b03MiLhwT(e@9I=ls5Vu`?Qk zs?;N8rJew;9Jmod67(7vcljkrvOGWiA_ur`1*^gO%_2z=qL z8o#9ss0~j3dk`{fcFbxNy76G9P^)$Qpo(!qEExbj))~gAqCa_3;MWzEguSEr7-Iy0 zM$_^gfN&qxAH!-yW*0t?Eo>|4rhd?v6TeH+rBzz2qWm?-2J6Id?%5WxvEOrIy0dTV z6@m23`*P0Kpc$Td*LWizPvMHO6cMgUTQuD~UUy7Y|GPIh2`i|Bk!NW{&^1==+H^B9 zwow1p!Um;*a*bmEd;(Je(k~nx!CvGzn||*Y%wH}^nqcRoPRQENVB|n!(3mx_C9B3P zxg}3at3y3TwkBCIE5;vI23q3Og-5)9IYLKp|JYL(fLlsAX~2+G^N%NZ+YZ9!b#zmY z9h%GWP4J1PJp^Ei8LIRuAB%hYMck)WP&cLHI0c%7&*VM>Bur9AkBZ;rrCEO|XzNx( zv9e5q8$>~RdiyU69=peYkN0O}+@WG`Y+c2haCmuPMM;s<&h8Jb>}@R4$KlVOy?#vE z0X6KKtVXX5b+KMqKHfPINo{BySOj5Oe%@BQMn#B=vRE%ln3Xul*If|et?oj#*3WIe zT92qdbpuryOG~1lWc|=`mJlNzwo*Ah0cpf%E{~0tPeFb3ZGoOhxSL z>v`;j%s=aANUhS{`NGQ|d&3_<1bZWea+0?+UxbAS(?an%x#rs*z3RmdD3D2zPx3ag zX^Sx7$&rrkpG~VFs(1zZacV%)B(!Th%>oPdclF#~|Ngsn+vP4Ozc(;Np=j0&rUaG} zMY$#3X{Rt*gpCP9RPNn3E{Kf~vN5aQ{mj4?m$-BD7L})jdi)1;RoUdleb>eH5LcFT z)M0jwTrp6+KmmJma;p7zdF}(uV6qHF7r*juGVhDdhjGgJsP$=&#`ARF7oxX9lItq< zL5GJgAB!b*`W>=`VaLb9}OGfz1A+X@>T%5GaRzCq^AnANg3P}YZSgUw{ zWISSUOmS(+zTUrl^*80rIwAh#PF__flcAzeD2lhn8g24hlq?Md{9Y3C#+Rj0<7uPM z0y2C{wGf$l7c~>Vd#dwAgzUtS!5cNv35T*?>zAp(%uj{f%EFZHV2AHpxK#y{48CQ; zJKTJFagz?G2c~ohDx}pRGx8EuRFw6C>9Y2ZnXH=KX!*bW8Q=dH@+GI8$iVUj(GrLd_&N zKAC*gXT0dYhY?D@C8Zfq-^wwSty_rt57$ewa8YxZ#LSp(PDjF=!aw9bE5g!{%IB_p zdA7}MfnwmX9(>CC0e!ZeOAb*c<5s`gy@v|?%FN764pAM>5^B>9x^XuU%hq9PP%hZ zm8eAOLW^;sLu%fMaX~6a?EFc637D#T?{D$Ph1BJU`)a==c*r1&aT0v7jdap6NDKCV z9UG;pt|`grHLpys0vHXqqSG$g_+j{}wQBu*CR9Xhk?Z6C#YKDHFxG4#0#NY;T+7zh$L&5|%$#4~-uUg+Ts7NF%larW;KG@@PYj^D13{n( zjjW}!JfoUZ)kKF#2b+p&{%GWvT=HzHnf+i^)!2e5ehLpaK;Ilw-MD%QPjSRKX;QX0 zVA5Lc(*aG!=n0-6DJ?zSN%in7l9w?hf$ws1w>C|%OOt}-aAvg}USyST@V)XFrUmhh%%?Txphf(_JCvTx# z23B>tb#FX^tk0RMA?Yz%*@B_bMwaJg0Os+1o8jAR{e>dzo9-*2@2C%pehFEFUKIyiY1CYgBqpbl(%VJ|XZM6+93pMlWxGoZszv+jJ{$ z^>65$nB%ScqRJRE=q6rX^{yYO$7kDn?UC;aiN)VOAmb4)t6{g_|6V=49&~B{YO~^M zY;C$0o!nRqh+@KrcfwOYt3YYPB*pZ9J7wP$B}_(zjHqkWa8;vbBX?3`wEilaeCN4#l8p8LzoY< zs4zRmqxUzSJ$j$2<`vNKLV-TO=-r{%^D8xPKwexw{Iajf{02-}hPUK@U%;4sRs8SC zbvO6_Jp1pn0_~*SeA9}KcT-4|l@(Q0S$y;p zp1pv`XQ71GG#Sch>x;fo?Bk|JTO2Qm%48lRQrrFpm((SbTwz?ZH9wtybhZ+7bXV zJyr>}ff90h0_LISL%w`-+SftGp1Uz4JE1qWmc+ z`~SYPlLnBuTxAtkBUO!Aa~d&L157nKj<<2+Vq&flzsd3=Lpfc2F;fiDU_0zZ`{twi zLRI>ql&i{0Ijc|r&PGM4=1-Iguc}suW=UUJ!vrT2gJXHL_9&MMxB5~~02#UX&iZ(+5Hd@@zR}){1s++18L83R}W5oD#$|+ zj+4V3B@W}XxT!b94jRvg05+gmWu_++bpIY?9T2v6kIavn6Px|goCD49hS=!qiwwJC zz5*N!FcV)rnr$Ueq87(HImbW)fOao8QZ}t{mIdX)Oi)%3$1TMOc)As0<-Rox)a6x4 zIHH^E$ku8_NRQKR-RGSAh=rrWzGnVD=fU1XDei4Pil+(|fT#wb>dL|g3-uApdDUFc zI2rAnOS7Ii^e!WW#VKYNk3uzJ;?pmJm>6ppZ?&K=t(3Ewa0X55sEJZUA zTucMNx;8n9&tQjiIp zxh6-4vS|0iisl3XZSwld1!zET!*r}ANLgAs6PVqsb^ESC1d;(0^^`-43W~YRMmFYm zW>q!$b6byaNuk{JKY#TPW4%uR>0by%uNxRGkcWzudY^@Zr3;i8WFzp+-0m}*EF%Xp zo%(r6l(Vep+6jox|ID%brMk2nc$>& zR0J%gc^vj(=Kx z*Er#I)&Pw*!t2t$A4mp(gM_}oH72W2Tuc~-o2^d>-;{NJ!+`5MjGnAH_IoM}vLN9C)HSK^kQISy zMJ^5U|4u>l#K&+8y{gieY?vh7>hGUwS^FHSO97Ta>*IMqpqLm$du6@OQ3RJU(JwMq z@-90lQl}pl9MAdDUo{-tc{ufrcUg^gKl}C%=D;|d%X<|)G|vB(k039=mN?ipH8EJ! z8&B79TmYCx6%C?1===Q#MdeW>?2h(DPWDBDj&mYFn=wVvqfvFjp2J)HE;~bJEJqf< zN+eEA;k=i$yfn;|WZ#zo&CVLB)e%WZ)vpD-0iuT{klzd~RF__^Af zV-pC+%rsm8jg`071PFq*| zk)y-MC!&kIG`c*(Jcgbh?L9x1ltl*z1kkvsNx(C@!6&$L^^x}^M8n!eWq?J&x^l1N zH!@u2y1(aP`l5OQVd3QDJX3A(}@ABhf1K-=#ZAK3e88J#uP8e|b&?D4&5L zR=rw~H$ZCi?iH~A<8y>2*Av3j)D<;V-+N(cX-M&G^2a+eiqaFb5#|EY7XZSK8Yf`p zY5ZjZl^Bu!;}_LnemqN)Rs3dXF&VGppR#FIYy95K(6u}uI4;)Z`hQjXTohfTfO zeb9~>V}0T_Jf8Uy0P(;pgOs({?h?RrK$J!w%jirVtW)ldTmb3d%SS0L+bywG9+Z`) z-97TOSci@diaA_1$m5K7r%lUzh6R_D{f?4+xkBQd6L7HR3_|UL)XLI{o|fPFJ(-9C0dTp!CVuSnR{$ulzphxp#f&^26MrBlSjt@#stb6|xc zIUtvzYL`V>1@t^o&`o8_*K)$2===_+}7Sg!%M z>QAlnFICJ3qA>K39K;2=gQQ#DmWwSHVw@IR{Y}3J0Gh|n*H}z4K+gcnwKOji zPw(R!8GYOr?m;e^tCU&bjRLyqgl4~{+c zC@Tz1SnPD{Lz1eRhEg?vdp9S=U6`N!m@Q*HaT|AWiP-Dv%sff=s+W}IzrxYcspYZb z#Us+%jx$-psEl9Bt{#f}$Cqqs+q#y%}fZ@f7{HaVYGKNl})I zWGDv}2`8>-A|OXp&GPV2E=-Fk={%w^wsc>LXZCdSox5Q5W-L_T9p>;4I$;(&&m)Z&_u>!(m0wD^7*XB0Fhy|l#}E9W9hg-&J1vmvIBk=`se~Q67BAM zUbH2~StKzISd8&ebt0lzG{-6h`+|gkG{kWiegZS+^HUQ>6#t`KB&wT-4iFwJhbKrL;--XeH`>H zGXrY}{XNk7cxb|ii2Y?stHo1Yw~hyXspZV1-Y4}mKu?6VHtGzJ4@|Y~FsUYcUwhN- z!xo&4>^d+RDgYhX+M^x6*PY@#tcr_uv#Lsx(Q4Atdfv}jtH`l45dMInjGu~=EmuEm zw3$F^2)rPN%{}2r{i+X3iwBGB|G|m9cD)R2V z;lq79y0i*$^r^+7GiHuhA?j#->^qsRe)V-=CayxqZuKRRA>;-eYEiz&I0PR}AM16F zc76jJzC>KK0b9cUh$G+TOgP2{>wwJYu#1KY-YO4r5ddLVeNA%G@b#PvNEREca5$LG zbKc;4YGGnPXm0(8Ky4P#^Q_EyrhUA>;^QD79@CYPK{rO+m`R;0_~m=-AutbJL%T!8 zBco#E#lqiAnci`w_JNHM5ou@Hxz_GIe48=)s$=otbG>Iom{5FxvZX3CKvlCD-WHmG zv@Byns&gTRNReXO&bz8;OA3n_f>VVTDW>Tnzf;OEF~(|<$cAZvm>ED+ zr@btvz(62N@QSlf`%9R#R8xxz+#RBSa7%Pc>w3KdBCBg859_&FcGJhy(Qr~66-}0k zk}#Fr&NYk5U!{NgMKsOU9{MT*qJRPRe=SHcyy*M4tNEbn?dQ(UCVc`11|l0`9(i=H`K5T+@EIL zxY2#m{BqG(;FYOGrXExwDqF)}#?JD~mpp3`#eU@)+}Syq1h z7_hyu{POWQFS`n@h1s*)fUeTsE+=np@T_(1P2eR}(waA&cWnpWaU;Hd*|9jEzRWOt z<>e2q{CsVD+jP^$Nx+70F8g^-mOmdBMEP&Za|+rOp(1f-uchEyo1%wqUVgFh- None: + """ + Replace real 12-digit AWS account IDs in the given HTML files with + well-known example account IDs, in place. + + Each distinct real account ID is mapped to a stable placeholder so that + filtering and grouping in the reports keep working. The mapping is shared + across all provided files, so an account that appears in multiple reports + is anonymized to the same placeholder everywhere. + + Args: + html_files: List of Path objects pointing to HTML report files. + """ + print("\n Anonymizing account IDs...") + + # Collect every distinct 12-digit account ID across all files first so the + # placeholder assignment is deterministic regardless of processing order. + account_id_pattern = re.compile(r"\b\d{12}\b") + discovered = [] + file_contents = {} + for html_file in html_files: + if not html_file.exists(): + print(f" WARNING: {html_file} not found, skipping...") + continue + content = html_file.read_text(encoding="utf-8") + file_contents[html_file] = content + for account_id in account_id_pattern.findall(content): + if account_id not in discovered: + discovered.append(account_id) + + if not discovered: + print(" No account IDs found to anonymize.") + return + + if len(discovered) > len(ANONYMIZED_ACCOUNT_IDS): + print( + f" ERROR: Found {len(discovered)} distinct account IDs but only " + f"{len(ANONYMIZED_ACCOUNT_IDS)} placeholders are defined. " + "Add more entries to ANONYMIZED_ACCOUNT_IDS." + ) + sys.exit(1) + + mapping = dict(zip(discovered, ANONYMIZED_ACCOUNT_IDS)) + for real_id, placeholder in mapping.items(): + print(f" {real_id} -> {placeholder}") + + # Apply the mapping to each file. Replace via the same word-boundary regex + # to avoid touching digits that happen to embed a 12-digit run. + def _replace(match: "re.Match") -> str: + return mapping.get(match.group(0), match.group(0)) + + for html_file, content in file_contents.items(): + updated = account_id_pattern.sub(_replace, content) + if updated != content: + html_file.write_text(updated, encoding="utf-8") + print(f" Updated: {html_file.name}") + + def optimize_png(image_path: Path, max_size_kb: int = 300) -> None: """ Optimize PNG image to reduce file size while maintaining quality. @@ -190,6 +262,11 @@ def main(): print(f" Viewport size: {VIEWPORT_WIDTH}x{VIEWPORT_HEIGHT}") print(f" Target: {len(SCREENSHOTS)} screenshots") + # Anonymize account IDs in the source HTML reports before capturing so the + # screenshots (and the reports themselves) never expose real account IDs. + report_files = sorted({SAMPLE_REPORTS_DIR / cfg["file"] for cfg in SCREENSHOTS}) + anonymize_account_ids(report_files) + try: with sync_playwright() as p: # Launch browser diff --git a/sample-reports/security_assessment_multi_account.html b/sample-reports/security_assessment_multi_account.html index ab1ba76..de48422 100644 --- a/sample-reports/security_assessment_multi_account.html +++ b/sample-reports/security_assessment_multi_account.html @@ -66,6 +66,11 @@ .section-title .service-icon svg { border-radius: 8px; } .nav-item .count { margin-left: auto; font-size: 12px; font-weight: 600; background: var(--surface-2); padding: 2px 8px; border-radius: 10px; } .nav-item.active .count { background: var(--accent); color: #fff; } + .nav-section.lens-nav { border-top: 1px solid var(--border); padding-top: 16px; margin-top: -8px; } + .lens-nav .nav-item { background: var(--warning-soft); color: var(--text); box-shadow: inset 3px 0 0 var(--warning); } + .lens-nav .nav-item:hover { background: var(--warning-soft); color: var(--warning); } + .lens-nav .nav-item.active { background: var(--warning-soft); color: var(--warning); } + .lens-nav .nav-item .count { background: var(--warning); color: #fff; } .nav-section.industry-nav { border-top: 1px solid var(--border); padding-top: 16px; margin-top: -8px; } .industry-nav .nav-item { background: var(--accent-soft); color: var(--text); box-shadow: inset 3px 0 0 var(--accent); } .industry-nav .nav-item:hover { background: var(--accent-soft); color: var(--accent); } @@ -182,7 +187,7 @@

Navigation

Security Findings - 723 + 1664 @@ -198,22 +203,23 @@

By Service

Bedrock - 209 + 461 SageMaker - 252 + 423 AgentCore - 123 + 182 - + + @@ -223,41 +229,41 @@

By Service

-
Security Checks
117
Evaluated across 3 regions
-
Total Findings
723
Across 3 accounts · 3 regions
-
Actionable Findings
268
High, Medium, and Low severity
-
High Severity
9/61
14.8% passed · Immediate action required
-
Medium Severity
39/190
20.5% passed · Should be addressed
-
Low Severity
9/17
52.9% passed · Best practices
+
Security Checks
161
Evaluated across 5 regions
+
Total Findings
1664
Across 3 accounts · 5 regions
+
Actionable Findings
598
High, Medium, and Low severity
+
High Severity
28/219
12.8% passed · Immediate action required
+
Medium Severity
82/280
29.3% passed · Should be addressed
+
Low Severity
30/99
30.3% passed · Best practices

Priority Recommendations

1
-
AgentCore IAM Full Access Policy
+
AgentCore Resource-Based Policies Missing
AgentCore
1
-
AgentCore IAM Wildcard Permissions
-
AgentCore
+
Agentic AI Gateway Tool Policy Enforcement Missing
+
Agentic AI
-
2
+
1
-
AgentCore Runtime VPC Configuration
-
AgentCore
+
Agentic AI Resource Policy Boundary
+
Agentic AI
1
-
AgentCore Stale Access
-
AgentCore
+
Amazon Bedrock private connectivity not used
+
Bedrock
@@ -279,16 +285,16 @@

Security Assessment Overview

All Security Findings
-
-
-
+
+
+
-
- - +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2
+ + @@ -297,9 +303,9 @@

Security Assessment Overview

- - - + + + @@ -308,9 +314,9 @@

Security Assessment Overview

- - - + + + @@ -319,9 +325,9 @@

Security Assessment Overview

- - - + + + @@ -330,9 +336,9 @@

Security Assessment Overview

- - - + + + @@ -341,9 +347,9 @@

Security Assessment Overview

- - - + + + @@ -352,9 +358,9 @@

Security Assessment Overview

- - - + + + @@ -363,9 +369,9 @@

Security Assessment Overview

- - - + + + @@ -374,9 +380,9 @@

Security Assessment Overview

- - - + + + @@ -385,9 +391,9 @@

Security Assessment Overview

- - - + + + @@ -396,1644 +402,2212 @@

Security Assessment Overview

- - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - - - - - - - - - - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + + + + + + + + + + + + - - - + + + - - - - - - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - - + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -2042,9 +2616,9 @@

Security Assessment Overview

- - - + + + @@ -2053,9 +2627,9 @@

Security Assessment Overview

- - - + + + @@ -2064,9 +2638,9 @@

Security Assessment Overview

- - - + + + @@ -2075,9 +2649,9 @@

Security Assessment Overview

- - - + + + @@ -2090,9 +2664,9 @@

Security Assessment Overview

- - - + + + @@ -2101,20 +2675,20 @@

Security Assessment Overview

- - - + + + - - + + - - - + + + @@ -2123,9 +2697,9 @@

Security Assessment Overview

- - - + + + @@ -2134,9 +2708,9 @@

Security Assessment Overview

- - - + + + @@ -2145,9 +2719,9 @@

Security Assessment Overview

- - - + + + @@ -2156,427 +2730,19513 @@

Security Assessment Overview

- - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1 AC-01 AgentCore VPC Configuration Check No AgentCore resources found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-04 AgentCore Observability Check No AgentCore resources found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-05 AgentCore Encryption Check No AgentCore resources found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-06 AgentCore Browser Tool Recording Check No AgentCore Runtimes found to check browser tool configuration Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-07 AgentCore Memory Configuration Check No Memory resources found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-13 AgentCore Gateway Configuration Check No Gateway resources found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-08 AgentCore VPC Endpoints Check No AgentCore resources found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-10 AgentCore Resource-Based Policies Check No AgentCore resources found to check for resource-based policies Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-11 AgentCore Policy Engine Encryption Check No Policy Engines found Informational N/A
111111111111ap-southeast-2
111122223333ap-south-1 AC-12 AgentCore Gateway Encryption Check No Gateways found Informational N/A
111111111111ap-southeast-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check
111122223333ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configured
111122223333ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action requiredMediumPassedInformationalN/A
111111111111ap-southeast-2SM-03Data Protection CheckNo SageMaker resources found to check for data protection
111122223333ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
111122223333ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action requiredMediumPassed
111111111111ap-southeast-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
111111111111ap-southeast-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
111122223333ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
111111111111ap-southeast-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
111122223333ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
111111111111ap-southeast-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
111122223333ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
111111111111ap-southeast-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
111122223333ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
111111111111ap-southeast-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
111122223333ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
111111111111ap-southeast-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
111122223333ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
111111111111ap-southeast-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
111122223333ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
111111111111ap-southeast-2SM-11SageMaker Model Network Isolation CheckNo models found
111122223333us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
111122223333us-west-2AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found
111122223333us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access
111122223333us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
111111111111ap-southeast-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores found
111122223333us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
111111111111ap-southeast-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found
111122223333us-west-2AC-13AgentCore Gateway Configuration CheckFound 1 Gateway resources No action requiredInformationalN/AMediumPassed
111111111111ap-southeast-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs found
111122223333us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs found
111122223333us-west-2AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: +1. Implement defense-in-depth access control +2. Enable cross-account access control +3. Restrict access based on source VPC or IP +4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
111111111111ap-southeast-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found
111122223333us-west-2AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control +2. AWS-managed keys are single-tenant and region-specific +3. Consider CMK for enhanced audit capabilities and key rotation controlLowFailed
111122223333us-west-2AG-24Agentic AI Gateway Inbound AuthorizationGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) uses authorizerType CUSTOM_JWT. No action requiredInformationalN/AHighPassed
111111111111ap-southeast-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found
111122223333us-west-2AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-west-2AG-26Agentic AI Gateway Error Detail ExposureGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail. No action requiredMediumPassed
111122223333us-west-2AG-27Agentic AI Gateway WAF Protection MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
111111111111ap-southeast-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
111122223333us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
111111111111ap-southeast-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
111122223333us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
111111111111ap-southeast-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
111111111111ap-southeast-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.HighFailed
111111111111ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
111122223333us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
111111111111GlobalAC-02AgentCore IAM Full Access PolicyThe following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace with least-privilege policies scoped to specific AgentCore resources and actionsHigh
111122223333us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.Low Failed
111111111111
111122223333 GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleScope permissions to specific AgentCore resources using resource ARNsBR-01AmazonBedrockFullAccess role checkRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required access High Failed
111111111111
111122223333 GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (179 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (179 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (179 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (62 days)Review and remove unused AgentCore permissions following least privilege principleMediumBR-01AmazonBedrockFullAccess role checkRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHigh Failed
111111111111
111122223333 GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMediumBR-01AmazonBedrockFullAccess role checkRole 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHigh Failed
111111111111
111122223333 GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. High Failed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. High Failed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. High Failed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. High Failed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. High Failed
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMedium
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMedium
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMedium
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMedium
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMedium
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111
111122223333 us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisBR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7feCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: +- com.amazonaws.region.bedrock +- com.amazonaws.region.bedrock-runtime +- com.amazonaws.region.bedrock-agent +- com.amazonaws.region.bedrock-agent-runtime Medium Failed
111111111111
111122223333 us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingBR-04Bedrock Model Invocation Logging CheckModel invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsNo action required MediumFailedPassed
111111111111
111122223333 us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailedBR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
111111111111
111122223333 us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingBR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity. MediumFailedPassed
111111111111
111122223333 us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailedBR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111111111111
111122223333 us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailedBR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111111111111
111122223333 us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailedBR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111111111111
111122223333 us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedBR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111111111111
111122223333 us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedBR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111111111111
111122223333 us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumBR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}High Failed
111111111111
111122223333 us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedBR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111111111111
111122223333 us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsBR-12Bedrock Invocation Log EncryptionS3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.1. Enable SSE-KMS with a customer-managed key on the S3 bucket +2. Update bucket policy to require encrypted uploads +3. Consider enabling S3 bucket versioning and MFA delete for log integrity Medium Failed
111111111111
111122223333 us-east-1AC-07AgentCore Memory EncryptionMemory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysBR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcement MediumFailedN/A
111111111111
111122223333 us-east-1AC-07AgentCore Memory EncryptionMemory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysBR-16Guardrail Tier Validation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading. Medium Failed
111111111111
111122223333 us-east-1AC-07AgentCore Memory EncryptionMemory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysBR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-east-1BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment. Medium Failed
111111111111
111122223333 us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredBR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion Informational N/A
111111111111
111122223333 us-east-1AC-08AgentCore VPC Endpoints MissingNo AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create VPC interface endpoints for AgentCore services: -1. com.amazonaws.region.bedrock-agentcore -2. com.amazonaws.region.bedrock-agentcore-control -3. com.amazonaws.region.bedrock-agentcore-runtime -This enables private connectivity via AWS PrivateLinkBR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principles HighN/A
111122223333us-east-1BR-22Model Invocation Throttling Limits Check11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-east-1BR-23Guardrail Content Filter Coverage Check1 guardrails have complete content filter coverage (hate, insults, sexual, violence)No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.LowPassed
111122223333us-east-1BR-24Automated Reasoning Policy Implementation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.Medium Failed
111111111111
111122223333 us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalBR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-26Guardrail Sensitive Information Filter Check1 guardrails have sensitive-information (PII) filters configuredNo action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.LowPassed
111122223333us-east-1BR-27Guardrail Contextual Grounding Check1 guardrails have contextual grounding checks enabledNo action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.LowPassed
111122223333us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHigh N/A
111111111111
111122223333 us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalBR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLow N/A
111111111111
111122223333 us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredBR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333us-east-1BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
111122223333us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumPassed
111122223333us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
111122223333GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported. Informational N/A
111111111111eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
111122223333us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
111122223333us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
111122223333us-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
111122223333us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
111122223333us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.LowPassed
111122223333us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required.MediumFailed
111122223333us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configuredConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.LowPassed
111122223333us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabledEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.LowPassed
111122223333us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
111122223333us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources found
111122223333us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
111122223333ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity No action required Informational N/A
111111111111eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found
111122223333ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging No action required Informational N/A
111111111111eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found
111122223333ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails No action required Informational N/A
111111111111eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
111122223333ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage No action required Informational N/A
111111111111eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
111122223333ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates Informational N/A
111111111111eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
111122223333ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account No action required Informational N/A
111111111111GlobalBR-01AmazonBedrockFullAccess role checkRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111111111111GlobalBR-01AmazonBedrockFullAccess role checkRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111111111111GlobalBR-01AmazonBedrockFullAccess role checkRole 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
111122223333ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys HighFailedN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
111122223333ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption HighFailedN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
111122223333ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principles HighFailedN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
111122223333ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds HighFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole '111111111111-us-east-1-kb-bedrock-service-role' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responses MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole '111111111111-us-east-1-kb-setup-function-role' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'agentcore-wildrydes_gateway_role_ab3991f6-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' last accessed Bedrock on 2025-12-21You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D' last accessed Bedrock on 2024-06-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ' last accessed Bedrock on 2025-04-27You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_072pr' last accessed Bedrock on 2024-06-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_byjin' last accessed Bedrock on 2024-11-17You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_h9718' last accessed Bedrock on 2024-11-17You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' last accessed Bedrock on 2026-01-01You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' last accessed Bedrock on 2025-12-28You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_semicon' last accessed Bedrock on 2024-09-01You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_xtwwd' last accessed Bedrock on 2025-10-13You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_y9m7f' last accessed Bedrock on 2025-04-27You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonQInvestigationRole-DefaultInvestigationGroup-8vxyjh' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonSageMaker-ExecutionRole-20231014T200029' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
111122223333ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111122223333ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
111122223333us-west-2BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fcCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: +- com.amazonaws.region.bedrock +- com.amazonaws.region.bedrock-runtime +- com.amazonaws.region.bedrock-agent +- com.amazonaws.region.bedrock-agent-runtime Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'aws-api-mcp-server-execution-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
111122223333us-west-2BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity. MediumPassed
111122223333us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}High Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on 2024-11-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-16Guardrail Tier Validation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-west-2BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSVAPTAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment MediumN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333us-west-2BR-22Model Invocation Throttling Limits Check7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-west-2BR-23Guardrail Content Filter Coverage CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.High Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'BedrockCognitoFederatedRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-24Automated Reasoning Policy Implementation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Low Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-111111111111-us-west-2' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Low Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cfn-contextualChatBot-usi-LambdaExecutionRoleForKno-aHg3J0xel6VU' last accessed Bedrock on 2024-03-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Low Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Low Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Low Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Low Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CustomerSupportStackInfra-CustomerSupportLambdaRole-ujGGiNU6KEnI' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2BR-26Guardrail Sensitive Information Filter CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.High Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-27Guardrail Contextual Grounding CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'e2ebedrockrag-KbRoleStack-2YO19O2NS6FP-KbRole-OgMxcvrnZrHZ' last accessed Bedrock on 2025-11-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'fsi-genai-workshop-bedrock-kb-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'fsi-genai-workshop-lambda-execution-role' last accessed Bedrock on 2025-12-28You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'fsi-genai-workshop-websocket-lambda-role' last accessed Bedrock on 2025-12-28You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-BDASAMPLEPROJECT-SGJRDJI15S-LambdaExecutionRole-MCRJbTEDuyKt' last accessed Bedrock on 2025-08-24You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111122223333us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111122223333us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
111122223333us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.High Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-ChatWithDocumentResolverFunctionRole-ATyH7GeR2ad1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-DOCUMENTBEDROCKKB-CY8-StartIngestionJobFunction-NjNLRuUn8qtp' last accessed Bedrock on 2025-08-24You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
111122223333us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.High Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-EvaluationFunctionRole-LQdnEMAdwWPe' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-PATTERN1STACK-TNHNKPK-ProcessResultsFunctionRol-8z8mNwa6RahP' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
111122223333us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111122223333us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Medium Failed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-PATTERN1STACK-TNHNKPK-SummarizationFunctionRole-MY6sxSMvFNr4' last accessed Bedrock on 2025-10-07You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-PATTERN1STACK-TNHNKPKJY4Q-InvokeBDAFunctionRole-pLHufEKQ0Nu4' last accessed Bedrock on 2025-10-07You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-QueryKnowledgeBaseResolverFunctionRole-p9Mcpfk0BA6z' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' last accessed Bedrock on 2024-07-30You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'LLMEvaluationPromptfoo-Aurora-Bedrock-Role' last accessed Bedrock on 2025-12-30You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'LLMEvaluationPromptfoo-LambdaExecutionRole-umo63kVrhIoy' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' last accessed Bedrock on 2025-12-30You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'Meeting-Note-Bot-Role' last accessed Bedrock on 2025-10-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'myAskMeAnything-role-kmsizqwf' last accessed Bedrock on 2024-01-04You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'resco-aiml-security-19304-BedrockSecurityAssessment-kgYUbi1MIbbb' last accessed Bedrock on 2026-04-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'SAT-PrereqTest-CodeBuildRole-SATv2Stack-PreReqs' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'threat-designer-role' last accessed Bedrock on 2025-07-02You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckUser 'BedrockAPIKey-yhc3' last accessed Bedrock on 2026-04-19You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckUser 'BedrockClientUser' last accessed Bedrock on 2025-04-06You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111us-east-1
111122223333sa-east-1 BR-02 Amazon Bedrock private connectivity check No regional Bedrock resources found to assess private connectivity Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-04 Bedrock Model Invocation Logging Check No regional Bedrock resources found to monitor with invocation logging Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-05 Bedrock Guardrails Check No regional Bedrock resources found to protect with guardrails Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-06 Bedrock CloudTrail Logging Check No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-07 Bedrock Prompt Management Check Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses. Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-08 Bedrock Agent IAM Roles Check No Bedrock agents found in the account Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-09 Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.No Knowledge Bases found in the accountNo action required Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-10 Bedrock Guardrail IAM Enforcement Check No guardrails configured - IAM enforcement check not applicable Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-11 Bedrock Custom Model Encryption Check No custom/fine-tuned models found in the account Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-12 Bedrock Invocation Log Encryption Check Model invocation logging to S3 is not configured Informational N/A
111111111111us-east-1
111122223333sa-east-1 BR-13 Bedrock Flows Guardrails Check No Bedrock Flows found in the account Informational N/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
111122223333sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys HighFailedN/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
111122223333sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption HighFailedN/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
111122223333sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principles HighFailedN/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
111122223333sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds HighFailedN/A
111111111111us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access type
111122223333sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses HighFailedN/A
111111111111us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
111122223333sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications MediumFailedN/A
111111111111us-east-1SM-03Missing Encryption ConfigurationDomain 'QuickSetupDomain-20250525T153160' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced security
111122223333sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics HighFailedN/A
111111111111us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required
111122223333sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumPassedN/A
111111111111us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
111122223333sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action required Informational N/A
111111111111us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
111122223333sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
111122223333sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
111122223333sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
111122223333sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
111122223333sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
111122223333sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
111122223333sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
111122223333sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
111122223333sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
111122223333sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
111122223333sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
111122223333sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
111122223333sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
111122223333GlobalAC-02AgentCore IAM Full Access PolicyThe following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace with least-privilege policies scoped to specific AgentCore resources and actionsHighFailed
111122223333GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleScope permissions to specific AgentCore resources using resource ARNsHighFailed
111122223333GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
111122223333GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Review and remove unused AgentCore permissions following least privilege principle Informational N/A
111111111111
111122223333GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
111122223333 us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/AAC-01AgentCore Runtime VPC ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111
111122223333 us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/AAC-01AgentCore Runtime VPC ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111
111122223333 us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/AAC-01AgentCore Runtime VPC ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111
111122223333 us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/AAC-01AgentCore Runtime VPC ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111
111122223333 us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/AAC-01AgentCore Runtime VPC ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111
111122223333 us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredAC-04AgentCore Runtime CloudWatch LogsRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshooting MediumPassedFailed
111111111111
111122223333 us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassedAC-04AgentCore Runtime X-Ray TracingRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111111111111
111122223333 us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111111111111ap-southeast-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/AAC-04AgentCore Runtime CloudWatch LogsRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111111111111ap-southeast-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111111111111ap-southeast-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111111111111ap-southeast-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111111111111ap-southeast-2
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
111122223333us-east-1AC-13AgentCore Gateway Configuration CheckFound 2 Gateway resourcesNo action requiredMediumPassed
111122223333us-east-1AC-08AgentCore VPC Endpoints MissingNo AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create VPC interface endpoints for AgentCore services: +1. com.amazonaws.region.bedrock-agentcore +2. com.amazonaws.region.bedrock-agentcore-control +3. com.amazonaws.region.bedrock-agentcore-runtime +This enables private connectivity via AWS PrivateLinkHighFailed
111122223333us-east-1AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: +1. Implement defense-in-depth access control +2. Enable cross-account access control +3. Restrict access based on source VPC or IP +4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333us-east-1AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control +2. AWS-managed keys are single-tenant and region-specific +3. Consider CMK for enhanced audit capabilities and key rotation controlLowFailed
111122223333us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) uses authorizerType CUSTOM_JWT.No action requiredHighPassed
111122223333us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.No action requiredMediumPassed
111122223333us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) uses authorizerType CUSTOM_JWT.No action requiredHighPassed
111122223333us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.No action requiredMediumPassed
111122223333us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
111122223333GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.MediumFailed
111122223333GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
111122223333us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create required VPC endpoints for AgentCore services and validate endpoint availability.HighFailed
111122223333us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.HighFailed
111122223333us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowFailed
111122223333sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
111122223333sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
111122223333sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
111122223333sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
111122223333sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
111122223333sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
111122223333sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
111122223333sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111122223333ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
111122223333us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
111122223333us-east-1SM-03Missing Encryption ConfigurationDomain 'QuickSetupDomain-20250525T153160' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
111122223333us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333us-west-2SM-01Non-VPC Only Network AccessSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
111122223333us-west-2SM-02SSO Not Properly ConfiguredSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
111122223333us-west-2SM-03Missing Encryption ConfigurationDomain 'PromptEvaluationDomain' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
111122223333us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111122223333eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111122223333eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111122223333eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
111122223333eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111122223333eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111122223333eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
111122223333eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
111122223333eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
111122223333eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
111122223333eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
111122223333eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
111122223333eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111122223333eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
111122223333sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111122223333sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
111122223333eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
111122223333eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
111122223333eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
111122223333eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
111122223333eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
111122223333eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
111122223333eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
111122223333eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111122223333eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. +2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. +3. Enable Shield Response Team (SRT) access and configure proactive engagement. +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
111122223333us-west-2FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. +2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. +3. Enable Shield Response Team (SRT) access and configure proactive engagement. +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
111122223333us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). +2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. +3. Add AWS Managed Rules for known bad inputs.MediumFailed
111122223333us-west-2FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). +2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. +3. Add AWS Managed Rules for known bad inputs.MediumFailed
111122223333us-east-1FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed
111122223333us-west-2FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed
111122223333us-east-1FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
111122223333us-west-2FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
111122223333us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. +2. Configure alert subscriptions (SNS/email) for anomalies above threshold. +3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
111122223333us-west-2FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. +2. Configure alert subscriptions (SNS/email) for anomalies above threshold. +3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
111122223333us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: +- AWS/Bedrock InvocationThrottles (threshold > 0) +- AWS/Bedrock TokensProcessed (threshold based on quota) +- Custom application-level token counters via EMFMediumFailed
111122223333us-west-2FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: +- AWS/Bedrock InvocationThrottles (threshold > 0) +- AWS/Bedrock TokensProcessed (threshold based on quota) +- Custom application-level token counters via EMFMediumFailed
111122223333us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. +2. Add SNS notifications to on-call channels. +3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
111122223333us-west-2FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. +2. Add SNS notifications to on-call channels. +3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
111122223333us-east-1FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.InformationalN/A
111122223333us-west-2FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.InformationalN/A
111122223333us-east-1FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.HighFailed
111122223333us-west-2FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.HighFailed
111122223333us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. +2. Implement maximum iteration counts in agent orchestration logic. +3. Use Step Functions with MaxConcurrency and timeout states. +4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333us-west-2FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. +2. Implement maximum iteration counts in agent orchestration logic. +3. Use Step Functions with MaxConcurrency and timeout states. +4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
111122223333us-west-2FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
111122223333us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: +- Bedrock agent invocation counts (threshold based on expected max) +- Lambda invocation errors for agent functions +- Step Functions execution failures and timeoutsMediumFailed
111122223333us-west-2FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: +- Bedrock agent invocation counts (threshold based on expected max) +- Lambda invocation errors for agent functions +- Step Functions execution failures and timeoutsMediumFailed
111122223333us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. +2. Use bedrock:ModelId condition key to allowlist approved models. +3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333us-west-2FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. +2. Use bedrock:ModelId condition key to allowlist approved models. +3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333us-east-1FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333us-west-2FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333us-east-1FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
111122223333us-west-2FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
111122223333us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. +2. Use FMEval library for automated robustness testing. +3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333us-west-2FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. +2. Use FMEval library for automated robustness testing. +3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333us-east-1FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333us-west-2FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333us-east-1FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333us-west-2FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333us-east-1FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.HighFailed
111122223333us-west-2FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.HighFailed
111122223333us-east-1FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Admin' allows '*' +- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333us-west-2FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Admin' allows '*' +- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333us-west-2FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
111122223333us-west-2FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
111122223333us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333us-west-2FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333us-east-1FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed
111122223333us-west-2FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed
111122223333us-east-1FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111122223333us-west-2FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111122223333us-east-1FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-west-2FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. +2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. +3. Document disclaimer requirements in the AI use case register. +4. Test disclaimer presence in QA/UAT before production deployment.InformationalN/A
111122223333us-west-2FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. +2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. +3. Document disclaimer requirements in the AI use case register. +4. Test disclaimer presence in QA/UAT before production deployment.InformationalN/A
111122223333us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: +- Fair lending test cases (ECOA, Fair Housing Act) +- UDAP/UDAAP unfair/deceptive practice scenarios +- AML/KYC edge casesInformationalN/A
111122223333us-west-2FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: +- Fair lending test cases (ECOA, Fair Housing Act) +- UDAP/UDAAP unfair/deceptive practice scenarios +- AML/KYC edge casesInformationalN/A
111122223333us-east-1FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago +- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. +2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. +3. Set CloudWatch alarms on sync job failures.MediumFailed
111122223333us-west-2FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago +- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. +2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. +3. Set CloudWatch alarms on sync job failures.MediumFailed
111122223333us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. +2. Include source document references in response post-processing. +3. Test citation accuracy in QA before production deployment. +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
111122223333us-west-2FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. +2. Include source document references in response post-processing. +3. Test citation accuracy in QA before production deployment. +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
111122223333us-east-1FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.MediumFailed
111122223333us-west-2FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.MediumFailed
111122223333us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). +2. Migrate active usage to current model versions. +3. Document training-data cutoff dates for all models in use. +4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
111122223333us-west-2FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). +2. Migrate active usage to current model versions. +3. Document training-data cutoff dates for all models in use. +4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
111122223333us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: +- Toxicity detection +- Hate speech classification +- Violence/self-harm contentInformationalN/A
111122223333us-west-2FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: +- Toxicity detection +- Hate speech classification +- Violence/self-harm contentInformationalN/A
111122223333us-east-1FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-west-2FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. +2. Route flagged outputs to human reviewers via SQS/SNS. +3. Log feedback to DynamoDB/S3 for model improvement. +4. Define SLAs for reviewing flagged content.InformationalN/A
111122223333us-west-2FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. +2. Route flagged outputs to human reviewers via SQS/SNS. +3. Log feedback to DynamoDB/S3 for model improvement. +4. Define SLAs for reviewing flagged content.InformationalN/A
111122223333us-east-1FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: +- Enable AWS managed profanity list +- Add custom denylist for prohibited financial terms +- Add allowlist for required regulatory languageMediumFailed
111122223333us-west-2FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: +- Enable AWS managed profanity list +- Add custom denylist for prohibited financial terms +- Add allowlist for required regulatory languageMediumFailed
111122223333us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. +2. Define protected attributes (age, gender, race proxies). +3. Set bias metric thresholds and alert on violations. +4. Document bias testing results for regulatory examination.HighFailed
111122223333us-west-2FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. +2. Define protected attributes (age, gender, race proxies). +3. Set bias metric thresholds and alert on violations. +4. Document bias testing results for regulatory examination.HighFailed
111122223333us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: +- Demographic parity test cases +- Equal opportunity scenarios +- Counterfactual fairness testsInformationalN/A
111122223333us-west-2FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: +- Demographic parity test cases +- Equal opportunity scenarios +- Counterfactual fairness testsInformationalN/A
111122223333us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. +2. Generate SHAP values for feature importance. +3. Map top features to human-readable adverse action reason codes. +4. Store explanations for regulatory examination.HighFailed
111122223333us-west-2FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. +2. Generate SHAP values for feature importance. +3. Map top features to human-readable adverse action reason codes. +4. Store explanations for regulatory examination.HighFailed
111122223333us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. +2. Document: intended use, out-of-scope uses, training data, bias evaluations. +3. Include regulatory compliance attestations. +4. Review and update cards at each model version release.MediumFailed
111122223333us-west-2FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. +2. Document: intended use, out-of-scope uses, training data, bias evaluations. +3. Include regulatory compliance attestations. +4. Review and update cards at each model version release.MediumFailed
111122223333us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. +2. Enable masking for: SSN, credit card numbers, bank account numbers, email. +3. Apply policies to Bedrock invocation log groups. +4. Test masking with synthetic PII before production deployment.HighFailed
111122223333us-west-2FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. +2. Enable masking for: SSN, credit card numbers, bank account numbers, email. +3. Apply policies to Bedrock invocation log groups. +4. Test masking with synthetic PII before production deployment.HighFailed
111122223333us-east-1FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.HighPassed
111122223333us-west-2FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.HighPassed
111122223333us-east-1FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed
111122223333us-west-2FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed
111122223333us-east-1FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
111122223333us-west-2FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
111122223333us-east-1FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111122223333us-west-2FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111122223333us-east-1FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
111122223333us-west-2FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
111122223333us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' +2. Implement post-processing to append disclaimers. +3. Test disclaimer presence in QA before production.InformationalN/A
111122223333us-west-2FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' +2. Implement post-processing to append disclaimers. +3. Test disclaimer presence in QA before production.InformationalN/A
111122223333us-east-1FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed
111122223333us-west-2FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed
111122223333us-east-1FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. +2. Set input filter strength to HIGH. +3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. +4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. +5. Implement application-level input sanitization as defense-in-depth.HighFailed
111122223333us-west-2FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. +2. Set input filter strength to HIGH. +3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. +4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. +5. Implement application-level input sanitization as defense-in-depth.HighFailed
111122223333us-east-1FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. +2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). +3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). +4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.MediumFailed
111122223333us-west-2FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. +2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). +3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). +4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.MediumFailed
111122223333us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
111122223333us-west-2FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
111122223333us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. +2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. +3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. +4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
111122223333us-west-2FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. +2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. +3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. +4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
111122223333us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. +2. Validate output schema, length, and content before downstream use. +3. Sanitize outputs before rendering in web UIs (XSS prevention). +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
111122223333us-west-2FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. +2. Validate output schema, length, and content before downstream use. +3. Sanitize outputs before rendering in web UIs (XSS prevention). +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
111122223333us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333us-west-2FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. +2. Use parameterized queries when GenAI output is used in database operations. +3. JSON-encode outputs before embedding in JavaScript contexts. +4. Validate output length and format before passing to downstream APIs.InformationalN/A
111122223333us-west-2FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. +2. Use parameterized queries when GenAI output is used in database operations. +3. JSON-encode outputs before embedding in JavaScript contexts. +4. Validate output length and format before passing to downstream APIs.InformationalN/A
111122223333us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. +2. Implement JSON schema validation on Lambda output processors. +3. Reject malformed outputs and return safe error responses. +4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
111122223333us-west-2FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. +2. Implement JSON schema validation on Lambda output processors. +3. Reject malformed outputs and return safe error responses. +4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
111122223333us-east-1FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-west-2FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. +2. Use Bedrock Guardrails relevance grounding filter. +3. Test with off-topic prompts in QA to verify rejection behavior.InformationalN/A
111122223333us-west-2FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. +2. Use Bedrock Guardrails relevance grounding filter. +3. Test with off-topic prompts in QA to verify rejection behavior.InformationalN/A
111122223333us-east-1FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-west-2FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' +2. Expose KB last sync timestamp in application responses. +3. Alert users when KB data is older than defined threshold.InformationalN/A
111122223333us-west-2FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' +2. Expose KB last sync timestamp in application responses. +3. Alert users when KB data is older than defined threshold.InformationalN/A
111122223333us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.MediumPassed
111122223333us-west-2FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.MediumPassed
111122223333us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- semiconductor-demo-9999 +- 111122223333-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. +2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. +3. Integrate alerts into your security incident response workflow.MediumFailed
111122223333us-west-2FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- semiconductor-demo-9999 +- 111122223333-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. +2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. +3. Integrate alerts into your security incident response workflow.MediumFailed
111122223333us-east-1FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: +- origami_expeditions +- neoCyan_Agent +- customer_support_agent +- cdk_agent_core +- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. +2. Propagate the end-user's identity token to downstream tool services. +3. Ensure tool services validate the propagated identity before executing actions. +4. Do not expose propagated identity tokens to unauthorized third parties.HighFailed
111122223333us-west-2FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: +- origami_expeditions +- neoCyan_Agent +- customer_support_agent +- cdk_agent_core +- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. +2. Propagate the end-user's identity token to downstream tool services. +3. Ensure tool services validate the propagated identity before executing actions. +4. Do not expose propagated identity tokens to unauthorized third parties.HighFailed
111122223333us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-111122223333-FinServAssessment +- aiml-security-aiml-security-111122223333-BedrockAssessment +- resco-aiml-BedrockAssessment +- aiml-security-aiml-security-111122223333-AgentCoreAssessment +- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk +- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII +- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
111122223333us-west-2FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-111122223333-FinServAssessment +- aiml-security-aiml-security-111122223333-BedrockAssessment +- resco-aiml-BedrockAssessment +- aiml-security-aiml-security-111122223333-AgentCoreAssessment +- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk +- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII +- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
111122223333us-east-1FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. +2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. +3. Set the max_tokens parameter in Bedrock API calls to cap output length. +4. Implement client-side token counting before submitting requests.MediumFailed
111122223333us-west-2FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. +2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. +3. Set the max_tokens parameter in Bedrock API calls to cap output length. +4. Implement client-side token counting before submitting requests.MediumFailed
111122223333us-east-1FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
111122223333us-west-2FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
111122223333eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
444455556666GlobalBR-03Marketplace Subscription Access CheckNo identities found with overly permissive marketplace subscription accessNo action requiredMediumPassed
444455556666us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
444455556666us-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported.InformationalN/A
444455556666us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666us-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredHighPassed
444455556666GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
444455556666GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
444455556666GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
444455556666us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighPassed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.MediumFailed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
444455556666us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
444455556666us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
777788889999sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. +2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. +3. Enable Shield Response Team (SRT) access and configure proactive engagement. +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
777788889999us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). +2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. +3. Add AWS Managed Rules for known bad inputs.MediumFailed
777788889999us-east-1FS-02No API Gateway Usage Plans FoundNo usage plans configured. GenAI API endpoints may have no rate limits.Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.InformationalN/A
777788889999us-east-1FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
777788889999us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. +2. Configure alert subscriptions (SNS/email) for anomalies above threshold. +3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
777788889999us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: +- AWS/Bedrock InvocationThrottles (threshold > 0) +- AWS/Bedrock TokensProcessed (threshold based on quota) +- Custom application-level token counters via EMFMediumFailed
777788889999us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. +2. Add SNS notifications to on-call channels. +3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
777788889999us-east-1FS-07Agent Action Boundaries Look AppropriateReviewed 1 agent(s); no wildcard sensitive actions found.No action required.HighPassed
777788889999us-east-1FS-08No AgentCore Runtimes FoundNo AgentCore runtimes found; policy engine check not applicable.If using AgentCore, configure the Policy Engine to authorize tool calls.InformationalN/A
777788889999us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-sec-test-resources-SageMakerJobCustomResource-ZA5QCAi0pN3d, AIMLSecurityAssessment-CodeBuildStartBuildLambda-VYOqtzWoNo3m, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, aiml-security-aiml-security-mgmt-IAMPermissionCaching, aiml-security-aiml-security-mgmt-AgentCoreAssessment, aiml-security-aiml-security-mgmt-BedrockAssessment, aiml-security-aiml-security-mgmt-ResolveRegions. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. +2. Implement maximum iteration counts in agent orchestration logic. +3. Use Step Functions with MaxConcurrency and timeout states. +4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
777788889999us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
777788889999us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: +- Bedrock agent invocation counts (threshold based on expected max) +- Lambda invocation errors for agent functions +- Step Functions execution failures and timeoutsMediumFailed
777788889999us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. +2. Use bedrock:ModelId condition key to allowlist approved models. +3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
777788889999us-east-1FS-13Models Missing Provenance Tags2 model(s) missing required provenance tags: +- SageMaker model 'SageMakerModelWithIsolation-JASFpUHjajdk' missing tags: {'version', 'approval-date', 'source'} +- SageMaker model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' missing tags: {'version', 'approval-date', 'source'}Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.MediumFailed
777788889999us-east-1FS-14Model Governance Config Rules PresentFound 13 model-related Config rule(s).No action required.MediumPassed
777788889999us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. +2. Use FMEval library for automated robustness testing. +3. Schedule periodic re-evaluation after model updates.MediumFailed
777788889999us-east-1FS-16ECR Repositories Without Image Scanning2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
777788889999us-east-1FS-20Feature Groups Without Offline Store1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.1. Enable offline store (S3-backed) for all production feature groups. +2. Enable S3 versioning on the offline store bucket. +3. Document rollback procedures for poisoned feature data.MediumFailed
777788889999us-east-1FS-21Training Data Buckets Have VersioningAll 2 training bucket(s) have versioning enabled.No action required.HighPassed
777788889999us-east-1FS-22Overly Permissive Knowledge Base IAM Roles823 role(s) with wildcard KB permissions: +- Role 'Admin' allows '*' +- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*' +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
777788889999us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
777788889999us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 1 encryption policy(ies); 1 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
777788889999us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
777788889999us-east-1FS-27COULD NOT ASSESS: Guardrail Contextual Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
777788889999us-east-1FS-28COULD NOT ASSESS: Financial Denied Topics CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. +2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. +3. Document disclaimer requirements in the AI use case register. +4. Test disclaimer presence in QA/UAT before production deployment.InformationalN/A
777788889999us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: +- Fair lending test cases (ECOA, Fair Housing Act) +- UDAP/UDAAP unfair/deceptive practice scenarios +- AML/KYC edge casesInformationalN/A
777788889999us-east-1FS-31Knowledge Base Data Sources Past Review Threshold1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. +2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. +3. Set CloudWatch alarms on sync job failures.MediumFailed
777788889999us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. +2. Include source document references in response post-processing. +3. Test citation accuracy in QA before production deployment. +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
777788889999us-east-1FS-33KB Data Source Buckets Have VersioningAll reviewed KB data source buckets have versioning enabled.No action required.MediumPassed
777788889999us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). +2. Migrate active usage to current model versions. +3. Document training-data cutoff dates for all models in use. +4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
777788889999us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: +- Toxicity detection +- Hate speech classification +- Violence/self-harm contentInformationalN/A
777788889999us-east-1FS-36COULD NOT ASSESS: Guardrail Content Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. +2. Route flagged outputs to human reviewers via SQS/SNS. +3. Log feedback to DynamoDB/S3 for model improvement. +4. Define SLAs for reviewing flagged content.InformationalN/A
777788889999us-east-1FS-38COULD NOT ASSESS: Guardrail Word Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. +2. Define protected attributes (age, gender, race proxies). +3. Set bias metric thresholds and alert on violations. +4. Document bias testing results for regulatory examination.HighFailed
777788889999us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: +- Demographic parity test cases +- Equal opportunity scenarios +- Counterfactual fairness testsInformationalN/A
777788889999us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. +2. Generate SHAP values for feature importance. +3. Map top features to human-readable adverse action reason codes. +4. Store explanations for regulatory examination.HighFailed
777788889999us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. +2. Document: intended use, out-of-scope uses, training data, bias evaluations. +3. Include regulatory compliance attestations. +4. Review and update cards at each model version release.MediumFailed
777788889999us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. +2. Enable masking for: SSN, credit card numbers, bank account numbers, email. +3. Apply policies to Bedrock invocation log groups. +4. Test masking with synthetic PII before production deployment.HighFailed
777788889999us-east-1FS-44Amazon Macie Not EnabledAmazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.1. Enable Amazon Macie in all regions where AI/ML data is stored. +2. Create Macie classification jobs for training data and KB buckets. +3. Configure Macie findings to route to Security Hub and SNS. +4. Remediate PII findings before using data for model training.HighFailed
777788889999us-east-1FS-45COULD NOT ASSESS: Guardrail PII Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-46AI/ML Buckets Without Data Classification Tags3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
777788889999us-east-1FS-47COULD NOT ASSESS: Guardrail Grounding Threshold CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-48Active Knowledge Bases for RAG PresentFound 1 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
777788889999us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' +2. Implement post-processing to append disclaimers. +3. Test disclaimer presence in QA before production.InformationalN/A
777788889999us-east-1FS-50COULD NOT ASSESS: Guardrail Relevance Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-51COULD NOT ASSESS: Prompt Injection Input Validation CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-52Bedrock Lambda Functions on Current RuntimesAll 10 Bedrock Lambda function(s) use current runtimes.No action required.MediumPassed
777788889999us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
777788889999us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. +2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. +3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. +4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
777788889999us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. +2. Validate output schema, length, and content before downstream use. +3. Sanitize outputs before rendering in web UIs (XSS prevention). +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
777788889999us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
777788889999us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. +2. Use parameterized queries when GenAI output is used in database operations. +3. JSON-encode outputs before embedding in JavaScript contexts. +4. Validate output length and format before passing to downstream APIs.InformationalN/A
777788889999us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. +2. Implement JSON schema validation on Lambda output processors. +3. Reject malformed outputs and return safe error responses. +4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
777788889999us-east-1FS-59COULD NOT ASSESS: Guardrail Topic Allowlist CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. +2. Use Bedrock Guardrails relevance grounding filter. +3. Test with off-topic prompts in QA to verify rejection behavior.InformationalN/A
777788889999us-east-1FS-61No Automated KB Sync Schedules DetectedFound 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
777788889999us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' +2. Expose KB last sync timestamp in application responses. +3. Alert users when KB data is older than defined threshold.InformationalN/A
777788889999us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 11 lifecycle-related Config rule(s) found.No action required.MediumPassed
777788889999us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. +2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. +3. Integrate alerts into your security incident response workflow.MediumFailed
777788889999us-east-1FS-66No AgentCore Runtimes FoundNo AgentCore runtimes found; identity propagation check not applicable.If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.InformationalN/A
777788889999us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-mgmt-FinServAssessment +- aiml-security-aiml-security-mgmt-AgentCoreAssessment +- aiml-security-aiml-security-mgmt-BedrockAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
777788889999us-east-1FS-68API Gateway Request Body Size Limits — Not ApplicableNo API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.InformationalN/A
777788889999us-east-1FS-69Prompt Input Validation Functions PresentFound 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
777788889999us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
777788889999eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
777788889999ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVScope permissions to specific AgentCore resources using resource ARNsHighFailed
777788889999GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
777788889999GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
777788889999us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'aiml-sec-test-agentcore-no-encryption' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
777788889999us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
777788889999GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
777788889999us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999GlobalSM-02SageMaker Full Access Policy UsedRole 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
777788889999us-east-1SM-01Direct Internet Access EnabledSageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabledConfigure the notebook instance to use VPC connectivity and disable direct internet accessHighFailed
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationNotebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing VPC EncryptionTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabledEnable encryption for inter-container traffic and VPC communicationMediumFailed
777788889999us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999us-east-1SM-05SageMaker Model Registry IssueModel group 'aiml-sec-test-model-package-group' has minimal versioningImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentLowFailed
777788889999us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999us-east-1SM-08Model Registry Empty Model GroupModel group aiml-sec-test-model-package-group has no registered modelsImplement proper model versioning and approval workflowsLowFailed
777788889999us-east-1SM-09SageMaker Notebook Root Access EnabledNotebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.HighFailed
777788889999us-east-1SM-10SageMaker Notebook Not in VPCNotebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.HighFailed
777788889999us-east-1SM-11SageMaker Model Network Isolation DisabledModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.HighFailed
777788889999us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999us-east-1SM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
777788889999us-east-1SM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
777788889999us-east-1SM-15SageMaker Feature Store Offline Encryption MissingFeature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.MediumFailed
777788889999us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999us-east-1SM-17SageMaker Processing Job Encryption CheckAll 1 processing jobs have volume encryption configuredNo action requiredMediumPassed
777788889999us-east-1SM-18SageMaker Transform Job Encryption CheckAll 1 transform jobs have volume encryption configuredNo action requiredMediumPassed
777788889999us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-22Model Approval Workflow CheckChecked 1 model package groups. Approval workflows appear to be properly configured.No action requiredMediumPassed
777788889999us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999GlobalBR-01AmazonBedrockFullAccess role checkRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999us-east-1BR-02Amazon Bedrock private connectivityBedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtimeNo action requiredHighPassed
777788889999us-east-1BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.MediumFailed
777788889999us-east-1BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
777788889999us-east-1BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
777788889999us-east-1BR-07Bedrock Prompt Management CheckPrompt Management is being used with 1 promptsNo action required. Continue using Prompt Management for consistent and optimized prompts.LowPassed
777788889999us-east-1BR-08Bedrock Agent IAM Roles CheckError during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.Investigate error and retry assessmentHighFailed
777788889999us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
777788889999us-east-1BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-RoleAdd IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
777788889999us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
777788889999us-east-1BR-16Guardrail Tier Validation CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-east-1BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
777788889999us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
777788889999us-east-1BR-22Model Invocation Throttling Limits Check9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
777788889999us-east-1BR-23Guardrail Content Filter Coverage CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
777788889999us-east-1BR-26Guardrail Sensitive Information Filter CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-27Guardrail Contextual Grounding CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-28Agent Guardrail Association Check1 agents have an associated guardrailNo action required. Continue associating guardrails with new agents.LowPassed
777788889999us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-east-1BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
777788889999us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumFailed
777788889999us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
777788889999GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported.InformationalN/A
777788889999us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
777788889999us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
777788889999us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrailAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.LowPassed
777788889999us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
777788889999us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
777788889999us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
+ +
+
Risk Distribution
+

Pass Rate by Severity

+
+
HIGH
12.8%
28 of 219 checks passed
+
MEDIUM
29.3%
82 of 280 checks passed
+
LOW
30.3%
30 of 99 checks passed
+
Overall
23.4%
140 of 598 actionable checks
+
+

Risk by Account

+
111122223333
193
78 High · 95 Med · 20 Low
444455556666
3
0 High · 3 Med · 0 Low
777788889999
64
28 High · 31 Med · 5 Low
+

Risk by Region

+
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
157
52 High · 90 Med · 15 Low
us-west-2
64
22 High · 32 Med · 10 Low
+

Findings by Assessment Area

+
+
Bedrock
461
50 Failed · 18 Passed
+
SageMaker
423
34 Failed · 61 Passed
+
AgentCore
182
39 Failed · 3 Passed
+
Agentic AI Security
388
47 Failed · 18 Passed
+
Financial Services Risk
210
90 Failed · 40 Passed
+
+
+
+
Amazon Bedrock Findings
+
+
+
+
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2589,9 +22249,9 @@

Security Assessment Overview

- - - + + + @@ -2600,20 +22260,20 @@

Security Assessment Overview

- - - + + + - - + + - - - + + + @@ -2622,9 +22282,9 @@

Security Assessment Overview

- - - + + + @@ -2633,9 +22293,9 @@

Security Assessment Overview

- - - + + + @@ -2644,9 +22304,9 @@

Security Assessment Overview

- - - + + + @@ -2655,9 +22315,196 @@

Security Assessment Overview

- - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2666,9 +22513,9 @@

Security Assessment Overview

- - - + + + @@ -2677,9 +22524,9 @@

Security Assessment Overview

- - - + + + @@ -2688,9 +22535,9 @@

Security Assessment Overview

- - - + + + @@ -2699,9 +22546,9 @@

Security Assessment Overview

- - - + + + @@ -2714,9 +22561,9 @@

Security Assessment Overview

- - - + + + @@ -2725,20 +22572,20 @@

Security Assessment Overview

- - - + + + - - + + - - - + + + @@ -2747,9 +22594,9 @@

Security Assessment Overview

- - - + + + @@ -2758,9 +22605,9 @@

Security Assessment Overview

- - - + + + @@ -2769,9 +22616,9 @@

Security Assessment Overview

- - - + + + @@ -2780,1402 +22627,1795 @@

Security Assessment Overview

- - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - + + + - + - - + + - - - - - + + + + + - - - - - - - - - - - - - + + - - - + + + - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - + - - + + - - - - - + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - + - - + + - - - - - - + + + + + + - - + + - - - - - + + + + + - + - - + + - - - - - + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333GlobalBR-01AmazonBedrockFullAccess role checkRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333GlobalBR-01AmazonBedrockFullAccess role checkRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333GlobalBR-01AmazonBedrockFullAccess role checkRole 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333us-east-1BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7feCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: +- com.amazonaws.region.bedrock +- com.amazonaws.region.bedrock-runtime +- com.amazonaws.region.bedrock-agent +- com.amazonaws.region.bedrock-agent-runtimeMediumFailed
111122223333us-east-1BR-04Bedrock Model Invocation Logging CheckModel invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsNo action requiredMediumPassed
111122223333us-east-1BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
111122223333us-east-1BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
111122223333us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-east-1BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
111122223333us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333us-east-1BR-12Bedrock Invocation Log EncryptionS3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.1. Enable SSE-KMS with a customer-managed key on the S3 bucket +2. Update bucket policy to require encrypted uploads +3. Consider enabling S3 bucket versioning and MFA delete for log integrityMediumFailed
111122223333us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
111122223333us-east-1BR-16Guardrail Tier Validation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.MediumFailed
111122223333us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-east-1BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
111122223333us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333us-east-1BR-22Model Invocation Throttling Limits Check11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-east-1BR-23Guardrail Content Filter Coverage Check1 guardrails have complete content filter coverage (hate, insults, sexual, violence)No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.LowPassed
111122223333us-east-1BR-24Automated Reasoning Policy Implementation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.MediumFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-26Guardrail Sensitive Information Filter Check1 guardrails have sensitive-information (PII) filters configuredNo action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.LowPassed
111122223333us-east-1BR-27Guardrail Contextual Grounding Check1 guardrails have contextual grounding checks enabledNo action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.LowPassed
111122223333us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333us-east-1BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
111122223333ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111122223333us-west-2BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fcCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: +- com.amazonaws.region.bedrock +- com.amazonaws.region.bedrock-runtime +- com.amazonaws.region.bedrock-agent +- com.amazonaws.region.bedrock-agent-runtimeMediumFailed
111122223333us-west-2BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.MediumFailed
111122223333us-west-2BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
111122223333us-west-2BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
111122223333us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
111122223333us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-16Guardrail Tier Validation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.MediumFailed
111122223333us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-west-2BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
111122223333us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333us-west-2BR-22Model Invocation Throttling Limits Check7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-west-2BR-23Guardrail Content Filter Coverage CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.HighFailed
111122223333us-west-2BR-24Automated Reasoning Policy Implementation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.MediumFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-26Guardrail Sensitive Information Filter CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.HighFailed
111122223333us-west-2BR-27Guardrail Contextual Grounding CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.MediumFailed
111122223333us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333us-west-2BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
111122223333sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111122223333eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
111122223333eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
444455556666GlobalBR-03Marketplace Subscription Access CheckNo identities found with overly permissive marketplace subscription accessNo action requiredMediumPassed
444455556666us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
444455556666us-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
444455556666eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666sa-east-1 BR-07 Bedrock Prompt Management Check Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses. Informational N/A
111111111111ap-southeast-2
444455556666sa-east-1 BR-08 Bedrock Agent IAM Roles Check No Bedrock agents found in the account Informational N/A
111111111111ap-southeast-2
444455556666sa-east-1 BR-09 Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.No Knowledge Bases found in the accountNo action required Informational N/A
111111111111ap-southeast-2
444455556666sa-east-1 BR-10 Bedrock Guardrail IAM Enforcement Check No guardrails configured - IAM enforcement check not applicable Informational N/A
111111111111ap-southeast-2
444455556666sa-east-1 BR-11 Bedrock Custom Model Encryption Check No custom/fine-tuned models found in the account Informational N/A
111111111111ap-southeast-2
444455556666sa-east-1 BR-12 Bedrock Invocation Log Encryption Check Model invocation logging to S3 is not configured Informational N/A
111111111111ap-southeast-2
444455556666sa-east-1 BR-13 Bedrock Flows Guardrails Check No Bedrock Flows found in the account Informational N/A
111111111111eu-west-1
444455556666sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666us-west-2 BR-02 Amazon Bedrock private connectivity check No regional Bedrock resources found to assess private connectivity Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-04 Bedrock Model Invocation Logging Check No regional Bedrock resources found to monitor with invocation logging Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-05 Bedrock Guardrails Check No regional Bedrock resources found to protect with guardrails Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-06 Bedrock CloudTrail Logging Check No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-07 Bedrock Prompt Management Check Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses. Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-08 Bedrock Agent IAM Roles Check No Bedrock agents found in the account Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-09 Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.No Knowledge Bases found in the accountNo action required Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-10 Bedrock Guardrail IAM Enforcement Check No guardrails configured - IAM enforcement check not applicable Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-11 Bedrock Custom Model Encryption Check No custom/fine-tuned models found in the account Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-12 Bedrock Invocation Log Encryption Check Model invocation logging to S3 is not configured Informational N/A
111111111111eu-west-1
444455556666us-west-2 BR-13 Bedrock Flows Guardrails Check No Bedrock Flows found in the account Informational N/A
111111111111eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check
444455556666us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
111111111111eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configured
444455556666us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotas No action requiredInformationalN/A
444455556666us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responses MediumPassedN/A
444455556666us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
777788889999sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111111111111eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protection
777788889999sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
111111111111eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required
777788889999sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment MediumPassedN/A
111111111111eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformational
777788889999sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHigh N/A
111111111111eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformational
777788889999sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHigh N/A
111111111111eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
777788889999sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action required Informational N/A
111111111111eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformational
777788889999sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
111111111111eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformational
777788889999sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMedium N/A
111111111111eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformational
777788889999sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
111111111111eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformational
777788889999sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHigh N/A
111111111111eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformational
777788889999sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMedium N/A
111111111111eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformational
777788889999sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHigh N/A
111111111111eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
777788889999sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarms No action required Informational N/A
111111111111
777788889999 eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundBR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity No action required Informational N/A
111111111111
777788889999 eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessBR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging No action required Informational N/A
111111111111
777788889999 eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundBR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails No action required Informational N/A
111111111111
777788889999 eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundBR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage No action required Informational N/A
111111111111
777788889999 eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredBR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates Informational N/A
111111111111
777788889999 eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundBR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account No action required Informational N/A
111111111111
777788889999 eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundBR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the account No action required Informational N/A
111111111111
777788889999 eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredBR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies Informational N/A
111111111111
777788889999 eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundBR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account No action required Informational N/A
111111111111
777788889999 eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption Informational N/A
111111111111eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111111111111
777788889999 eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account No action requiredLowPassed
111111111111eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
111111111111us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
111111111111us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.MediumFailed
111111111111us-east-1FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
777788889999eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protection MediumFailedN/A
111111111111us-east-1FS-03Bedrock Token Quotas At DefaultAll 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.1. Review current Bedrock TPM/TPD quotas in the Service Quotas console. -2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review. -3. Implement client-side token counting and pre-flight quota checks. -4. Use Bedrock cross-region inference profiles to distribute load.Medium
777788889999eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
777788889999eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111111111111us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMF
777788889999eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment MediumFailedN/A
111111111111us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
777788889999eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111111111111us-east-1FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.
777788889999eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action required Informational N/A
111111111111us-east-1FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
777788889999eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds HighFailedN/A
111111111111us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111111111111-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111111111111-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111111111111-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111111111111-CleanupBucket, aiml-security-aiml-security-111111111111-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.
777788889999eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responses MediumFailedN/A
111111111111us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.Informational
777788889999eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
111111111111us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeouts
777788889999eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications MediumFailedN/A
111111111111us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.
777788889999eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics HighFailedN/A
111111111111us-east-1FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
777788889999eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111111111111us-east-1FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
777788889999eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111111111111us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.
777788889999eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumFailedN/A
111111111111us-east-1FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111111111111-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
777788889999eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111111111111us-east-1FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.
777788889999ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action required Informational N/A
111111111111us-east-1FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111111111111-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111111111111-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111111111111-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.HighFailed
777788889999ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111111111111us-east-1FS-22Overly Permissive Knowledge Base IAM Roles722 role(s) with wildcard KB permissions: -- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Admin' allows '*' -- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocations' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
777788889999ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
777788889999ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111111111111us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.
777788889999ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action required Informational N/A
111111111111us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
777788889999ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111111111111us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
777788889999ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys HighFailedN/A
111111111111us-east-1FS-27No Guardrails — Contextual Grounding Not ApplicableNo Bedrock Guardrails configured. Configure guardrails first (see BR-05).Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).
777788889999ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action required Informational N/A
111111111111us-east-1FS-27Automated Reasoning Policies — Access CheckAccess denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml. -2. Check for an Organizations SCP / permission boundary denying the action. -3. Confirm the assessed region supports Automated Reasoning checks. -4. Re-run the assessment after re-deploying.Low
777788889999ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMedium N/A
111111111111us-east-1FS-28No Guardrails — Denied Topics Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with denied topics for regulated financial content.Informational
777788889999ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHigh N/A
111111111111us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.Informational
777788889999ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHigh N/A
111111111111us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge cases
777788889999ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action required Informational N/A
111111111111us-east-1FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 702 days ago -- KB '111111111111-us-east-1-kb' source '111111111111-us-east-1-kb-datasource' last synced 180 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.
777788889999ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responses MediumFailedN/A
111111111111us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.Informational
777788889999ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
111111111111us-east-1FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111111111111-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
777788889999ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications MediumFailedN/A
111111111111us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.Informational
777788889999ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHigh N/A
111111111111us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm contentInformational
777788889999ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLow N/A
111111111111us-east-1FS-36No Guardrails — Content Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with content filters.Informational
777788889999ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.Low N/A
111111111111us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.Informational
777788889999ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMedium N/A
111111111111us-east-1FS-38No Guardrails — Word Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with word filters.
777788889999ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action required Informational N/A
111111111111us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.
777788889999GlobalBR-01AmazonBedrockFullAccess role checkRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required access High Failed
111111111111us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness testsInformationalN/A
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. High Failed
111111111111us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.Medium
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High Failed
111111111111
777788889999 us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.BR-02Amazon Bedrock private connectivityBedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtimeNo action required HighPassed
777788889999us-east-1BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.Medium Failed
111111111111
777788889999 us-east-1FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed. High Passed
111111111111
777788889999 us-east-1FS-45No Guardrails — PII Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with PII/sensitive information filters.InformationalN/ABR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
111111111111
777788889999 us-east-1FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111111111111-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111111111111-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111111111111.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumBR-07Bedrock Prompt Management CheckPrompt Management is being used with 1 promptsNo action required. Continue using Prompt Management for consistent and optimized prompts.LowPassed
777788889999us-east-1BR-08Bedrock Agent IAM Roles CheckError during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.Investigate error and retry assessmentHigh Failed
111111111111
777788889999 us-east-1FS-47No Guardrails — Grounding Threshold Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with contextual grounding checks.BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion Informational N/A
111111111111
777788889999 us-east-1FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassedBR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-RoleAdd IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
111111111111
777788889999 us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action required Informational N/A
111111111111
777788889999 us-east-1FS-50No Guardrails With Relevance Grounding FiltersNo guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.MediumFailedBR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111111111111
777788889999 us-east-1FS-51No Guardrails — Prompt Attack Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with prompt attack filters.BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action required Informational N/A
111111111111us-east-1FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. -2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). -3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). -4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
777788889999GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcement MediumFailedN/A
111111111111
777788889999 us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).BR-16Guardrail Tier Validation CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists. Informational N/A
111111111111
777788889999 us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalBR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111
777788889999 us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment. Medium Failed
111111111111
777788889999 us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalBR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMedium N/A
111111111111
777788889999 us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion Informational N/A
111111111111
777788889999 us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.BR-22Model Invocation Throttling Limits Check9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
777788889999us-east-1BR-23Guardrail Content Filter Coverage CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists. Informational N/A
111111111111
777788889999 us-east-1FS-59No Guardrails — Topic Allowlist Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with topic policies to restrict off-topic responses.BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
777788889999us-east-1BR-26Guardrail Sensitive Information Filter CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists. Informational N/A
111111111111
777788889999 us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.BR-27Guardrail Contextual Grounding CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists. Informational N/A
111111111111
777788889999 us-east-1FS-61COULD NOT ASSESS: Knowledge Base Sync Schedule CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-FinServSecurityAssessment-G8d5dEiMJsZB/aiml-security-aiml-security-111111111111-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:111111111111:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.BR-28Agent Guardrail Association Check1 agents have an associated guardrailNo action required. Continue associating guardrails with new agents. LowN/APassed
111111111111
777788889999 us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.InformationalBR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111
777788889999 us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumPassedN/A
111111111111
777788889999 us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- semiconductor-demo-9999 -- 111111111111-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification. Medium Failed
111111111111us-east-1FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: -- origami_expeditions -- neoCyan_Agent -- customer_support_agent -- cdk_agent_core -- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. -2. Propagate the end-user's identity token to downstream tool services. -3. Ensure tool services validate the propagated identity before executing actions. -4. Do not expose propagated identity tokens to unauthorized third parties.HighFailed
777788889999us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111111111111us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-111111111111-FinServAssessment -- aiml-security-aiml-security-111111111111-BedrockAssessment -- resco-aiml-BedrockAssessment -- aiml-security-aiml-security-111111111111-AgentCoreAssessment -- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk -- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII -- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
777788889999us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111111111111us-east-1FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. -2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. -3. Set the max_tokens parameter in Bedrock API calls to cap output length. -4. Implement client-side token counting before submitting requests.MediumFailed
777788889999us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111111111111us-east-1FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111111111111-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
777788889999us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111111111111eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
777788889999us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates Informational N/A
111111111111ap-southeast-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
777788889999us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action required Informational N/A
333333333333ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources found
777788889999us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the account No action required Informational N/A
333333333333ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
777788889999us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies Informational N/A
333333333333ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources found
777788889999us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account No action required Informational N/A
333333333333ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
777788889999us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption Informational N/A
333333333333ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources found
777788889999us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account No action required Informational N/A
333333333333ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformational
777788889999us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMedium N/A
333333333333ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformational
777788889999us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
333333333333ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
777788889999us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
333333333333ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformational
777788889999us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMedium N/A
333333333333ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformational
777788889999us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHigh N/A
333333333333eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformational
777788889999us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHigh N/A
333333333333eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources found
777788889999us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotas No action required Informational N/A
333333333333eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformational
777788889999us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
333333333333eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformational
777788889999us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMedium N/A
333333333333eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformational
777788889999us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
333333333333eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformational
777788889999us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHigh N/A
333333333333eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformational
777788889999us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMedium N/A
333333333333eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformational
777788889999us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHigh N/A
333333333333eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformational
777788889999us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLow N/A
333333333333eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarms No action required Informational N/A
333333333333eu-west-1
+
+
+
Amazon SageMaker Findings
+
+
+
+
+
+
+ +
+
+ + @@ -4184,9 +24424,9 @@

Security Assessment Overview

- - - + + + @@ -4195,9 +24435,9 @@

Security Assessment Overview

- - - + + + @@ -4206,9 +24446,9 @@

Security Assessment Overview

- - - + + + @@ -4217,9 +24457,9 @@

Security Assessment Overview

- - - + + + @@ -4228,9 +24468,9 @@

Security Assessment Overview

- - - + + + @@ -4239,9 +24479,9 @@

Security Assessment Overview

- - - + + + @@ -4250,9 +24490,9 @@

Security Assessment Overview

- - - + + + @@ -4261,9 +24501,9 @@

Security Assessment Overview

- - - + + + @@ -4272,9 +24512,9 @@

Security Assessment Overview

- - - + + + @@ -4283,9 +24523,9 @@

Security Assessment Overview

- - - + + + @@ -4294,9 +24534,9 @@

Security Assessment Overview

- - - + + + @@ -4305,9 +24545,9 @@

Security Assessment Overview

- - - + + + @@ -4316,9 +24556,9 @@

Security Assessment Overview

- - - + + + @@ -4327,9 +24567,9 @@

Security Assessment Overview

- - - + + + @@ -4338,9 +24578,9 @@

Security Assessment Overview

- - - + + + @@ -4349,9 +24589,9 @@

Security Assessment Overview

- - - + + + @@ -4360,9 +24600,9 @@

Security Assessment Overview

- - - + + + @@ -4371,9 +24611,9 @@

Security Assessment Overview

- - - + + + @@ -4382,9 +24622,9 @@

Security Assessment Overview

- - - + + + @@ -4393,9 +24633,9 @@

Security Assessment Overview

- - - + + + @@ -4404,9 +24644,9 @@

Security Assessment Overview

- - - + + + @@ -4415,9 +24655,9 @@

Security Assessment Overview

- - - + + + @@ -4426,9 +24666,9 @@

Security Assessment Overview

- - - + + + @@ -4437,9 +24677,9 @@

Security Assessment Overview

- - - + + + @@ -4448,74 +24688,140 @@

Security Assessment Overview

- - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - + + - - - + + + - + - - + + - - - + + + - - + + - - + + - - - + + + - + - - + + - - - - - - + + + + + + - - + + @@ -4525,8 +24831,8 @@

Security Assessment Overview

- - + + @@ -4536,8 +24842,8 @@

Security Assessment Overview

- - + + @@ -4547,8 +24853,8 @@

Security Assessment Overview

- - + + @@ -4558,8 +24864,8 @@

Security Assessment Overview

- - + + @@ -4569,8 +24875,8 @@

Security Assessment Overview

- - + + @@ -4580,8 +24886,8 @@

Security Assessment Overview

- - + + @@ -4591,8 +24897,8 @@

Security Assessment Overview

- - + + @@ -4602,8 +24908,8 @@

Security Assessment Overview

- - + + @@ -4613,8 +24919,8 @@

Security Assessment Overview

- - + + @@ -4624,8 +24930,8 @@

Security Assessment Overview

- - + + @@ -4635,8 +24941,8 @@

Security Assessment Overview

- - + + @@ -4646,8 +24952,8 @@

Security Assessment Overview

- - + + @@ -4657,8 +24963,8 @@

Security Assessment Overview

- - + + @@ -4668,8 +24974,8 @@

Security Assessment Overview

- - + + @@ -4679,8 +24985,8 @@

Security Assessment Overview

- - + + @@ -4690,8 +24996,8 @@

Security Assessment Overview

- - + + @@ -4701,8 +25007,8 @@

Security Assessment Overview

- - + + @@ -4712,8 +25018,8 @@

Security Assessment Overview

- - + + @@ -4723,8 +25029,8 @@

Security Assessment Overview

- - + + @@ -4734,8 +25040,8 @@

Security Assessment Overview

- - + + @@ -4745,8 +25051,8 @@

Security Assessment Overview

- - + + @@ -4756,8 +25062,8 @@

Security Assessment Overview

- - + + @@ -4767,8 +25073,8 @@

Security Assessment Overview

- - + + @@ -4778,42 +25084,42 @@

Security Assessment Overview

- - - + + + - - - + + + - - + + - - - + + + - - - + + + - + - - - + + + - - - - - - + + + + + + - - - + + + @@ -4822,9 +25128,9 @@

Security Assessment Overview

- - - + + + @@ -4833,9 +25139,9 @@

Security Assessment Overview

- - - + + + @@ -4844,9 +25150,9 @@

Security Assessment Overview

- - - + + + @@ -4855,9 +25161,9 @@

Security Assessment Overview

- - - + + + @@ -4866,9 +25172,9 @@

Security Assessment Overview

- - - + + + @@ -4877,9 +25183,9 @@

Security Assessment Overview

- - - + + + @@ -4888,9 +25194,9 @@

Security Assessment Overview

- - - + + + @@ -4899,9 +25205,9 @@

Security Assessment Overview

- - - + + + @@ -4910,9 +25216,9 @@

Security Assessment Overview

- - - + + + @@ -4921,9 +25227,9 @@

Security Assessment Overview

- - - + + + @@ -4932,9 +25238,9 @@

Security Assessment Overview

- - - + + + @@ -4943,9 +25249,9 @@

Security Assessment Overview

- - - + + + @@ -4954,9 +25260,9 @@

Security Assessment Overview

- - - + + + @@ -4965,9 +25271,9 @@

Security Assessment Overview

- - - + + + @@ -4976,9 +25282,9 @@

Security Assessment Overview

- - - + + + @@ -4987,9 +25293,9 @@

Security Assessment Overview

- - - + + + @@ -4998,9 +25304,9 @@

Security Assessment Overview

- - - + + + @@ -5009,9 +25315,9 @@

Security Assessment Overview

- - - + + + @@ -5020,9 +25326,9 @@

Security Assessment Overview

- - - + + + @@ -5031,9 +25337,9 @@

Security Assessment Overview

- - - + + + @@ -5042,9 +25348,9 @@

Security Assessment Overview

- - - + + + @@ -5053,9 +25359,9 @@

Security Assessment Overview

- - - + + + @@ -5064,9 +25370,9 @@

Security Assessment Overview

- - - + + + @@ -5075,1741 +25381,1505 @@

Security Assessment Overview

- - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - - - + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - + + + + + + + + + + + + - - - + + + @@ -6818,9 +26888,9 @@

Security Assessment Overview

- - - + + + @@ -6829,9 +26899,9 @@

Security Assessment Overview

- - - + + + @@ -6840,9 +26910,9 @@

Security Assessment Overview

- - - + + + @@ -6851,9 +26921,9 @@

Security Assessment Overview

- - - + + + @@ -6862,9 +26932,9 @@

Security Assessment Overview

- - - + + + @@ -6873,9 +26943,9 @@

Security Assessment Overview

- - - + + + @@ -6884,9 +26954,9 @@

Security Assessment Overview

- - - + + + @@ -6895,9 +26965,9 @@

Security Assessment Overview

- - - + + + @@ -6906,9 +26976,9 @@

Security Assessment Overview

- - - + + + @@ -6917,9 +26987,9 @@

Security Assessment Overview

- - - + + + @@ -6928,9 +26998,9 @@

Security Assessment Overview

- - - + + + @@ -6939,9 +27009,9 @@

Security Assessment Overview

- - - + + + @@ -6950,9 +27020,9 @@

Security Assessment Overview

- - - + + + @@ -6961,9 +27031,9 @@

Security Assessment Overview

- - - + + + @@ -6972,9 +27042,9 @@

Security Assessment Overview

- - - + + + @@ -6983,9 +27053,9 @@

Security Assessment Overview

- - - + + + @@ -6994,9 +27064,9 @@

Security Assessment Overview

- - - + + + @@ -7005,9 +27075,9 @@

Security Assessment Overview

- - - + + + @@ -7016,9 +27086,9 @@

Security Assessment Overview

- - - + + + @@ -7027,9 +27097,9 @@

Security Assessment Overview

- - - + + + @@ -7038,9 +27108,9 @@

Security Assessment Overview

- - - + + + @@ -7049,9 +27119,9 @@

Security Assessment Overview

- - - + + + @@ -7060,9 +27130,9 @@

Security Assessment Overview

- - - + + + @@ -7071,9 +27141,9 @@

Security Assessment Overview

- - - + + + @@ -7082,9 +27152,9 @@

Security Assessment Overview

- - - + + + @@ -7093,9 +27163,9 @@

Security Assessment Overview

- - - + + + @@ -7104,20 +27174,9 @@

Security Assessment Overview

- - - - - - - - - - - - - - + + + @@ -7126,9 +27185,9 @@

Security Assessment Overview

- - - + + + @@ -7137,9 +27196,9 @@

Security Assessment Overview

- - - + + + @@ -7148,9 +27207,9 @@

Security Assessment Overview

- - - + + + @@ -7159,9 +27218,9 @@

Security Assessment Overview

- - - + + + @@ -7170,9 +27229,9 @@

Security Assessment Overview

- - - + + + @@ -7181,9 +27240,9 @@

Security Assessment Overview

- - - + + + @@ -7192,9 +27251,9 @@

Security Assessment Overview

- - - + + + @@ -7203,9 +27262,9 @@

Security Assessment Overview

- - - + + + @@ -7214,9 +27273,9 @@

Security Assessment Overview

- - - + + + @@ -7225,9 +27284,9 @@

Security Assessment Overview

- - - + + + @@ -7236,9 +27295,9 @@

Security Assessment Overview

- - - + + + @@ -7247,9 +27306,9 @@

Security Assessment Overview

- - - + + + @@ -7258,9 +27317,9 @@

Security Assessment Overview

- - - + + + @@ -7269,9 +27328,9 @@

Security Assessment Overview

- - - + + + @@ -7280,9 +27339,9 @@

Security Assessment Overview

- - - + + + @@ -7291,9 +27350,9 @@

Security Assessment Overview

- - - + + + @@ -7302,9 +27361,9 @@

Security Assessment Overview

- - - + + + @@ -7313,9 +27372,9 @@

Security Assessment Overview

- - - + + + @@ -7324,9 +27383,9 @@

Security Assessment Overview

- - - + + + @@ -7335,9 +27394,9 @@

Security Assessment Overview

- - - + + + @@ -7346,9 +27405,9 @@

Security Assessment Overview

- - - + + + @@ -7357,9 +27416,9 @@

Security Assessment Overview

- - - + + + @@ -7368,9 +27427,9 @@

Security Assessment Overview

- - - + + + @@ -7379,9 +27438,9 @@

Security Assessment Overview

- - - + + + @@ -7390,9 +27449,9 @@

Security Assessment Overview

- - - + + + @@ -7401,9 +27460,9 @@

Security Assessment Overview

- - - + + + @@ -7412,167 +27471,9 @@

Security Assessment Overview

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -7581,9 +27482,9 @@

Security Assessment Overview

- - - + + + @@ -7592,9 +27493,9 @@

Security Assessment Overview

- - - + + + @@ -7603,9 +27504,9 @@

Security Assessment Overview

- - - + + + @@ -7614,9 +27515,9 @@

Security Assessment Overview

- - - + + + @@ -7625,9 +27526,9 @@

Security Assessment Overview

- - - + + + @@ -7636,9 +27537,9 @@

Security Assessment Overview

- - - + + + @@ -7647,9 +27548,9 @@

Security Assessment Overview

- - - + + + @@ -7658,9 +27559,9 @@

Security Assessment Overview

- - - + + + @@ -7669,9 +27570,9 @@

Security Assessment Overview

- - - + + + @@ -7680,9 +27581,9 @@

Security Assessment Overview

- - - + + + @@ -7691,9 +27592,9 @@

Security Assessment Overview

- - - + + + @@ -7702,9 +27603,9 @@

Security Assessment Overview

- - - + + + @@ -7713,9 +27614,9 @@

Security Assessment Overview

- - - + + + @@ -7724,9 +27625,9 @@

Security Assessment Overview

- - - + + + @@ -7735,9 +27636,9 @@

Security Assessment Overview

- - - + + + @@ -7746,9 +27647,9 @@

Security Assessment Overview

- - - + + + @@ -7757,9 +27658,9 @@

Security Assessment Overview

- - - + + + @@ -7768,9 +27669,9 @@

Security Assessment Overview

- - - + + + @@ -7779,9 +27680,9 @@

Security Assessment Overview

- - - + + + @@ -7790,9 +27691,9 @@

Security Assessment Overview

- - - + + + @@ -7801,9 +27702,9 @@

Security Assessment Overview

- - - + + + @@ -7812,9 +27713,9 @@

Security Assessment Overview

- - - + + + @@ -7823,9 +27724,9 @@

Security Assessment Overview

- - - + + + @@ -7834,9 +27735,9 @@

Security Assessment Overview

- - - + + + @@ -7845,9 +27746,9 @@

Security Assessment Overview

- - - + + + @@ -7856,7201 +27757,7615 @@

Security Assessment Overview

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - + + - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - + + + - - - - - - - - - - - - - - + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - - - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - + + + - + - - + + - - - + + + - - - + + + - - + + - - - + + + - - - + + + - - + + - - - - - - - - - - - - - - + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - + - - + + - - - + + + - - - + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - + + + - + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1 SM-01 SageMaker Internet Access Check No SageMaker notebook instances or domains found to check Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-02 SageMaker SSO Configuration Check No SageMaker domains found, or all domains use SSO with IAM Identity Center configured Medium Passed
333333333333eu-west-1
111122223333ap-south-1 SM-03 Data Protection Check No SageMaker resources found to check for data protection Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-04 GuardDuty Enabled Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. Medium Passed
333333333333eu-west-1
111122223333ap-south-1 SM-05 SageMaker Model Registry Issue No model package groups found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-05 SageMaker Feature Store Issue No feature groups found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-05 SageMaker Pipelines Issue No ML pipelines found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-06 SageMaker Clarify No Clarify Usage No SageMaker Clarify jobs found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-07 SageMaker Model Monitor No Model Monitoring No Model Monitor schedules found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-08 Model Registry Registry Not Used Model Registry is not being utilized Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-09 SageMaker Notebook Root Access Check No notebook instances found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-10 SageMaker Notebook VPC Deployment Check No notebook instances found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-11 SageMaker Model Network Isolation Check No models found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-12 SageMaker Endpoint Instance Count Check No InService endpoints found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-13 SageMaker Monitoring Network Isolation Check No monitoring schedules found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-14 SageMaker Model Repository Access Check No models found or all use default Platform access Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-15 SageMaker Feature Store Encryption Check No feature groups with offline stores found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-16 SageMaker Data Quality Job Encryption Check No data quality job definitions found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-17 SageMaker Processing Job Encryption Check No processing jobs found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-18 SageMaker Transform Job Encryption Check No transform jobs found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-19 SageMaker Hyperparameter Tuning Job Encryption Check No hyperparameter tuning jobs found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-20 SageMaker Compilation Job Encryption Check No compilation jobs found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-21 SageMaker AutoML Job Network Isolation Check No AutoML jobs found Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-22 Model Approval Workflow Check No model package groups found. Model Registry is not being used for model governance. Informational N/A
333333333333eu-west-1
111122223333ap-south-1 SM-23 Model Drift Detection Check No InService endpoints found to monitor. Medium Passed
333333333333eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
333333333333eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
333333333333
111122223333 Global SM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredSageMaker Full Access Policy UsedRole 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege HighPassedFailed
333333333333
111122223333 us-east-1 SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredNon-VPC Only Network AccessSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access type InformationalN/AHighFailed
333333333333
111122223333 us-east-1 SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredSSO Not Properly ConfiguredSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. MediumPassedFailed
333333333333
111122223333 us-east-1 SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/AMissing Encryption ConfigurationDomain 'QuickSetupDomain-20250525T153160' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
333333333333
111122223333 us-east-1 SM-04 GuardDuty Enabled Medium Passed
333333333333
111122223333 us-east-1 SM-05 SageMaker Model Registry Issue Informational N/A
333333333333
111122223333 us-east-1 SM-05 SageMaker Feature Store Issue Informational N/A
333333333333
111122223333 us-east-1 SM-05 SageMaker Pipelines Issue Informational N/A
333333333333
111122223333 us-east-1 SM-06 SageMaker Clarify No Clarify Usage Informational N/A
333333333333
111122223333 us-east-1 SM-07 SageMaker Model Monitor No Model Monitoring Informational N/A
333333333333
111122223333 us-east-1 SM-08 Model Registry Registry Not Used Informational N/A
333333333333
111122223333 us-east-1 SM-09 SageMaker Notebook Root Access Check Informational N/A
333333333333
111122223333 us-east-1 SM-10 SageMaker Notebook VPC Deployment Check Informational N/A
333333333333
111122223333 us-east-1 SM-11 SageMaker Model Network Isolation Check Informational N/A
333333333333
111122223333 us-east-1 SM-12 SageMaker Endpoint Instance Count Check Informational N/A
333333333333
111122223333 us-east-1 SM-13 SageMaker Monitoring Network Isolation Check Informational N/A
333333333333
111122223333 us-east-1 SM-14 SageMaker Model Repository Access Check Informational N/A
333333333333
111122223333 us-east-1 SM-15 SageMaker Feature Store Encryption Check Informational N/A
333333333333
111122223333 us-east-1 SM-16 SageMaker Data Quality Job Encryption Check Informational N/A
333333333333
111122223333 us-east-1 SM-17 SageMaker Processing Job Encryption Check Informational N/A
333333333333
111122223333 us-east-1 SM-18 SageMaker Transform Job Encryption Check Informational N/A
333333333333
111122223333 us-east-1 SM-19 SageMaker Hyperparameter Tuning Job Encryption Check Informational N/A
333333333333
111122223333 us-east-1 SM-20 SageMaker Compilation Job Encryption Check Informational N/A
333333333333
111122223333 us-east-1 SM-21 SageMaker AutoML Job Network Isolation Check Informational N/A
333333333333
111122223333 us-east-1 SM-22 Model Approval Workflow Check Informational N/A
333333333333
111122223333 us-east-1 SM-23 Model Drift Detection Check Medium Passed
333333333333
111122223333 us-east-1 SM-24 A/B Testing and Shadow Deployment Check Low Passed
333333333333
111122223333 us-east-1 SM-25 ML Lineage Tracking - Experiments Not Used Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredNon-VPC Only Network AccessSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access type InformationalN/AHighFailed
333333333333ap-southeast-2
111122223333us-west-2 SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredSSO Not Properly ConfiguredSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. MediumPassedFailed
333333333333ap-southeast-2
111122223333us-west-2 SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/AMissing Encryption ConfigurationDomain 'PromptEvaluationDomain' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
333333333333ap-southeast-2
111122223333us-west-2 SM-04 GuardDuty Enabled Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. Medium Passed
333333333333ap-southeast-2
111122223333us-west-2 SM-05 SageMaker Model Registry Issue No model package groups found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-05 SageMaker Feature Store Issue No feature groups found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-05 SageMaker Pipelines Issue No ML pipelines found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-06 SageMaker Clarify No Clarify Usage No SageMaker Clarify jobs found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-07 SageMaker Model Monitor No Model Monitoring No Model Monitor schedules found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-08 Model Registry Registry Not Used Model Registry is not being utilized Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-09 SageMaker Notebook Root Access Check No notebook instances found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-10 SageMaker Notebook VPC Deployment Check No notebook instances found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-11 SageMaker Model Network Isolation Check No models found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-12 SageMaker Endpoint Instance Count Check No InService endpoints found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-13 SageMaker Monitoring Network Isolation Check No monitoring schedules found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-14 SageMaker Model Repository Access Check No models found or all use default Platform access Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-15 SageMaker Feature Store Encryption Check No feature groups with offline stores found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-16 SageMaker Data Quality Job Encryption Check No data quality job definitions found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-17 SageMaker Processing Job Encryption Check No processing jobs found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-18 SageMaker Transform Job Encryption Check No transform jobs found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-19 SageMaker Hyperparameter Tuning Job Encryption Check No hyperparameter tuning jobs found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-20 SageMaker Compilation Job Encryption Check No compilation jobs found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-21 SageMaker AutoML Job Network Isolation Check No AutoML jobs found Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-22 Model Approval Workflow Check No model package groups found. Model Registry is not being used for model governance. Informational N/A
333333333333ap-southeast-2
111122223333us-west-2 SM-23 Model Drift Detection Check No InService endpoints found to monitor. Medium Passed
333333333333ap-southeast-2
111122223333us-west-2 SM-24 A/B Testing and Shadow Deployment Check No InService endpoints found. Low Passed
333333333333ap-southeast-2
111122223333us-west-2 SM-25 ML Lineage Tracking - Experiments Not Used No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized. Informational N/A
333333333333GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policy
111122223333sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check No action requiredHighPassed
333333333333GlobalBR-03Marketplace Subscription Access CheckRole 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_7erx6' last accessed Bedrock on 2025-05-13You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AWSVAPTAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-333333333333-us-east-1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-333333333333-us-east-2' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailedInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-333333333333-us-west-2' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required MediumFailedPassed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required MediumFailedPassed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'Nova-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerApp-EC2-Role' last accessed Bedrock on 2026-03-29You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerScanRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'resco-aiml-security-mgmt-BedrockSecurityAssessmentF-espswsHIf9by' last accessed Bedrock on 2026-04-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
333333333333us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
111122223333sa-east-1SM-11SageMaker Model Network Isolation CheckNo models found No action required Informational N/A
333333333333us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
111122223333sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found No action required Informational N/A
333333333333us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
111122223333sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found No action required Informational N/A
333333333333us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
111122223333sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access No action required Informational N/A
333333333333us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
111122223333sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required Informational N/A
333333333333us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
111122223333sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found No action required Informational N/A
333333333333us-east-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
111122223333sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required Informational N/A
333333333333us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
111122223333sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required Informational N/A
333333333333us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
111122223333sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found No action required Informational N/A
333333333333us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
111122223333sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required Informational N/A
333333333333us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
111122223333sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found No action required Informational N/A
333333333333us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
111122223333sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
333333333333us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.
111122223333sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action required MediumFailedPassed
333333333333us-east-1FS-02No API Gateway Usage Plans FoundNo usage plans configured. GenAI API endpoints may have no rate limits.Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.
111122223333sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
333333333333us-east-1FS-03Bedrock Token Quotas At DefaultAll 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.1. Review current Bedrock TPM/TPD quotas in the Service Quotas console. -2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review. -3. Implement client-side token counting and pre-flight quota checks. -4. Use Bedrock cross-region inference profiles to distribute load.Medium
111122223333eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformational N/A
333333333333us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.
111122223333eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required MediumFailedPassed
333333333333us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMFMediumFailed
111122223333eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
333333333333us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.
111122223333eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required MediumFailedPassed
111122223333eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
333333333333us-east-1FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.
111122223333eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production Informational N/A
333333333333us-east-1FS-08No AgentCore Runtimes FoundNo AgentCore runtimes found; policy engine check not applicable.If using AgentCore, configure the Policy Engine to authorize tool calls.
111122223333eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment Informational N/A
333333333333us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, resco-aiml-CleanupBucket, aiml-security-aiml-security-mgmt-IAMPermissionCaching, AIMLSecurity-Assessment-CodeBuildStartBuildLambda-Ul2QNob2S042, resco-aiml-BedrockAssessment, resco-aiml-AgentCoreAssessment, resco-aiml-GenerateReport. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
333333333333us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
111122223333eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules Informational N/A
333333333333us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeoutsMediumFailed
111122223333eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
333333333333us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
333333333333us-east-1FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
333333333333us-east-1FS-14Model Governance Config Rules PresentFound 13 model-related Config rule(s).No action required.MediumPassed
111122223333eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
333333333333us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
333333333333us-east-1FS-16ECR Repositories Without Image Scanning1 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-333333333333-us-east-1.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
333333333333us-east-1FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.
111122223333eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required Informational N/A
333333333333us-east-1FS-21No Training Data Buckets IdentifiedNo S3 buckets with training/model naming found.Tag training data buckets and enable versioning.
111122223333eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required Informational N/A
333333333333us-east-1FS-22Overly Permissive Knowledge Base IAM Roles710 role(s) with wildcard KB permissions: -- Role 'Admin' allows '*' -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListModelInvocations' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListPrompts' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetPrompt' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListAgents' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetAgent' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListCustomModels' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
333333333333us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.
111122223333eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required Informational N/A
333333333333us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 1 encryption policy(ies); 1 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
111122223333eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
333333333333us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
333333333333us-east-1FS-27No Guardrails — Contextual Grounding Not ApplicableNo Bedrock Guardrails configured. Configure guardrails first (see BR-05).Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).
111122223333eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required Informational N/A
333333333333us-east-1FS-27Automated Reasoning Policies — Access CheckAccess denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml. -2. Check for an Organizations SCP / permission boundary denying the action. -3. Confirm the assessed region supports Automated Reasoning checks. -4. Re-run the assessment after re-deploying.Low
111122223333eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformational N/A
333333333333us-east-1FS-28No Guardrails — Denied Topics Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with denied topics for regulated financial content.
111122223333eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment. Informational N/A
333333333333us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.
111122223333eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
333333333333us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge cases
444455556666eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required Informational N/A
333333333333us-east-1FS-31Knowledge Base Data Sources Past Review Threshold1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 403 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.
444455556666eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required MediumFailedPassed
333333333333us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
444455556666eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required Informational N/A
333333333333us-east-1FS-33KB Data Source Buckets Have VersioningAll reviewed KB data source buckets have versioning enabled.No action required.
444455556666eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required Medium Passed
333333333333us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.
444455556666eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
333333333333us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm content
444455556666eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production Informational N/A
333333333333us-east-1FS-36No Guardrails — Content Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with content filters.
444455556666eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment Informational N/A
333333333333us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.
444455556666eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection Informational N/A
333333333333us-east-1FS-38No Guardrails — Word Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with word filters.
444455556666eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules Informational N/A
333333333333us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.HighFailed
333333333333us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness tests
444455556666eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows Informational N/A
333333333333us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.HighFailed
333333333333us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.MediumFailed
333333333333us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.HighFailed
333333333333us-east-1FS-44Amazon Macie Not EnabledAmazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.1. Enable Amazon Macie in all regions where AI/ML data is stored. -2. Create Macie classification jobs for training data and KB buckets. -3. Configure Macie findings to route to Security Hub and SNS. -4. Remediate PII findings before using data for model training.HighFailed
444455556666eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
333333333333us-east-1FS-45No Guardrails — PII Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with PII/sensitive information filters.
444455556666eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required Informational N/A
333333333333us-east-1FS-46No AI/ML Data Buckets IdentifiedNo S3 buckets with AI/ML naming found.Tag AI/ML data buckets with data-classification labels.
444455556666eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required Informational N/A
333333333333us-east-1FS-47No Guardrails — Grounding Threshold Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with contextual grounding checks.
444455556666eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required Informational N/A
333333333333us-east-1FS-48Active Knowledge Bases for RAG PresentFound 1 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
333333333333us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.
444455556666eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required Informational N/A
333333333333us-east-1FS-50No Guardrails With Relevance Grounding FiltersNo guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.MediumFailed
333333333333us-east-1FS-51No Guardrails — Prompt Attack Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with prompt attack filters.
444455556666eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required Informational N/A
333333333333us-east-1FS-52Bedrock Lambda Functions on Current RuntimesAll 16 Bedrock Lambda function(s) use current runtimes.No action required.MediumPassed
333333333333us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).
444455556666eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required Informational N/A
333333333333us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
444455556666eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required Informational N/A
333333333333us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
333333333333us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.
444455556666eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required Informational N/A
333333333333us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.
444455556666eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required Informational N/A
333333333333us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.
444455556666eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required Informational N/A
333333333333us-east-1FS-59No Guardrails — Topic Allowlist Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with topic policies to restrict off-topic responses.
444455556666eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required Informational N/A
333333333333us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.
444455556666eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required Informational N/A
333333333333us-east-1FS-61COULD NOT ASSESS: Knowledge Base Sync Schedule CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-FinServSecurityAssessmentFunctio-pwj9by1swQWa/aiml-security-aiml-security-mgmt-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:333333333333:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
333333333333us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.
444455556666eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment. Informational N/A
333333333333us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 11 lifecycle-related Config rule(s) found.No action required.
444455556666eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action required Medium Passed
333333333333us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.MediumFailed
444455556666eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
333333333333us-east-1FS-66No AgentCore Runtimes FoundNo AgentCore runtimes found; identity propagation check not applicable.If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.
444455556666eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
333333333333us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-mgmt-FinServAssessment -- resco-aiml-BedrockAssessment -- resco-aiml-AgentCoreAssessment -- aiml-security-aiml-security-mgmt-AgentCoreAssessment -- aiml-security-aiml-security-mgmt-BedrockAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
444455556666GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action required HighFailedPassed
333333333333
444455556666 us-east-1FS-68API Gateway Request Body Size Limits — Not ApplicableNo API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required Informational N/A
333333333333
444455556666 us-east-1FS-69Prompt Input Validation Functions PresentFound 2 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket, resco-aiml-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required Medium Passed
333333333333eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
444455556666us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required Informational N/A
333333333333ap-southeast-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
444455556666us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
333333333333ap-southeast-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action required
444455556666us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production Informational N/A
333333333333ap-southeast-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action required
444455556666us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment Informational N/A
333333333333ap-southeast-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action required
444455556666us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection Informational N/A
333333333333ap-southeast-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action required
444455556666us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules Informational N/A
333333333333ap-southeast-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows Informational N/A
333333333333ap-southeast-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances found No action required Informational N/A
333333333333ap-southeast-2BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required Informational N/A
333333333333ap-southeast-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
444455556666us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required Informational N/A
333333333333ap-southeast-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
444455556666us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found No action required Informational N/A
333333333333ap-southeast-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
444455556666us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required Informational N/A
333333333333ap-southeast-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
444455556666us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access No action required Informational N/A
333333333333eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
444455556666us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores found No action required Informational N/A
333333333333eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
444455556666us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found No action required Informational N/A
333333333333eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
444455556666us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs found No action required Informational N/A
333333333333eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
444455556666us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs found No action required Informational N/A
333333333333eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required Informational N/A
333333333333eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found No action required Informational N/A
333333333333eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required Informational N/A
333333333333eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
444455556666us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment. Informational N/A
333333333333eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
444455556666us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor. No action requiredInformationalN/AMediumPassed
333333333333eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
444455556666us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
333333333333eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
444455556666ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check No action required Informational N/A
333333333333GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access found
444455556666ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configured No action requiredHighMedium Passed
333333333333GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-mgmt-AgentCoreSecurityAssessmen-JrbYHkz9UslU' (62 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
444455556666ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
333333333333GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principle
444455556666ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required MediumFailedPassed
333333333333GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
444455556666ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
333333333333us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
444455556666ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production Informational N/A
333333333333us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
444455556666ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment Informational N/A
333333333333us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
444455556666ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection Informational N/A
333333333333us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
444455556666ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules Informational N/A
333333333333us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources found
444455556666ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances found No action required Informational N/A
333333333333us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found
444455556666ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found No action required Informational N/A
333333333333us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found
444455556666ap-south-1SM-11SageMaker Model Network Isolation CheckNo models found No action required Informational N/A
333333333333us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
444455556666ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found No action required Informational N/A
333333333333us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
444455556666ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found No action required Informational N/A
333333333333us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
444455556666ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access No action required Informational N/A
222222222222eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found
444455556666ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores found No action required Informational N/A
222222222222eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources found
444455556666ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found No action required Informational N/A
222222222222eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources found
444455556666ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs found No action required Informational N/A
222222222222eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration
444455556666ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs found No action required Informational N/A
222222222222eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources found
444455556666ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found No action required Informational N/A
222222222222eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found
444455556666ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found No action required Informational N/A
222222222222eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found
444455556666ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found No action required Informational N/A
222222222222eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
444455556666ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment. Informational N/A
222222222222eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
444455556666ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor. No action requiredInformationalN/AMediumPassed
222222222222eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
444455556666ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found. No action requiredLowPassed
444455556666ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-01 SageMaker Internet Access Check No SageMaker notebook instances or domains found to check Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-02 SageMaker SSO Configuration Check No SageMaker domains found, or all domains use SSO with IAM Identity Center configured Medium Passed
222222222222eu-west-1
444455556666sa-east-1 SM-03 Data Protection Check No SageMaker resources found to check for data protection Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-04 GuardDuty Enabled Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. Medium Passed
222222222222eu-west-1
444455556666sa-east-1 SM-05 SageMaker Model Registry Issue No model package groups found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-05 SageMaker Feature Store Issue No feature groups found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-05 SageMaker Pipelines Issue No ML pipelines found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-06 SageMaker Clarify No Clarify Usage No SageMaker Clarify jobs found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-07 SageMaker Model Monitor No Model Monitoring No Model Monitor schedules found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-08 Model Registry Registry Not Used Model Registry is not being utilized Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-09 SageMaker Notebook Root Access Check No notebook instances found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-10 SageMaker Notebook VPC Deployment Check No notebook instances found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-11 SageMaker Model Network Isolation Check No models found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-12 SageMaker Endpoint Instance Count Check No InService endpoints found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-13 SageMaker Monitoring Network Isolation Check No monitoring schedules found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-14 SageMaker Model Repository Access Check No models found or all use default Platform access Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-15 SageMaker Feature Store Encryption Check No feature groups with offline stores found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-16 SageMaker Data Quality Job Encryption Check No data quality job definitions found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-17 SageMaker Processing Job Encryption Check No processing jobs found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-18 SageMaker Transform Job Encryption Check No transform jobs found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-19 SageMaker Hyperparameter Tuning Job Encryption Check No hyperparameter tuning jobs found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-20 SageMaker Compilation Job Encryption Check No compilation jobs found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-21 SageMaker AutoML Job Network Isolation Check No AutoML jobs found Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-22 Model Approval Workflow Check No model package groups found. Model Registry is not being used for model governance. Informational N/A
222222222222eu-west-1
444455556666sa-east-1 SM-23 Model Drift Detection Check No InService endpoints found to monitor. Medium Passed
222222222222eu-west-1
444455556666sa-east-1 SM-24 A/B Testing and Shadow Deployment Check No InService endpoints found. Low Passed
222222222222eu-west-1
444455556666sa-east-1 SM-25 ML Lineage Tracking - Experiments Not Used No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized. Informational N/A
222222222222GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
222222222222us-east-1
444455556666us-west-2 SM-01 SageMaker Internet Access Check No SageMaker notebook instances or domains found to check Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-02 SageMaker SSO Configuration Check No SageMaker domains found, or all domains use SSO with IAM Identity Center configured Medium Passed
222222222222us-east-1
444455556666us-west-2 SM-03 Data Protection Check No SageMaker resources found to check for data protection Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-04 GuardDuty Enabled Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. Medium Passed
222222222222us-east-1
444455556666us-west-2 SM-05 SageMaker Model Registry Issue No model package groups found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-05 SageMaker Feature Store Issue No feature groups found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-05 SageMaker Pipelines Issue No ML pipelines found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-06 SageMaker Clarify No Clarify Usage No SageMaker Clarify jobs found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-07 SageMaker Model Monitor No Model Monitoring No Model Monitor schedules found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-08 Model Registry Registry Not Used Model Registry is not being utilized Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-09 SageMaker Notebook Root Access Check No notebook instances found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-10 SageMaker Notebook VPC Deployment Check No notebook instances found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-11 SageMaker Model Network Isolation Check No models found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-12 SageMaker Endpoint Instance Count Check No InService endpoints found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-13 SageMaker Monitoring Network Isolation Check No monitoring schedules found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-14 SageMaker Model Repository Access Check No models found or all use default Platform access Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-15 SageMaker Feature Store Encryption Check No feature groups with offline stores found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-16 SageMaker Data Quality Job Encryption Check No data quality job definitions found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-17 SageMaker Processing Job Encryption Check No processing jobs found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-18 SageMaker Transform Job Encryption Check No transform jobs found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-19 SageMaker Hyperparameter Tuning Job Encryption Check No hyperparameter tuning jobs found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-20 SageMaker Compilation Job Encryption Check No compilation jobs found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-21 SageMaker AutoML Job Network Isolation Check No AutoML jobs found Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-22 Model Approval Workflow Check No model package groups found. Model Registry is not being used for model governance. Informational N/A
222222222222us-east-1
444455556666us-west-2 SM-23 Model Drift Detection Check No InService endpoints found to monitor. Medium Passed
222222222222us-east-1
444455556666us-west-2 SM-24 A/B Testing and Shadow Deployment Check No InService endpoints found. Low Passed
222222222222us-east-1
444455556666us-west-2 SM-25 ML Lineage Tracking - Experiments Not Used No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized. Informational N/A
222222222222us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
222222222222eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
222222222222ap-southeast-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
222222222222ap-southeast-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
222222222222ap-southeast-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
222222222222ap-southeast-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
222222222222ap-southeast-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
222222222222ap-southeast-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
222222222222ap-southeast-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
222222222222ap-southeast-2BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.InformationalN/A
222222222222ap-southeast-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
222222222222ap-southeast-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
222222222222ap-southeast-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
222222222222ap-southeast-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-01 SageMaker Internet Access Check No SageMaker notebook instances or domains found to check Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-02 SageMaker SSO Configuration Check No SageMaker domains found, or all domains use SSO with IAM Identity Center configured Medium Passed
222222222222ap-southeast-2
777788889999ap-south-1 SM-03 Data Protection Check No SageMaker resources found to check for data protection Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-04 GuardDuty Enabled Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. Medium Passed
222222222222ap-southeast-2
777788889999ap-south-1 SM-05 SageMaker Model Registry Issue No model package groups found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-05 SageMaker Feature Store Issue No feature groups found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-05 SageMaker Pipelines Issue No ML pipelines found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-06 SageMaker Clarify No Clarify Usage No SageMaker Clarify jobs found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-07 SageMaker Model Monitor No Model Monitoring No Model Monitor schedules found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-08 Model Registry Registry Not Used Model Registry is not being utilized Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-09 SageMaker Notebook Root Access Check No notebook instances found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-10 SageMaker Notebook VPC Deployment Check No notebook instances found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-11 SageMaker Model Network Isolation Check No models found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-12 SageMaker Endpoint Instance Count Check No InService endpoints found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-13 SageMaker Monitoring Network Isolation Check No monitoring schedules found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-14 SageMaker Model Repository Access Check No models found or all use default Platform access Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-15 SageMaker Feature Store Encryption Check No feature groups with offline stores found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-16 SageMaker Data Quality Job Encryption Check No data quality job definitions found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-17 SageMaker Processing Job Encryption Check No processing jobs found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-18 SageMaker Transform Job Encryption Check No transform jobs found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-19 SageMaker Hyperparameter Tuning Job Encryption Check No hyperparameter tuning jobs found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-20 SageMaker Compilation Job Encryption Check No compilation jobs found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-21 SageMaker AutoML Job Network Isolation Check No AutoML jobs found Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-22 Model Approval Workflow Check No model package groups found. Model Registry is not being used for model governance. Informational N/A
222222222222ap-southeast-2
777788889999ap-south-1 SM-23 Model Drift Detection Check No InService endpoints found to monitor. Medium Passed
222222222222ap-southeast-2
777788889999ap-south-1 SM-24 A/B Testing and Shadow Deployment Check No InService endpoints found. Low Passed
222222222222ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
222222222222GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
222222222222GlobalBR-03Marketplace Subscription Access CheckNo identities found with overly permissive marketplace subscription accessNo action requiredMediumPassed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
222222222222
777788889999 GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumSM-02SageMaker Full Access Policy UsedRole 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHigh Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
777788889999us-east-1SM-01Direct Internet Access EnabledSageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabledConfigure the notebook instance to use VPC connectivity and disable direct internet accessHigh Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHigh Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHigh Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on 2025-08-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. Medium Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. Medium Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. Medium Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. Medium Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'resco-aiml-security-23026-BedrockSecurityAssessment-xNwSsmlzindY' last accessed Bedrock on 2026-04-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
777788889999us-east-1SM-03Missing Encryption ConfigurationNotebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHigh Failed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.Medium
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHigh Failed
222222222222
777788889999 us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/ASM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
222222222222
777788889999 us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/ASM-03Missing Encryption ConfigurationTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
222222222222
777788889999 us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/ASM-03Missing VPC EncryptionTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabledEnable encryption for inter-container traffic and VPC communicationMediumFailed
222222222222
777788889999 us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageSM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. No action requiredInformationalN/A
222222222222us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/AMediumPassed
222222222222
777788889999 us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/ASM-05SageMaker Model Registry IssueModel group 'aiml-sec-test-model-package-group' has minimal versioningImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentLowFailed
222222222222
777788889999 us-east-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment Informational N/A
222222222222
777788889999 us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesSM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection Informational N/A
222222222222
777788889999 us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredSM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules Informational N/A
222222222222
777788889999 us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/ASM-08Model Registry Empty Model GroupModel group aiml-sec-test-model-package-group has no registered modelsImplement proper model versioning and approval workflowsLowFailed
222222222222
777788889999 us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
222222222222GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredSM-09SageMaker Notebook Root Access EnabledNotebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access. HighPassed
222222222222GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (62 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
222222222222GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMedium Failed
222222222222GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.Medium
777788889999us-east-1SM-10SageMaker Notebook Not in VPCNotebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.High Failed
222222222222
777788889999 us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/ASM-11SageMaker Model Network Isolation DisabledModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.HighFailed
222222222222
777788889999 us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundSM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found No action required Informational N/A
222222222222
777788889999 us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundSM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found No action required Informational N/A
222222222222
777788889999 us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/ASM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
222222222222
777788889999 us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/ASM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
222222222222
777788889999 us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/ASM-15SageMaker Feature Store Offline Encryption MissingFeature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.MediumFailed
222222222222
777788889999 us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundSM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found No action required Informational N/A
222222222222
777788889999 us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesSM-17SageMaker Processing Job Encryption CheckAll 1 processing jobs have volume encryption configured No action requiredInformationalN/AMediumPassed
222222222222
777788889999 us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundSM-18SageMaker Transform Job Encryption CheckAll 1 transform jobs have volume encryption configured No action requiredInformationalN/AMediumPassed
222222222222
777788889999 us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
222222222222ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundSM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found No action required Informational N/A
222222222222ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources found
777788889999us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found No action required Informational N/A
222222222222ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources found
777788889999us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found No action required Informational N/A
222222222222ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration
777788889999us-east-1SM-22Model Approval Workflow CheckChecked 1 model package groups. Approval workflows appear to be properly configured. No action requiredInformationalN/AMediumPassed
222222222222ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources found
777788889999us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor. No action requiredInformationalN/AMediumPassed
222222222222ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources found
777788889999us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found. No action requiredInformationalN/ALowPassed
222222222222ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
777788889999us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
222222222222ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
777788889999eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check No action required Informational N/A
222222222222ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
777788889999eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configured No action requiredInformationalN/AMediumPassed
222222222222ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protection No action required Informational N/A
222222222222
777788889999 eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivitySM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. No action requiredInformationalN/AMediumPassed
222222222222
777788889999 eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredSM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
222222222222
777788889999 eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredSM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production Informational N/A
222222222222
777788889999 eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredSM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment Informational N/A
222222222222
777788889999 eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesSM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection Informational N/A
222222222222
777788889999 eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredSM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules Informational N/A
222222222222
777788889999 eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows Informational N/A
222222222222
777788889999 eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesSM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required Informational N/A
222222222222
777788889999 eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountSM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found No action required Informational N/A
222222222222
777788889999 eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionSM-11SageMaker Model Network Isolation CheckNo models foundNo action required Informational N/A
222222222222
777788889999 eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountSM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found No action required Informational N/A
-
-
-
Risk Distribution
-

Pass Rate by Severity

-
-
HIGH
14.8%
9 of 61 checks passed
-
MEDIUM
20.5%
39 of 190 checks passed
-
LOW
52.9%
9 of 17 checks passed
-
Overall
21.3%
57 of 268 actionable checks
-
-

Risk by Account

-
111111111111
146
42 High · 101 Med · 3 Low
222222222222
14
0 High · 14 Med · 0 Low
333333333333
45
10 High · 34 Med · 1 Low
-

Risk by Region

-
ap-southeast-2
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
80
28 High · 48 Med · 4 Low
-

Findings by Service

-
-
Bedrock
209
107 Failed · 3 Passed
-
SageMaker
252
10 Failed · 37 Passed
-
AgentCore
123
37 Failed · 2 Passed
-
Financial Services Risk
139
51 Failed · 15 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
-
-
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111GlobalBR-01AmazonBedrockFullAccess role checkRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111111111111GlobalBR-01AmazonBedrockFullAccess role checkRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111111111111GlobalBR-01AmazonBedrockFullAccess role checkRole 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole '111111111111-us-east-1-kb-bedrock-service-role' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole '111111111111-us-east-1-kb-setup-function-role' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'agentcore-wildrydes_gateway_role_ab3991f6-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' last accessed Bedrock on 2025-12-21You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D' last accessed Bedrock on 2024-06-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ' last accessed Bedrock on 2025-04-27You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_072pr' last accessed Bedrock on 2024-06-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_byjin' last accessed Bedrock on 2024-11-17You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_h9718' last accessed Bedrock on 2024-11-17You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' last accessed Bedrock on 2026-01-01You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' last accessed Bedrock on 2025-12-28You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_semicon' last accessed Bedrock on 2024-09-01You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_xtwwd' last accessed Bedrock on 2025-10-13You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_y9m7f' last accessed Bedrock on 2025-04-27You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonQInvestigationRole-DefaultInvestigationGroup-8vxyjh' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonSageMaker-ExecutionRole-20231014T200029' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'aws-api-mcp-server-execution-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action required MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on 2024-11-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSVAPTAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'BedrockCognitoFederatedRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-111111111111-us-west-2' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cfn-contextualChatBot-usi-LambdaExecutionRoleForKno-aHg3J0xel6VU' last accessed Bedrock on 2024-03-25You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' last accessed Bedrock on 2025-12-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CustomerSupportStackInfra-CustomerSupportLambdaRole-ujGGiNU6KEnI' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'e2ebedrockrag-KbRoleStack-2YO19O2NS6FP-KbRole-OgMxcvrnZrHZ' last accessed Bedrock on 2025-11-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'fsi-genai-workshop-bedrock-kb-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'fsi-genai-workshop-lambda-execution-role' last accessed Bedrock on 2025-12-28You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'fsi-genai-workshop-websocket-lambda-role' last accessed Bedrock on 2025-12-28You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-BDASAMPLEPROJECT-SGJRDJI15S-LambdaExecutionRole-MCRJbTEDuyKt' last accessed Bedrock on 2025-08-24You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-ChatWithDocumentResolverFunctionRole-ATyH7GeR2ad1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-DOCUMENTBEDROCKKB-CY8-StartIngestionJobFunction-NjNLRuUn8qtp' last accessed Bedrock on 2025-08-24You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-EvaluationFunctionRole-LQdnEMAdwWPe' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-PATTERN1STACK-TNHNKPK-ProcessResultsFunctionRol-8z8mNwa6RahP' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-PATTERN1STACK-TNHNKPK-SummarizationFunctionRole-MY6sxSMvFNr4' last accessed Bedrock on 2025-10-07You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-PATTERN1STACK-TNHNKPKJY4Q-InvokeBDAFunctionRole-pLHufEKQ0Nu4' last accessed Bedrock on 2025-10-07You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDP-QueryKnowledgeBaseResolverFunctionRole-p9Mcpfk0BA6z' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action required MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' last accessed Bedrock on 2024-07-30You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'LLMEvaluationPromptfoo-Aurora-Bedrock-Role' last accessed Bedrock on 2025-12-30You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'LLMEvaluationPromptfoo-LambdaExecutionRole-umo63kVrhIoy' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' last accessed Bedrock on 2025-12-30You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
777788889999sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required MediumFailedPassed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'Meeting-Note-Bot-Role' last accessed Bedrock on 2025-10-22You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'myAskMeAnything-role-kmsizqwf' last accessed Bedrock on 2024-01-04You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'resco-aiml-security-19304-BedrockSecurityAssessment-kgYUbi1MIbbb' last accessed Bedrock on 2026-04-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'SAT-PrereqTest-CodeBuildRole-SATv2Stack-PreReqs' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'threat-designer-role' last accessed Bedrock on 2025-07-02You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckUser 'BedrockAPIKey-yhc3' last accessed Bedrock on 2026-04-19You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckUser 'BedrockClientUser' last accessed Bedrock on 2025-04-06You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
777788889999sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111111111111us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
777788889999sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found No action required Informational N/A
111111111111us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
777788889999sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access No action required Informational N/A
111111111111us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
777788889999sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores found No action required Informational N/A
111111111111us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
777788889999sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found No action required Informational N/A
111111111111us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
777788889999sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required Informational N/A
111111111111us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
777788889999sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs found No action required Informational N/A
111111111111us-east-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
777788889999sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required Informational N/A
111111111111us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
777788889999sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required Informational N/A
111111111111us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
777788889999sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found No action required Informational N/A
111111111111us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
777788889999sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment. Informational N/A
111111111111us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
777788889999sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor. No action requiredMediumPassed
777788889999sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
111111111111ap-southeast-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
+
+
+
Amazon Bedrock AgentCore Findings
+
+
+
+
+
+
+ +
+
+ + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
111122223333ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
111122223333ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
111122223333ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
111111111111ap-southeast-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
111122223333ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required Informational N/A
111111111111ap-southeast-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
111122223333ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
111111111111ap-southeast-2BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
111122223333ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required Informational N/A
111111111111ap-southeast-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
111122223333ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required Informational N/A
111111111111ap-southeast-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
111122223333ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
111111111111ap-southeast-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
111122223333ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required Informational N/A
111111111111ap-southeast-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
111122223333us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
111111111111eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
111122223333us-west-2AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
111111111111eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
111122223333us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
111111111111eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
111122223333us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
111111111111eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
111122223333us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
111111111111eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
111122223333us-west-2AC-13AgentCore Gateway Configuration CheckFound 1 Gateway resourcesNo action requiredMediumPassed
111122223333us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required Informational N/A
111111111111eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
111122223333us-west-2AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: +1. Implement defense-in-depth access control +2. Enable cross-account access control +3. Restrict access based on source VPC or IP +4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
111111111111eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
111122223333us-west-2AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control +2. AWS-managed keys are single-tenant and region-specific +3. Consider CMK for enhanced audit capabilities and key rotation controlLowFailed
111122223333GlobalAC-02AgentCore IAM Full Access PolicyThe following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace with least-privilege policies scoped to specific AgentCore resources and actionsHighFailed
111122223333GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleScope permissions to specific AgentCore resources using resource ARNsHighFailed
111122223333GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
111122223333GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Review and remove unused AgentCore permissions following least privilege principle Informational N/A
111111111111eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111111111111eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111111111111eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111111111111eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
333333333333GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
333333333333GlobalBR-03Marketplace Subscription Access CheckRole 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.High
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLow Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifacts Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_7erx6' last accessed Bedrock on 2025-05-13You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifacts Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifacts Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifacts Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifacts Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'AWSVAPTAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keys Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-333333333333-us-east-1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keys Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-333333333333-us-east-2' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keys Medium Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-333333333333-us-west-2' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
111122223333us-east-1AC-13AgentCore Gateway Configuration CheckFound 2 Gateway resourcesNo action required MediumPassed
111122223333us-east-1AC-08AgentCore VPC Endpoints MissingNo AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create VPC interface endpoints for AgentCore services: +1. com.amazonaws.region.bedrock-agentcore +2. com.amazonaws.region.bedrock-agentcore-control +3. com.amazonaws.region.bedrock-agentcore-runtime +This enables private connectivity via AWS PrivateLinkHighFailed
111122223333us-east-1AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: +1. Implement defense-in-depth access control +2. Enable cross-account access control +3. Restrict access based on source VPC or IP +4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333us-east-1AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control +2. AWS-managed keys are single-tenant and region-specific +3. Consider CMK for enhanced audit capabilities and key rotation controlLow Failed
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'Nova-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerApp-EC2-Role' last accessed Bedrock on 2026-03-29You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerScanRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'resco-aiml-security-mgmt-BedrockSecurityAssessmentF-espswsHIf9by' last accessed Bedrock on 2026-04-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
333333333333GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111122223333eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
333333333333us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
111122223333eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
333333333333us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
111122223333eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
333333333333us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
111122223333eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
333333333333us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
111122223333eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found No action required Informational N/A
333333333333us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required Informational N/A
333333333333us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
333333333333us-east-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required Informational N/A
333333333333us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
444455556666ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required Informational N/A
333333333333us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
444455556666ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
333333333333us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
444455556666ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required Informational N/A
333333333333us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
444455556666ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
333333333333ap-southeast-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
444455556666ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
333333333333ap-southeast-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
444455556666ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
333333333333ap-southeast-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
444455556666us-west-2AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
333333333333ap-southeast-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
444455556666us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
333333333333ap-southeast-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required Informational N/A
333333333333ap-southeast-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
333333333333ap-southeast-2BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required Informational N/A
333333333333ap-southeast-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
444455556666us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required Informational N/A
333333333333ap-southeast-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
444455556666us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
333333333333ap-southeast-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
444455556666us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required Informational N/A
333333333333ap-southeast-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
444455556666us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways found No action required Informational N/A
333333333333eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
444455556666sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
333333333333eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
444455556666sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
333333333333eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
444455556666sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
333333333333eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
444455556666sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
333333333333eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required Informational N/A
333333333333eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
333333333333eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required Informational N/A
333333333333eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
444455556666sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required Informational N/A
333333333333eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
444455556666sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
333333333333eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
444455556666sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required Informational N/A
333333333333eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
444455556666GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access found No action requiredHighPassed
444455556666GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
444455556666GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principle Informational N/A
222222222222ap-southeast-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
444455556666GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
444455556666us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
222222222222ap-southeast-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
444455556666us-east-1AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
222222222222ap-southeast-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
444455556666us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
222222222222ap-southeast-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
444455556666us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
222222222222ap-southeast-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required Informational N/A
222222222222ap-southeast-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
222222222222ap-southeast-2BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required Informational N/A
222222222222ap-southeast-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
444455556666us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required Informational N/A
222222222222ap-southeast-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
444455556666us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
222222222222ap-southeast-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
444455556666us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required Informational N/A
222222222222ap-southeast-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
444455556666eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
222222222222GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policy
444455556666eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources found No action requiredHighPassedInformationalN/A
222222222222GlobalBR-03Marketplace Subscription Access CheckNo identities found with overly permissive marketplace subscription access
444455556666eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources found No action requiredMediumPassed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on 2025-08-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'resco-aiml-security-23026-BedrockSecurityAssessment-xNwSsmlzindY' last accessed Bedrock on 2026-04-18You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
222222222222GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailedInformationalN/A
222222222222us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
444455556666eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
222222222222us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
444455556666eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
222222222222us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
444455556666eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
222222222222us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
444455556666eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
222222222222us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
444455556666eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required Informational N/A
222222222222us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
444455556666eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
222222222222us-east-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
444455556666eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required Informational N/A
222222222222us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
777788889999ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required Informational N/A
222222222222us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
777788889999ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
222222222222us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
777788889999ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required Informational N/A
222222222222us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
777788889999ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
222222222222eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity
777788889999ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
222222222222eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging
777788889999ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
222222222222eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
777788889999ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
222222222222eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
777788889999ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
222222222222eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
777788889999ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required Informational N/A
222222222222eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
777788889999ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways found No action required Informational N/A
222222222222eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
777788889999us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required Informational N/A
222222222222eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
777788889999us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required Informational N/A
222222222222eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
777788889999us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
222222222222eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
777788889999us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required Informational N/A
222222222222eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account
777788889999us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
-
-
-
Amazon SageMaker Findings
-
-
-
-
-
-
- -
-
- - - - - + + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - - - - - - - - - - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - - + + + + + + - - + + - - - + + + - - - - - - - - - - - - + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - + + + - + - - - - - - - +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check
777788889999us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
111111111111ap-southeast-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configured
777788889999us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action requiredMediumPassedInformationalN/A
111111111111ap-southeast-2SM-03Data Protection CheckNo SageMaker resources found to check for data protection
777788889999us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
111111111111ap-southeast-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
777788889999us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action requiredMediumPassed
111111111111ap-southeast-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
111111111111ap-southeast-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
777788889999us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required Informational N/A
111111111111ap-southeast-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
777788889999sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required Informational N/A
111111111111ap-southeast-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
777788889999sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required Informational N/A
111111111111ap-southeast-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
777788889999sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required Informational N/A
111111111111ap-southeast-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
777788889999sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required Informational N/A
111111111111ap-southeast-2SM-09SageMaker Notebook Root Access CheckNo notebook instances found
777788889999sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
111111111111ap-southeast-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found
777788889999sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
111111111111ap-southeast-2SM-11SageMaker Model Network Isolation CheckNo models found
777788889999sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
777788889999sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
111111111111ap-southeast-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found
777788889999sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
111111111111ap-southeast-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access
777788889999sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways found No action required Informational N/A
111111111111ap-southeast-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores found
777788889999eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found
777788889999eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs found
777788889999eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs found
777788889999eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action required Informational N/A
111111111111ap-southeast-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found
777788889999eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources found No action required Informational N/A
111111111111ap-southeast-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found
777788889999eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
111111111111ap-southeast-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found
777788889999eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
777788889999eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required Informational N/A
111111111111ap-southeast-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.
777788889999eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action requiredMediumPassedInformationalN/A
111111111111ap-southeast-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.
777788889999eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found No action requiredLowPassed
111111111111ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111111111111GlobalSM-02SageMaker Full Access Policy UsedRole 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111111111111
777788889999 GlobalSM-02SageMaker Full Access Policy UsedRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVScope permissions to specific AgentCore resources using resource ARNs High Failed
111111111111
777788889999 GlobalSM-02SageMaker Full Access Policy UsedRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailedAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
111111111111
777788889999 GlobalSM-02SageMaker Full Access Policy UsedRole 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.Medium Failed
111111111111
777788889999 us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailedAC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111111111111
777788889999 us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailedAC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111111111111
777788889999 us-east-1SM-03Missing Encryption ConfigurationDomain 'QuickSetupDomain-20250525T153160' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighAC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'aiml-sec-test-agentcore-no-encryption' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLow Failed
111111111111
777788889999 us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configuration No action requiredMediumPassed
111111111111us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
111111111111
777788889999 us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionAC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required Informational N/A
111111111111
777788889999 us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentAC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required Informational N/A
111111111111
777788889999 us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionAC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required Informational N/A
111111111111
777788889999 us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesAC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required Informational N/A
111111111111
777788889999 us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsAC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required Informational N/A
111111111111
777788889999 us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundAC-12AgentCore Gateway Encryption CheckNo Gateways found No action required Informational N/A
111111111111us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found
+
+
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
+ + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - - + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - - - - - - - - - - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - + + + + + + + + + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - - - + + + - - - - - - + + + + + + - - - + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
111111111111us-east-1SM-11SageMaker Model Network Isolation CheckNo models found
111122223333ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
111111111111us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
111122223333ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
111111111111us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found
111122223333ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
111111111111us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
111122223333ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
111111111111us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
111122223333ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
111111111111us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
111122223333ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
111111111111us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
111122223333ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
111111111111us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
111122223333ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
111111111111us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found
111122223333ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333us-west-2AG-24Agentic AI Gateway Inbound AuthorizationGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) uses authorizerType CUSTOM_JWT. No action requiredHighPassed
111122223333us-west-2AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-west-2AG-26Agentic AI Gateway Error Detail ExposureGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.No action requiredMediumPassed
111122223333us-west-2AG-27Agentic AI Gateway WAF Protection MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
111122223333us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
111122223333us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
111122223333us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
111111111111
111122223333us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.HighFailed
111122223333us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowFailed
111122223333 us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredAG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumPassed
111122223333us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
111122223333GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported. Informational N/A
111111111111
111122223333 us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredAG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
111122223333us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111
111122223333 us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111
111122223333 us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredAG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
111122223333us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.LowPassed
111122223333us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required. MediumFailed
111122223333us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configuredConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.Low Passed
111111111111
111122223333 us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredAG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabledEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Low Passed
111111111111
111122223333 us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required
111122223333us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required
111122223333us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. MediumPassedFailed
111111111111eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required
111122223333ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111122223333ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
111122223333ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111122223333ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111122223333ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
111122223333ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
111122223333ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
111111111111eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
111122223333ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
111122223333ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
111122223333ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
111122223333ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
111122223333ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
111122223333us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumFailed
111122223333us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
111122223333us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
111122223333us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
111122223333us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
111122223333us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
111122223333us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.HighFailed
111122223333us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required.MediumFailed
111122223333us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.HighFailed
111122223333us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.MediumFailed
111122223333us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
111122223333us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
111122223333us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
111122223333sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
111122223333sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
111122223333sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
111122223333sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
111122223333sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
111122223333sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
111122223333sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
111122223333sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
111122223333sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
111122223333sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
111122223333sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.
111122223333sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111122223333sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
111122223333us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) uses authorizerType CUSTOM_JWT. No action requiredMediumHigh Passed
111111111111eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.
111122223333us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail. No action requiredMediumPassed
111122223333us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection. LowFailed
111122223333us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) uses authorizerType CUSTOM_JWT.No action requiredHigh Passed
111111111111eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
111122223333us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.No action requiredMediumPassed
111122223333us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
111122223333GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.MediumFailed
111122223333GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Remove or restrict stale AgentCore permissions for principals that no longer need access. Informational N/A
333333333333eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
333333333333eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. MediumPassedFailed
333333333333eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
333333333333eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. MediumPassedFailed
333333333333eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
333333333333eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
333333333333eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
333333333333eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create required VPC endpoints for AgentCore services and validate endpoint availability.HighFailed
333333333333eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.HighFailed
333333333333eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
111122223333us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances found
111122223333us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowFailed
111122223333sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found
111122223333sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1SM-11SageMaker Model Network Isolation CheckNo models found
111122223333sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
111122223333sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
111122223333sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
333333333333eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
111122223333sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
333333333333eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
111122223333sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
333333333333eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
111122223333sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
333333333333eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
111122223333sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
333333333333eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
111122223333sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
111122223333sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333
111122223333 eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredAG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
333333333333
111122223333 eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredAG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
333333333333
111122223333 eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
333333333333eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
333333333333eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
333333333333
111122223333 eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
333333333333GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
333333333333us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required
111122223333eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
333333333333us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
333333333333us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required
111122223333eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
333333333333us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
333333333333us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
111122223333eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
111122223333eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
333333333333us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
111122223333eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
333333333333us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
111122223333eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
333333333333us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
111122223333eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
333333333333us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
111122223333eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
333333333333us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
111122223333eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
333333333333us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances found
111122223333eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found
111122223333eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-11SageMaker Model Network Isolation CheckNo models found
111122223333eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
111122223333eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
111122223333eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
333333333333us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
111122223333eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
333333333333us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
111122223333eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
333333333333us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
111122223333eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
333333333333us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
111122223333eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
333333333333us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs found
111122223333eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs found
444455556666ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found
444455556666ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found
444455556666ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
444455556666ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
333333333333us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
333333333333us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
333333333333us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
444455556666ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
333333333333ap-southeast-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required
444455556666ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
333333333333ap-southeast-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
333333333333ap-southeast-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required
444455556666ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333ap-southeast-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
333333333333ap-southeast-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
444455556666ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
333333333333ap-southeast-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
444455556666ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
333333333333ap-southeast-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
444455556666ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
333333333333ap-southeast-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
444455556666ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
333333333333ap-southeast-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
444455556666ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
333333333333ap-southeast-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
444455556666ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
333333333333ap-southeast-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
444455556666ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
333333333333ap-southeast-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
444455556666ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
333333333333ap-southeast-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
444455556666ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
333333333333ap-southeast-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
444455556666ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
333333333333ap-southeast-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
444455556666ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
333333333333ap-southeast-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
444455556666ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported. Informational N/A
333333333333ap-southeast-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
444455556666us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
333333333333ap-southeast-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
444455556666us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
333333333333ap-southeast-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
444455556666us-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
333333333333ap-southeast-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
444455556666us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
333333333333ap-southeast-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
444455556666us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
333333333333ap-southeast-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
444455556666us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
333333333333ap-southeast-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
444455556666us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
333333333333ap-southeast-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
444455556666us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
333333333333ap-southeast-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
333333333333ap-southeast-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
333333333333ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
444455556666us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
222222222222eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to check
444455556666us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configured
444455556666us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action requiredMediumPassedInformationalN/A
222222222222eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protection
444455556666us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
444455556666us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action requiredMediumPassed
222222222222eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment Informational N/A
222222222222eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
444455556666us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
222222222222eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
444455556666us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
222222222222eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
444455556666us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
222222222222eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
444455556666us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
222222222222eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
444455556666us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
222222222222eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
444455556666us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
444455556666us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222eu-west-1SM-11SageMaker Model Network Isolation CheckNo models found
444455556666sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
444455556666sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found
444455556666sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform access
444455556666sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
444455556666sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
222222222222eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
444455556666sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
222222222222eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
444455556666sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
222222222222eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
444455556666sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
222222222222eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
444455556666sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
222222222222eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
444455556666sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
444455556666sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222
444455556666 eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
222222222222eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
222222222222eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
222222222222
444455556666 eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
222222222222GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
222222222222us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required
444455556666eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
222222222222us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
222222222222us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required
444455556666eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
222222222222us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
222222222222us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
444455556666eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
222222222222us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
444455556666eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
222222222222us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
444455556666eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
222222222222us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
444455556666eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
222222222222us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
444455556666eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
222222222222us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
444455556666eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
222222222222us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
444455556666eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
222222222222
444455556666 us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundAG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
222222222222
444455556666 us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundAG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
222222222222
444455556666 us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundAG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
222222222222
444455556666 us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundAG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
222222222222us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
444455556666GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighPassed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.MediumFailed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access. Informational N/A
222222222222
444455556666 us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredAG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
222222222222
444455556666 us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredAG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
222222222222
444455556666 us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredAG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
222222222222
444455556666 us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredAG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
222222222222
444455556666 us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredAG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
222222222222
444455556666 us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredAG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222
444455556666 us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundAG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
222222222222us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
444455556666eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required Informational N/A
222222222222us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.
444455556666eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action requiredMediumPassedInformationalN/A
222222222222us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.
444455556666eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action requiredLowPassedInformationalN/A
222222222222us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
444455556666eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
222222222222ap-southeast-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action required
444455556666eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
222222222222ap-southeast-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
222222222222ap-southeast-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action required
444455556666eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
222222222222ap-southeast-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
222222222222ap-southeast-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
444455556666eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222ap-southeast-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
444455556666eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222ap-southeast-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
444455556666sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
222222222222ap-southeast-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
444455556666sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
222222222222ap-southeast-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
444455556666sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
222222222222ap-southeast-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
444455556666sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
222222222222ap-southeast-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
444455556666sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
222222222222ap-southeast-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
444455556666sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
222222222222ap-southeast-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
444455556666sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
222222222222ap-southeast-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
444455556666sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
222222222222ap-southeast-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
444455556666sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
222222222222ap-southeast-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
444455556666sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
222222222222ap-southeast-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
444455556666sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
222222222222ap-southeast-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
444455556666sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
222222222222ap-southeast-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
444455556666sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
222222222222ap-southeast-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
444455556666us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
222222222222ap-southeast-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
444455556666us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
222222222222ap-southeast-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
444455556666us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
222222222222ap-southeast-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
444455556666us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
222222222222ap-southeast-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
444455556666us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
222222222222ap-southeast-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
222222222222ap-southeast-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
222222222222ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
444455556666us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
-
-
-
Amazon Bedrock AgentCore Findings
-
-
-
-
-
-
- -
-
- - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - - - + + + - - + + - - - - - - + + + + + + - - + + - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
444455556666us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
444455556666us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
444455556666us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found
777788889999ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
777788889999ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
777788889999ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
111111111111GlobalAC-02AgentCore IAM Full Access PolicyThe following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace with least-privilege policies scoped to specific AgentCore resources and actionsHighFailed
111111111111GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleScope permissions to specific AgentCore resources using resource ARNsHighFailed
111111111111GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (179 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (179 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (179 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (62 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
111111111111GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMediumFailed
111111111111GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111111111111us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
777788889999ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
777788889999ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
777788889999ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
777788889999ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
777788889999ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
777788889999ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
777788889999ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
777788889999sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
777788889999sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
777788889999sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
111111111111us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
777788889999sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111111111111us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
777788889999sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111111111111us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
777788889999sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
111111111111us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
777788889999sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
111111111111us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
777788889999sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
111111111111us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
777788889999sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
111111111111us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
777788889999sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
111111111111us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
777788889999sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
111111111111us-east-1AC-07AgentCore Memory EncryptionMemory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
777788889999sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111111111111us-east-1AC-07AgentCore Memory EncryptionMemory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
777788889999sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
111111111111us-east-1AC-07AgentCore Memory EncryptionMemory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
777788889999eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
777788889999eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111us-east-1AC-08AgentCore VPC Endpoints MissingNo AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create VPC interface endpoints for AgentCore services: -1. com.amazonaws.region.bedrock-agentcore -2. com.amazonaws.region.bedrock-agentcore-control -3. com.amazonaws.region.bedrock-agentcore-runtime -This enables private connectivity via AWS PrivateLinkHighFailed
777788889999eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
111111111111us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
777788889999eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
777788889999eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required
777788889999eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111
777788889999 eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredAG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111
777788889999 eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredAG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111
777788889999 eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredAG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111
777788889999 eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredAG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111
777788889999 eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredAG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111
777788889999 eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredAG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
777788889999ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
777788889999ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
777788889999ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required
777788889999ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
333333333333ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
777788889999ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
333333333333ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
777788889999ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
333333333333ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
777788889999ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
333333333333ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
777788889999ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
333333333333ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
777788889999ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
333333333333ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
777788889999ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
333333333333ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
777788889999ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
333333333333ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
777788889999us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
333333333333ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
777788889999us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
333333333333ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found
777788889999us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
777788889999us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
333333333333eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
777788889999us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
333333333333eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
777788889999us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
333333333333eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
777788889999us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
333333333333eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
777788889999us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
333333333333eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
777788889999us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
777788889999us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
777788889999sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
333333333333eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
333333333333GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access found
777788889999sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action requiredHighPassed
333333333333GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-mgmt-AgentCoreSecurityAssessmen-JrbYHkz9UslU' (62 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
333333333333GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMediumFailed
333333333333GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailedInformationalN/A
333333333333us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources found
777788889999sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
777788889999sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
333333333333us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
777788889999sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
333333333333us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
777788889999sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
333333333333us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
777788889999sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
333333333333us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
777788889999sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
333333333333us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
777788889999sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
777788889999sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
333333333333us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
777788889999eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
333333333333us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
222222222222
777788889999 eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundAG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
222222222222
777788889999 eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundAG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
222222222222
777788889999 eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredAG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
222222222222
777788889999 eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredAG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
222222222222
777788889999 eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredAG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
222222222222
777788889999 eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredAG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222
777788889999 eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredAG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
777788889999us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found
777788889999us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
222222222222eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways found
777788889999us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
222222222222GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access found
777788889999us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action requiredHighPassedInformationalN/A
222222222222
777788889999 GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (62 days)Review and remove unused AgentCore permissions following least privilege principleMediumAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.High Failed
222222222222
777788889999 GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMediumFailedAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
222222222222GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
777788889999us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
222222222222
777788889999 us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredAG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
222222222222
777788889999 us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredAG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
222222222222
777788889999 us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredAG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
222222222222
777788889999 us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredAG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
222222222222
777788889999 us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredAG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222
777788889999 us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredAG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
222222222222
777788889999 us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredAG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumFailed
777788889999us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
777788889999GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported. Informational N/A
222222222222
777788889999 us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredAG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
777788889999us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
222222222222
777788889999 us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredAG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
777788889999us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
222222222222
777788889999 us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredAG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
222222222222ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
777788889999us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
222222222222ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
777788889999us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrailAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.LowPassed
777788889999us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
777788889999us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
222222222222ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required
777788889999us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
222222222222ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
777788889999us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
222222222222ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
777788889999us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
222222222222ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
777788889999us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
222222222222ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
777788889999us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
222222222222ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
777788889999us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
222222222222ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
777788889999us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
222222222222ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required
777788889999us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
-
-
Financial Services GenAI Risk Findings
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).
- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111
777788889999us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
+
Financial Services GenAI Risk Findings
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).
+ @@ -15063,8 +35378,22 @@

Low

- - + + + + + + + + + + + + + @@ -15076,8 +35405,21 @@

Medium

- - + + + + + + + + + + + + + @@ -15087,22 +35429,41 @@

Medium

- - + + + + + + + + + + + + + - - - + + + - + + + + + + + + + + + + - - + + @@ -15114,9 +35475,36 @@

Medium

- - - + + + + + + + + + + + + + + + + + + + + + + + + + @@ -15128,8 +35516,8 @@

Medium

- - + + @@ -15141,8 +35529,21 @@

Medium

- - + + + + + + + + + + + + + @@ -15152,8 +35553,19 @@

Informational

- - + + + + + + + + + + + + + @@ -15163,12 +35575,37 @@

High

- - + + + + + + + + + + + + + - + + + + + + + + + + + + - - + + @@ -15188,8 +35625,19 @@

Informational

- - + + + + + + + + + + + + + @@ -15202,8 +35650,22 @@

Medium

- - + + + + + + + + + + + + + @@ -15215,8 +35677,21 @@

High

- - + + + + + + + + + + + + + @@ -15226,8 +35701,19 @@

Medium

- - + + + + + + + + + + + + + @@ -15237,8 +35723,19 @@

Medium

- - + + + + + + + + + + + + + @@ -15250,19 +35747,43 @@

Medium

- - + + + + + + + + + + + + + - + + + + + + + + + + + + - - + + @@ -15272,25 +35793,68 @@

Informational

- - + + + + + + + + + + + + + - + + + + + + + + + + + + - - + + - + + + + + + + + + + + +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases) + - - + + @@ -15317,8 +35881,21 @@

Informational

- - + + + + + + + + + + + + + @@ -15328,8 +35905,19 @@

High

- - + + + + + + + + + + + + + @@ -15339,45 +35927,108 @@

High

- - + + + + + + + + + + + + + - - - + + + - - + + + + + + + + + + + + + - - + + - - - - - - + + + + + + - - + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + @@ -15389,8 +36040,8 @@

Informational

- - + + @@ -15403,14 +36054,44 @@

Informational

- - + + + + + + + + + + + + + + + + + + + + + + + + - - + + @@ -15433,23 +36114,62 @@

Informational

- - + + + + + + + + + + + + + - + + + + + + + + + + + + - - + + - + + + + + + + + + + + + - - + + @@ -15472,20 +36192,59 @@

Informational

- - + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + @@ -15497,19 +36256,36 @@

Informational

- - + + - - - + + + - - + + + + + + + + + + + + + - - + + @@ -15522,8 +36298,22 @@

High

- - + + + + + + + + + + + + + @@ -15536,8 +36326,22 @@

Informational

- - + + + + + + + + + + + + + @@ -15550,8 +36354,22 @@

High

- - + + + + + + + + + + + + + @@ -15564,8 +36382,22 @@

Medium

- - + + + + + + + + + + + + + @@ -15578,8 +36410,22 @@

High

- - + + + + + + + + + + + + + @@ -15589,41 +36435,85 @@

High

- - + + + + + + + + + + + + + - - - + + + - - + + + + + + + + + + + + + - - + + - + - - + + + + + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - - + + @@ -15633,8 +36523,19 @@

Medium

- - + + + + + + + + + + + + + @@ -15646,30 +36547,73 @@

Informational

- - + + + + + + + + + + + + + - - - + + + - + + + + + + + + + + + + - - + + - - - - - - + + + + + + + + + + + + + + + + + - - + + @@ -15682,8 +36626,22 @@

Medium

- - + + + + + + + + + + + + + @@ -15693,8 +36651,19 @@

Informational

- - + + + + + + + + + + + + + @@ -15708,8 +36677,23 @@

Informational

- - + + + + + + + + + + + + + @@ -15722,8 +36706,22 @@

Medium

- - + + + + + + + + + + + + + @@ -15733,8 +36731,19 @@

Informational

- - + + + + + + + + + + + + + @@ -15747,8 +36756,22 @@

Informational

- - + + + + + + + + + + + + + @@ -15761,20 +36784,58 @@

Informational

- - + + + + + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + @@ -15785,23 +36846,50 @@

Informational

- - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + @@ -15812,8 +36900,8 @@

Informational

- - + + @@ -15823,14 +36911,40 @@

Medium

- - + + + + + + + + + + + + + +- 111122223333-us-east-1-kb-data-bucket + + + + + + + + + + + @@ -15838,8 +36952,8 @@

Medium

- - + + @@ -15857,16 +36971,56 @@

High

- - + + + + + + + + + + + + + + + + + + + + + + + + @@ -15878,8 +37032,8 @@

High

- - + + @@ -15892,19 +37046,99 @@

Medium

- - + + + + + + + + + + + + + - + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -15914,19 +37148,30 @@

Informational

- - - + + + + + + + + + + + + + + - + - - + + @@ -15939,8 +37184,8 @@

Low

- - + + @@ -15952,8 +37197,8 @@

Medium

- - + + @@ -15963,22 +37208,19 @@

Informational

- - + + - - - + + + - + - - + + @@ -15990,8 +37232,8 @@

Medium

- - + + @@ -16004,8 +37246,8 @@

Medium

- - + + @@ -16017,19 +37259,19 @@

Medium

- - + + - - + + - - + + - - + + @@ -16039,12 +37281,12 @@

Informational

- - + + - + - - + + @@ -16064,8 +37306,8 @@

Informational

- - + + @@ -16078,8 +37320,8 @@

Medium

- - + + @@ -16091,19 +37333,21 @@

High

- - + + - - - + + + - + - - + + @@ -16113,8 +37357,8 @@

Medium

- - + + @@ -16126,62 +37370,64 @@

Medium

- - + + - + - - + + - - - - - - + + + + + + - - + + - - - + + + - - + + - - + + - - +- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*' +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases) + - - + + @@ -16193,8 +37439,8 @@

Informational

- - + + @@ -16204,8 +37450,8 @@

High

- - + + @@ -16215,44 +37461,51 @@

High

- - + + - - - - - + + + + + - - + + - - - - - - + + + + + + - - + + - - - - - + + + + + - - + + @@ -16265,8 +37518,8 @@

Informational

- - + + @@ -16279,13 +37532,13 @@

Informational

- - + + - - + + @@ -16308,8 +37561,8 @@

Informational

- - + + @@ -16319,12 +37572,12 @@

Medium

- - + + - + - - + + @@ -16347,19 +37600,22 @@

Informational

- - + + - - - - - + + + + + - - + + @@ -16372,19 +37628,22 @@

Informational

- - + + - - - - - + + + + + - - + + @@ -16397,8 +37656,8 @@

High

- - + + @@ -16411,8 +37670,8 @@

Informational

- - + + @@ -16425,8 +37684,8 @@

High

- - + + @@ -16439,8 +37698,8 @@

Medium

- - + + @@ -16453,8 +37712,8 @@

High

- - + + @@ -16467,41 +37726,47 @@

High

- - + + - - - - - + + + + + - - + + - - - + + + - - + + - - + + - - - - - + + + + + - - + + @@ -16511,8 +37776,8 @@

Medium

- - + + @@ -16524,41 +37789,47 @@

Informational

- - + + - - - - - - + + + + + + - - + + - - - - - + + + + + - - + + - + - - + + @@ -16568,8 +37839,8 @@

Informational

- - + + @@ -16583,8 +37854,8 @@

Informational

- - + + @@ -16597,8 +37868,8 @@

Medium

- - + + @@ -16608,8 +37879,8 @@

Informational

- - + + @@ -16622,8 +37893,8 @@

Informational

- - + + @@ -16636,19 +37907,22 @@

Informational

- - + + - - - - - + + + + + - - + + @@ -16660,22 +37934,22 @@

Informational

- - + + - - - - - - + + + + + + - - + + @@ -16687,8 +37961,8 @@

Informational

- - + + @@ -16698,8 +37972,8 @@

Medium

- - + + @@ -16712,8 +37986,8 @@

Medium

- - + + @@ -16723,15 +37997,13 @@

Informational

- - + + - - + + @@ -16753,67 +38025,56 @@

Informational

- - + + - + - - - - - - - - - - - - - - + + + - + - - - + + + - + - - - + + + - + - - - + + + - + @@ -16824,7 +38085,7 @@

Severity Levels & Status Values

Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333 us-east-1 FS-01 AWS Shield Advanced Not EnabledFailed
111111111111
111122223333us-west-2FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. +2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. +3. Enable Shield Response Team (SRT) access and configure proactive engagement. +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
111122223333 us-east-1 FS-01 No Regional WAF Web ACLs FoundFailed
111111111111
111122223333us-west-2FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). +2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. +3. Add AWS Managed Rules for known bad inputs.MediumFailed
111122223333 us-east-1 FS-02 API Gateway Usage Plans Missing ThrottleFailed
111111111111
111122223333us-west-2FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed
111122223333 us-east-1 FS-03Bedrock Token Quotas At DefaultAll 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.1. Review current Bedrock TPM/TPD quotas in the Service Quotas console. -2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review. -3. Implement client-side token counting and pre-flight quota checks. -4. Use Bedrock cross-region inference profiles to distribute load.Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load. MediumN/APassed
111122223333us-west-2FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
111111111111
111122223333 us-east-1 FS-04 No Cost Anomaly Detection MonitorsFailed
111111111111us-east-1
111122223333us-west-2FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. +2. Configure alert subscriptions (SNS/email) for anomalies above threshold. +3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
111122223333us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: +- AWS/Bedrock InvocationThrottles (threshold > 0) +- AWS/Bedrock TokensProcessed (threshold based on quota) +- Custom application-level token counters via EMFMediumFailed
111122223333us-west-2 FS-05 No Bedrock CloudWatch Alarms Found No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Failed
111111111111
111122223333 us-east-1 FS-06 No AI/ML Service Budgets ConfiguredFailed
111111111111
111122223333us-west-2FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. +2. Add SNS notifications to on-call channels. +3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
111122223333 us-east-1 FS-07 Agent Action Boundary CheckN/A
111111111111
111122223333us-west-2FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.InformationalN/A
111122223333 us-east-1 FS-08 AgentCore Runtimes Missing Policy EngineFailed
111111111111
111122223333us-west-2FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.HighFailed
111122223333 us-east-1 FS-09 Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111111111111-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111111111111-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111111111111-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111111111111-CleanupBucket, aiml-security-aiml-security-111111111111-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.Agent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. +2. Implement maximum iteration counts in agent orchestration logic. +3. Use Step Functions with MaxConcurrency and timeout states. +4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333us-west-2FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits. 1. Set reserved concurrency on agent Lambda functions. 2. Implement maximum iteration counts in agent orchestration logic. 3. Use Step Functions with MaxConcurrency and timeout states. @@ -15177,8 +35614,8 @@

Medium

Failed
111111111111
111122223333 us-east-1 FS-10 Human-in-the-Loop Check — No Agent Workflows FoundN/A
111111111111
111122223333us-west-2FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
111122223333 us-east-1 FS-11 No Agent Rate Alarms FoundFailed
111111111111
111122223333us-west-2FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: +- Bedrock agent invocation counts (threshold based on expected max) +- Lambda invocation errors for agent functions +- Step Functions execution failures and timeoutsMediumFailed
111122223333 us-east-1 FS-12 No Bedrock-Scoped SCPs FoundFailed
111111111111
111122223333us-west-2FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. +2. Use bedrock:ModelId condition key to allowlist approved models. +3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333 us-east-1 FS-13 Model Provenance Tags PresentPassed
111111111111
111122223333us-west-2FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333 us-east-1 FS-14 Model Governance Config Rules PresentPassed
111111111111
111122223333us-west-2FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
111122223333 us-east-1 FS-15 No Bedrock Evaluation Jobs FoundFailed
111111111111
111122223333us-west-2FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. +2. Use FMEval library for automated robustness testing. +3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333 us-east-1 FS-16 ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111111111111-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333us-west-2FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions. Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection. High Failed
111111111111
111122223333 us-east-1 FS-20 No SageMaker Feature Groups FoundN/A
111111111111
111122223333us-west-2FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333 us-east-1 FS-21 Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111111111111-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111111111111-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111111111111-huo1mvme4t.13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.HighFailed
111122223333us-west-2FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t. Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning. High Failed
111111111111
111122223333 us-east-1 FS-22 Overly Permissive Knowledge Base IAM Roles722 role(s) with wildcard KB permissions: -- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) + 827 role(s) with wildcard KB permissions: +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Admin' allows '*' +- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333us-west-2FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) - Role 'Admin' allows '*' - Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' - Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) @@ -15298,14 +35862,14 @@

Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.

Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs. High Failed
111111111111
111122223333 us-east-1 FS-24 ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333 us-east-1 FS-25 OpenSearch Serverless Encryption Policies PresentPassed
111111111111
111122223333us-west-2FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
111122223333 us-east-1 FS-26 OpenSearch Serverless Collections Not VPC-RestrictedFailed
111111111111
111122223333us-west-2FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333 us-east-1 FS-27No Guardrails — Contextual Grounding Not ApplicableNo Bedrock Guardrails configured. Configure guardrails first (see BR-05).Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification. InformationalN/AHighPassed
111122223333us-west-2FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed
111111111111
111122223333 us-east-1 FS-27Automated Reasoning Policies — Access CheckAccess denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml. -2. Check for an Organizations SCP / permission boundary denying the action. -3. Confirm the assessed region supports Automated Reasoning checks. -4. Re-run the assessment after re-deploying.LowN/ANo Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111111111111
111122223333us-west-2FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111122223333 us-east-1 FS-28No Guardrails — Denied Topics Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with denied topics for regulated financial content.Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-west-2FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. +2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. +3. Document disclaimer requirements in the AI use case register. +4. Test disclaimer presence in QA/UAT before production deployment. Informational N/A
111111111111us-east-1
111122223333us-west-2 FS-29 ADVISORY: Compliance Disclaimer — Manual Review Required Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.N/A
111111111111
111122223333 us-east-1 FS-30 ADVISORY: Compliance Dataset Coverage — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: +- Fair lending test cases (ECOA, Fair Housing Act) +- UDAP/UDAAP unfair/deceptive practice scenarios +- AML/KYC edge casesInformationalN/A
111122223333 us-east-1 FS-31 Knowledge Base Data Sources Past Review Threshold 2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 702 days ago -- KB '111111111111-us-east-1-kb' source '111111111111-us-east-1-kb-datasource' last synced 180 days ago +- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago +- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. +2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. +3. Set CloudWatch alarms on sync job failures.MediumFailed
111122223333us-west-2FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago +- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently. 1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. 2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. @@ -15419,8 +36100,8 @@

Medium

Failed
111111111111
111122223333 us-east-1 FS-32 ADVISORY: Source Attribution — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. +2. Include source document references in response post-processing. +3. Test citation accuracy in QA before production deployment. +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
111122223333 us-east-1 FS-33 KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111111111111-us-east-1-kb-data-bucket.KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.MediumFailed
111122223333us-west-2FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket. Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection. Medium Failed
111111111111
111122223333 us-east-1 FS-34 Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). +2. Migrate active usage to current model versions. +3. Document training-data cutoff dates for all models in use. +4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
111122223333us-west-2FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use. 1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). 2. Migrate active usage to current model versions. 3. Document training-data cutoff dates for all models in use. @@ -15458,8 +36178,8 @@

Informational

N/A
111111111111
111122223333 us-east-1 FS-35 ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: +- Toxicity detection +- Hate speech classification +- Violence/self-harm contentInformationalN/A
111122223333 us-east-1 FS-36No Guardrails — Content Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with content filters.Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-west-2FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile. HighPassed
111122223333us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. +2. Route flagged outputs to human reviewers via SQS/SNS. +3. Log feedback to DynamoDB/S3 for model improvement. +4. Define SLAs for reviewing flagged content. Informational N/A
111111111111us-east-1
111122223333us-west-2 FS-37 ADVISORY: User Feedback Mechanism — Manual Review Required User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.N/A
111111111111
111122223333 us-east-1 FS-38No Guardrails — Word Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with word filters.No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: +- Enable AWS managed profanity list +- Add custom denylist for prohibited financial terms +- Add allowlist for required regulatory language InformationalN/AMediumFailed
111122223333us-west-2FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: +- Enable AWS managed profanity list +- Add custom denylist for prohibited financial terms +- Add allowlist for required regulatory languageMediumFailed
111111111111
111122223333 us-east-1 FS-39 No SageMaker Clarify Bias MonitoringFailed
111111111111
111122223333us-west-2FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. +2. Define protected attributes (age, gender, race proxies). +3. Set bias metric thresholds and alert on violations. +4. Document bias testing results for regulatory examination.HighFailed
111122223333 us-east-1 FS-40 ADVISORY: Bias Dataset Coverage — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: +- Demographic parity test cases +- Equal opportunity scenarios +- Counterfactual fairness testsInformationalN/A
111122223333 us-east-1 FS-41 No SageMaker Clarify Explainability MonitoringFailed
111111111111
111122223333us-west-2FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. +2. Generate SHAP values for feature importance. +3. Map top features to human-readable adverse action reason codes. +4. Store explanations for regulatory examination.HighFailed
111122223333 us-east-1 FS-42 No SageMaker Model Cards FoundFailed
111111111111
111122223333us-west-2FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. +2. Document: intended use, out-of-scope uses, training data, bias evaluations. +3. Include regulatory compliance attestations. +4. Review and update cards at each model version release.MediumFailed
111122223333 us-east-1 FS-43 No CloudWatch Logs Data Protection PoliciesFailed
111111111111
111122223333us-west-2FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. +2. Enable masking for: SSN, credit card numbers, bank account numbers, email. +3. Apply policies to Bedrock invocation log groups. +4. Test masking with synthetic PII before production deployment.HighFailed
111122223333 us-east-1 FS-44 Amazon Macie EnabledPassed
111111111111
111122223333us-west-2FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.HighPassed
111122223333 us-east-1 FS-45No Guardrails — PII Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with PII/sensitive information filters.Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required. InformationalN/AHighPassed
111122223333us-west-2FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed
111111111111
111122223333 us-east-1 FS-46 AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111111111111-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111111111111-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111111111111.18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333. Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule. Medium Failed
111111111111
111122223333us-west-2FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
111122223333 us-east-1 FS-47No Guardrails — Grounding Threshold Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with contextual grounding checks.InformationalN/AGuardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111122223333us-west-2FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111111111111
111122223333 us-east-1 FS-48 Active Knowledge Bases for RAG PresentPassed
111111111111
111122223333us-west-2FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
111122223333 us-east-1 FS-49 ADVISORY: Hallucination Disclaimer — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' +2. Implement post-processing to append disclaimers. +3. Test disclaimer presence in QA before production.InformationalN/A
111122223333 us-east-1 FS-50No Guardrails With Relevance Grounding FiltersNo guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required. MediumFailedPassed
111122223333us-west-2FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed
111111111111
111122223333 us-east-1 FS-51No Guardrails — Prompt Attack Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with prompt attack filters.InformationalN/ANo Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. +2. Set input filter strength to HIGH. +3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. +4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. +5. Implement application-level input sanitization as defense-in-depth.HighFailed
111122223333us-west-2FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. +2. Set input filter strength to HIGH. +3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. +4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. +5. Implement application-level input sanitization as defense-in-depth.HighFailed
111111111111
111122223333 us-east-1 FS-52 Bedrock Lambda Functions on Deprecated RuntimesFailed
111111111111
111122223333us-west-2FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. +2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). +3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). +4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.MediumFailed
111122223333 us-east-1 FS-53 No WAF Web ACLs — Injection Rules Not ApplicableN/A
111111111111
111122223333us-west-2FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
111122223333 us-east-1 FS-54 ADVISORY: Penetration Testing — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. +2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. +3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. +4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
111122223333 us-east-1 FS-55 No Output Validation Functions FoundFailed
111111111111
111122223333us-west-2FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. +2. Validate output schema, length, and content before downstream use. +3. Sanitize outputs before rendering in web UIs (XSS prevention). +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
111122223333 us-east-1 FS-56 No WAF ACLs — XSS Prevention Not ApplicableN/A
111111111111
111122223333us-west-2FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333 us-east-1 FS-57 ADVISORY: Output Encoding — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. +2. Use parameterized queries when GenAI output is used in database operations. +3. JSON-encode outputs before embedding in JavaScript contexts. +4. Validate output length and format before passing to downstream APIs.InformationalN/A
111122223333 us-east-1 FS-58 ADVISORY: Output Schema Validation — Manual Review RequiredN/A
111111111111
111122223333us-west-2FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. +2. Implement JSON schema validation on Lambda output processors. +3. Reject malformed outputs and return safe error responses. +4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
111122223333 us-east-1 FS-59No Guardrails — Topic Allowlist Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with topic policies to restrict off-topic responses.Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-west-2FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile). MediumPassed
111122223333us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. +2. Use Bedrock Guardrails relevance grounding filter. +3. Test with off-topic prompts in QA to verify rejection behavior. Informational N/A
111111111111us-east-1
111122223333us-west-2 FS-60 ADVISORY: Contextual Grounding for Off-Topic Prevention Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.N/A
111111111111
111122223333 us-east-1 FS-61COULD NOT ASSESS: Knowledge Base Sync Schedule CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-FinServSecurityAssessment-G8d5dEiMJsZB/aiml-security-aiml-security-111111111111-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:111111111111:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowNo Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-west-2FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' +2. Expose KB last sync timestamp in application responses. +3. Alert users when KB data is older than defined threshold.Informational N/A
111111111111us-east-1
111122223333us-west-2 FS-62 ADVISORY: Data Currency Disclaimer — Manual Review Required Data currency disclaimers cannot be verified via AWS APIs. Manual review required.N/A
111111111111
111122223333 us-east-1 FS-63 Foundation Model Lifecycle ManagementPassed
111111111111
111122223333us-west-2FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.MediumPassed
111122223333 us-east-1 FS-65 KB Data Source Buckets Missing S3 Event Notifications The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: - semiconductor-demo-9999 -- 111111111111-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. +2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. +3. Integrate alerts into your security incident response workflow.MediumFailed
111122223333us-west-2FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- semiconductor-demo-9999 +- 111122223333-us-east-1-kb-data-bucket 1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. 2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. 3. Integrate alerts into your security incident response workflow.Failed
111111111111
111122223333 us-east-1 FS-66 AgentCore Runtimes Missing End-User Identity PropagationFailed
111111111111
111122223333us-west-2FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: +- origami_expeditions +- neoCyan_Agent +- customer_support_agent +- cdk_agent_core +- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. +2. Propagate the end-user's identity token to downstream tool services. +3. Ensure tool services validate the propagated identity before executing actions. +4. Do not expose propagated identity tokens to unauthorized third parties.HighFailed
111122223333 us-east-1 FS-67 Agent Action-Group Lambdas May Lack Transaction Thresholds The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-111111111111-FinServAssessment -- aiml-security-aiml-security-111111111111-BedrockAssessment +- aiml-security-aiml-security-111122223333-FinServAssessment +- aiml-security-aiml-security-111122223333-BedrockAssessment +- resco-aiml-BedrockAssessment +- aiml-security-aiml-security-111122223333-AgentCoreAssessment +- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk +- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII +- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
111122223333us-west-2FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-111122223333-FinServAssessment +- aiml-security-aiml-security-111122223333-BedrockAssessment - resco-aiml-BedrockAssessment -- aiml-security-aiml-security-111111111111-AgentCoreAssessment +- aiml-security-aiml-security-111122223333-AgentCoreAssessment - e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk - e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII - resco-aiml-AgentCoreAssessmentFailed
111111111111
111122223333 us-east-1 FS-68 API Gateway Request Body Size Limits Not EnforcedFailed
111111111111
111122223333us-west-2FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. +2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. +3. Set the max_tokens parameter in Bedrock API calls to cap output length. +4. Implement client-side token counting before submitting requests.MediumFailed
111122223333 us-east-1 FS-69 Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111111111111-CleanupBucket.Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
111122223333us-west-2FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket. Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection. Medium Passed
111111111111
111122223333eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666 eu-west-1 FS-00 FinServ Regional Scope Not ApplicableN/A
111111111111ap-southeast-2
444455556666ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666sa-east-1 FS-00 FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region. No action required unless GenAI workloads are expected in this region. Informational N/A
333333333333
777788889999 us-east-1 FS-01 AWS Shield Advanced Not EnabledFailed
333333333333
777788889999 us-east-1 FS-01 No Regional WAF Web ACLs FoundFailed
333333333333
777788889999 us-east-1 FS-02 No API Gateway Usage Plans FoundN/A
333333333333
777788889999 us-east-1 FS-03Bedrock Token Quotas At DefaultAll 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.1. Review current Bedrock TPM/TPD quotas in the Service Quotas console. -2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review. -3. Implement client-side token counting and pre-flight quota checks. -4. Use Bedrock cross-region inference profiles to distribute load.Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load. MediumN/APassed
333333333333
777788889999 us-east-1 FS-04 No Cost Anomaly Detection MonitorsFailed
333333333333
777788889999 us-east-1 FS-05 No Bedrock CloudWatch Alarms FoundFailed
333333333333
777788889999 us-east-1 FS-06 No AI/ML Service Budgets ConfiguredFailed
333333333333
777788889999 us-east-1 FS-07Agent Action Boundary CheckNo Bedrock agents found.Agent Action Boundaries Look AppropriateReviewed 1 agent(s); no wildcard sensitive actions found. No action required. InformationalN/AHighPassed
333333333333
777788889999 us-east-1 FS-08 No AgentCore Runtimes FoundN/A
333333333333
777788889999 us-east-1 FS-09 Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, resco-aiml-CleanupBucket, aiml-security-aiml-security-mgmt-IAMPermissionCaching, AIMLSecurity-Assessment-CodeBuildStartBuildLambda-Ul2QNob2S042, resco-aiml-BedrockAssessment, resco-aiml-AgentCoreAssessment, resco-aiml-GenerateReport. Unlimited concurrency allows runaway agent loops to exhaust account limits.Agent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-sec-test-resources-SageMakerJobCustomResource-ZA5QCAi0pN3d, AIMLSecurityAssessment-CodeBuildStartBuildLambda-VYOqtzWoNo3m, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, aiml-security-aiml-security-mgmt-IAMPermissionCaching, aiml-security-aiml-security-mgmt-AgentCoreAssessment, aiml-security-aiml-security-mgmt-BedrockAssessment, aiml-security-aiml-security-mgmt-ResolveRegions. Unlimited concurrency allows runaway agent loops to exhaust account limits. 1. Set reserved concurrency on agent Lambda functions. 2. Implement maximum iteration counts in agent orchestration logic. 3. Use Step Functions with MaxConcurrency and timeout states. @@ -16053,8 +37295,8 @@

Medium

Failed
333333333333
777788889999 us-east-1 FS-10 Human-in-the-Loop Check — No Agent Workflows FoundN/A
333333333333
777788889999 us-east-1 FS-11 No Agent Rate Alarms FoundFailed
333333333333
777788889999 us-east-1 FS-12 No Bedrock-Scoped SCPs FoundFailed
333333333333
777788889999 us-east-1 FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.Models Missing Provenance Tags2 model(s) missing required provenance tags: +- SageMaker model 'SageMakerModelWithIsolation-JASFpUHjajdk' missing tags: {'version', 'approval-date', 'source'} +- SageMaker model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' missing tags: {'version', 'approval-date', 'source'}Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule. MediumPassedFailed
333333333333
777788889999 us-east-1 FS-14 Model Governance Config Rules PresentPassed
333333333333
777788889999 us-east-1 FS-15 No Bedrock Evaluation Jobs FoundFailed
333333333333
777788889999 us-east-1 FS-16 ECR Repositories Without Image Scanning1 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-333333333333-us-east-1.2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption. Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection. High Failed
333333333333
777788889999 us-east-1 FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/AFeature Groups Without Offline Store1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.1. Enable offline store (S3-backed) for all production feature groups. +2. Enable S3 versioning on the offline store bucket. +3. Document rollback procedures for poisoned feature data.MediumFailed
333333333333
777788889999 us-east-1 FS-21No Training Data Buckets IdentifiedNo S3 buckets with training/model naming found.Tag training data buckets and enable versioning.Training Data Buckets Have VersioningAll 2 training bucket(s) have versioning enabled.No action required. InformationalN/AHighPassed
333333333333
777788889999 us-east-1 FS-22 Overly Permissive Knowledge Base IAM Roles710 role(s) with wildcard KB permissions: + 823 role(s) with wildcard KB permissions: - Role 'Admin' allows '*' -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListModelInvocations' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListPrompts' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetPrompt' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListAgents' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetAgent' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListCustomModels' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs. High Failed
333333333333
777788889999 us-east-1 FS-24 ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-25 OpenSearch Serverless Encryption Policies PresentPassed
333333333333
777788889999 us-east-1 FS-26 OpenSearch Serverless Collections Not VPC-RestrictedFailed
333333333333
777788889999 us-east-1 FS-27No Guardrails — Contextual Grounding Not ApplicableNo Bedrock Guardrails configured. Configure guardrails first (see BR-05).Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).InformationalCOULD NOT ASSESS: Guardrail Contextual Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-27Automated Reasoning Policies — Access CheckAccess denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml. -2. Check for an Organizations SCP / permission boundary denying the action. -3. Confirm the assessed region supports Automated Reasoning checks. -4. Re-run the assessment after re-deploying.LowN/ANo Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
333333333333
777788889999 us-east-1 FS-28No Guardrails — Denied Topics Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with denied topics for regulated financial content.InformationalCOULD NOT ASSESS: Financial Denied Topics CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-29 ADVISORY: Compliance Disclaimer — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-30 ADVISORY: Compliance Dataset Coverage — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-31 Knowledge Base Data Sources Past Review Threshold 1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 403 days ago +- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently. 1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. 2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. @@ -16294,8 +37547,8 @@

Medium

Failed
333333333333
777788889999 us-east-1 FS-32 ADVISORY: Source Attribution — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-33 KB Data Source Buckets Have VersioningPassed
333333333333
777788889999 us-east-1 FS-34 Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use. 1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). 2. Migrate active usage to current model versions. 3. Document training-data cutoff dates for all models in use. @@ -16333,8 +37586,8 @@

Informational

N/A
333333333333
777788889999 us-east-1 FS-35 ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-36No Guardrails — Content Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with content filters.InformationalCOULD NOT ASSESS: Guardrail Content Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-37 ADVISORY: User Feedback Mechanism — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-38No Guardrails — Word Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with word filters.InformationalCOULD NOT ASSESS: Guardrail Word Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-39 No SageMaker Clarify Bias MonitoringFailed
333333333333
777788889999 us-east-1 FS-40 ADVISORY: Bias Dataset Coverage — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-41 No SageMaker Clarify Explainability MonitoringFailed
333333333333
777788889999 us-east-1 FS-42 No SageMaker Model Cards FoundFailed
333333333333
777788889999 us-east-1 FS-43 No CloudWatch Logs Data Protection PoliciesFailed
333333333333
777788889999 us-east-1 FS-44 Amazon Macie Not EnabledFailed
333333333333
777788889999 us-east-1 FS-45No Guardrails — PII Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with PII/sensitive information filters.InformationalCOULD NOT ASSESS: Guardrail PII Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-46No AI/ML Data Buckets IdentifiedNo S3 buckets with AI/ML naming found.Tag AI/ML data buckets with data-classification labels.AI/ML Buckets Without Data Classification Tags3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule. InformationalN/AMediumFailed
333333333333
777788889999 us-east-1 FS-47No Guardrails — Grounding Threshold Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with contextual grounding checks.InformationalCOULD NOT ASSESS: Guardrail Grounding Threshold CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-48 Active Knowledge Bases for RAG PresentPassed
333333333333
777788889999 us-east-1 FS-49 ADVISORY: Hallucination Disclaimer — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-50No Guardrails With Relevance Grounding FiltersNo guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.MediumFailedCOULD NOT ASSESS: Guardrail Relevance Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
333333333333
777788889999 us-east-1 FS-51No Guardrails — Prompt Attack Filters Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with prompt attack filters.InformationalCOULD NOT ASSESS: Prompt Injection Input Validation CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-52 Bedrock Lambda Functions on Current RuntimesAll 16 Bedrock Lambda function(s) use current runtimes.All 10 Bedrock Lambda function(s) use current runtimes. No action required. Medium Passed
333333333333
777788889999 us-east-1 FS-53 No WAF Web ACLs — Injection Rules Not ApplicableN/A
333333333333
777788889999 us-east-1 FS-54 ADVISORY: Penetration Testing — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-55 No Output Validation Functions FoundFailed
333333333333
777788889999 us-east-1 FS-56 No WAF ACLs — XSS Prevention Not ApplicableN/A
333333333333
777788889999 us-east-1 FS-57 ADVISORY: Output Encoding — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-58 ADVISORY: Output Schema Validation — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-59No Guardrails — Topic Allowlist Not ApplicableNo Bedrock Guardrails configured.Configure guardrails with topic policies to restrict off-topic responses.InformationalCOULD NOT ASSESS: Guardrail Topic Allowlist CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.Low N/A
333333333333
777788889999 us-east-1 FS-60 ADVISORY: Contextual Grounding for Off-Topic PreventionN/A
333333333333
777788889999 us-east-1 FS-61COULD NOT ASSESS: Knowledge Base Sync Schedule CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-FinServSecurityAssessmentFunctio-pwj9by1swQWa/aiml-security-aiml-security-mgmt-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:333333333333:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/ANo Automated KB Sync Schedules DetectedFound 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
333333333333
777788889999 us-east-1 FS-62 ADVISORY: Data Currency Disclaimer — Manual Review RequiredN/A
333333333333
777788889999 us-east-1 FS-63 Foundation Model Lifecycle ManagementPassed
333333333333
777788889999 us-east-1 FS-65 KB Data Source Buckets Missing S3 Event NotificationsFailed
333333333333
777788889999 us-east-1 FS-66 No AgentCore Runtimes FoundN/A
333333333333
777788889999 us-east-1 FS-67 Agent Action-Group Lambdas May Lack Transaction Thresholds The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: - aiml-security-aiml-security-mgmt-FinServAssessment -- resco-aiml-BedrockAssessment -- resco-aiml-AgentCoreAssessment - aiml-security-aiml-security-mgmt-AgentCoreAssessment - aiml-security-aiml-security-mgmt-BedrockAssessment 1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. @@ -16742,8 +38014,8 @@

High

Failed
333333333333
777788889999 us-east-1 FS-68 API Gateway Request Body Size Limits — Not ApplicableN/A
333333333333
777788889999 us-east-1 FS-69 Prompt Input Validation Functions PresentFound 2 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket, resco-aiml-CleanupBucket.Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket. Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection. Medium Passed
333333333333eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
333333333333ap-southeast-2
777788889999us-west-2 FS-00 FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region. No action required unless GenAI workloads are expected in this region. Informational N/A
222222222222us-east-1
777788889999eu-west-1 FS-00 FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region. No action required unless GenAI workloads are expected in this region. Informational N/A
222222222222eu-west-1
777788889999ap-south-1 FS-00 FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region. No action required unless GenAI workloads are expected in this region. Informational N/A
222222222222ap-southeast-2
777788889999sa-east-1 FS-00 FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region. No action required unless GenAI workloads are expected in this region. Informational
HighDirect security riskFailedRemediation needed
MediumDefense-in-depth gapPassedMeets requirements
LowBest practiceN/ANot applicable
InformationalNo action required

Remediation Guidance

High7 daysAddress immediately; block deployment if unresolved
Medium30 daysSchedule in next sprint; may require change window
Low90 daysInclude in backlog; address during regular maintenance

Assessment Notes

Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.
-

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Industry
Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

+

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Agentic AI Security
Agentic AI Security Lens Mapping
Industry
Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Agentic AI Security references the AWS Well-Architected Agentic AI Lens. Controls that cannot be proven using AWS APIs, including semantic human-in-the-loop workflow quality, are not automatically scored. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

@@ -17004,6 +38265,7 @@

By Service

-
Security Checks
53
Evaluated across 3 regions
-
Total Findings
172
Across 3 regions
-
Actionable Findings
37
High, Medium, and Low severity
-
High Severity
3/6
50.0% passed · Immediate action required
-
Medium Severity
9/28
32.1% passed · Should be addressed
-
Low Severity
3/3
100.0% passed · Best practices
+
Security Checks
97
Evaluated across 5 regions
+
Total Findings
462
Across 5 regions
+
Actionable Findings
100
High, Medium, and Low severity
+
High Severity
4/41
9.8% passed · Immediate action required
+
Medium Severity
15/41
36.6% passed · Should be addressed
+
Low Severity
5/18
27.8% passed · Best practices

Priority Recommendations

3
@@ -241,12 +247,18 @@

Security Assessment Overview

Marketplace Subscription Access Check
Bedrock
-
+
1
-
Stale Bedrock Access Check
+
Cross-Account Guardrails Enforcement Check
Bedrock
+
+
1
+
+
AgentCore Service-Linked Role Missing
+
AgentCore
+

Severity Legend

View full methodology
@@ -267,16 +279,16 @@

Security Assessment Overview

All Security Findings
- -
-
+ +
+
-
- - +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2
+ + @@ -285,9 +297,9 @@

Security Assessment Overview

- - - + + + @@ -296,9 +308,9 @@

Security Assessment Overview

- - - + + + @@ -307,9 +319,9 @@

Security Assessment Overview

- - - + + + @@ -318,9 +330,9 @@

Security Assessment Overview

- - - + + + @@ -333,9 +345,9 @@

Security Assessment Overview

- - - + + + @@ -344,20 +356,20 @@

Security Assessment Overview

- - - + + + - - + + - - - + + + @@ -366,9 +378,9 @@

Security Assessment Overview

- - - + + + @@ -377,9 +389,9 @@

Security Assessment Overview

- - - + + + @@ -388,9 +400,9 @@

Security Assessment Overview

- - - + + + @@ -399,366 +411,339 @@

Security Assessment Overview

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - - - - - - - - - - - - + - - - - - - - - - + + + + + + + + + - - - - - - - + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - + + + @@ -767,9 +752,9 @@

Security Assessment Overview

- - - + + + @@ -778,9 +763,9 @@

Security Assessment Overview

- - - + + + @@ -789,9 +774,9 @@

Security Assessment Overview

- - - + + + @@ -800,9 +785,9 @@

Security Assessment Overview

- - - + + + @@ -815,9 +800,9 @@

Security Assessment Overview

- - - + + + @@ -826,20 +811,20 @@

Security Assessment Overview

- - - + + + - - + + - - - + + + @@ -848,9 +833,9 @@

Security Assessment Overview

- - - + + + @@ -859,9 +844,9 @@

Security Assessment Overview

- - - + + + @@ -870,9 +855,9 @@

Security Assessment Overview

- - - + + + @@ -881,1338 +866,1316 @@

Security Assessment Overview

- - - - - - - - - + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - - - - - - - - - - - - - + + - - - - - + + + + + - - - - - - - - - - - - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + - + - - - - - - - - + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - + + + - - - + + + - - - - - - - - - - + + + + + + + + + + - - + + - - - - - - + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1 BR-02 Amazon Bedrock private connectivity check No regional Bedrock resources found to assess private connectivity Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-04 Bedrock Model Invocation Logging Check No regional Bedrock resources found to monitor with invocation logging Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-05 Bedrock Guardrails Check No regional Bedrock resources found to protect with guardrails Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-06 Bedrock CloudTrail Logging Check No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-07 Bedrock Prompt Management Check Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses. Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-08 Bedrock Agent IAM Roles Check No Bedrock agents found in the account Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-09 Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.No Knowledge Bases found in the accountNo action required Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-10 Bedrock Guardrail IAM Enforcement Check No guardrails configured - IAM enforcement check not applicable Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-11 Bedrock Custom Model Encryption Check No custom/fine-tuned models found in the account Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-12 Bedrock Invocation Log Encryption Check Model invocation logging to S3 is not configured Informational N/A
111111111111ap-southeast-2
123456789012ap-south-1 BR-13 Bedrock Flows Guardrails Check No Bedrock Flows found in the account Informational N/A
111111111111eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111111111111eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformational
123456789012ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMedium N/A
111111111111eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformational
123456789012ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
123456789012ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action requiredInformationalN/A
111111111111eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates Informational N/A
111111111111eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformational
123456789012ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMedium N/A
111111111111eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
123456789012ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption InformationalHigh N/A
111111111111eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformational
123456789012ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHigh N/A
111111111111eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account
123456789012ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotas No action required Informational N/A
111111111111eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformational
123456789012ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
111111111111eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformational
123456789012ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMedium N/A
111111111111GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
123456789012ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
123456789012ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses HighFailedN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
123456789012ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics HighFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonQInvestigationRole-DefaultInvestigationGroup-ma74at' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'aws-elasticbeanstalk-ec2-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
123456789012ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'Nova-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ScoutSuiteRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'SecurityHubGenAISummary-IAMRolefnCreateSummary-ulVA50wgXCG3' last accessed Bedrock on 2024-09-06You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
111111111111us-east-1
123456789012eu-west-1 BR-02 Amazon Bedrock private connectivity check No regional Bedrock resources found to assess private connectivity Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-04 Bedrock Model Invocation Logging Check No regional Bedrock resources found to monitor with invocation logging Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-05 Bedrock Guardrails Check No regional Bedrock resources found to protect with guardrails Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-06 Bedrock CloudTrail Logging Check No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-07 Bedrock Prompt Management Check Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses. Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-08 Bedrock Agent IAM Roles Check No Bedrock agents found in the account Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-09 Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.No Knowledge Bases found in the accountNo action required Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-10 Bedrock Guardrail IAM Enforcement Check No guardrails configured - IAM enforcement check not applicable Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-11 Bedrock Custom Model Encryption Check No custom/fine-tuned models found in the account Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-12 Bedrock Invocation Log Encryption Check Model invocation logging to S3 is not configured Informational N/A
111111111111us-east-1
123456789012eu-west-1 BR-13 Bedrock Flows Guardrails Check No Bedrock Flows found in the account Informational N/A
111111111111ap-southeast-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformational
123456789012eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMedium N/A
111111111111ap-southeast-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111111111111ap-southeast-2SM-03Data Protection CheckNo SageMaker resources found to check for data protection
123456789012eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
111111111111ap-southeast-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required
123456789012eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment MediumPassed
111111111111ap-southeast-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformational N/A
111111111111ap-southeast-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformational
123456789012eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHigh N/A
111111111111ap-southeast-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformational
123456789012eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHigh N/A
111111111111ap-southeast-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
123456789012eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action required Informational N/A
111111111111ap-southeast-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformational
123456789012eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
111111111111ap-southeast-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformational
123456789012eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMedium N/A
111111111111ap-southeast-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformational
123456789012eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
111111111111ap-southeast-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformational
123456789012eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHigh N/A
111111111111ap-southeast-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformational
123456789012eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMedium N/A
111111111111ap-southeast-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformational
123456789012eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHigh N/A
111111111111ap-southeast-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformational
123456789012eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLow N/A
111111111111ap-southeast-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformational
123456789012eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.Low N/A
111111111111ap-southeast-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformational
123456789012eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMedium N/A
111111111111ap-southeast-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions found
123456789012eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarms No action required Informational N/A
111111111111ap-southeast-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
123456789012eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111ap-southeast-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
123456789012eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111ap-southeast-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
123456789012eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111ap-southeast-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
123456789012eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111ap-southeast-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
123456789012eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111ap-southeast-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
123456789012eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111ap-southeast-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111111111111ap-southeast-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111111111111ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
123456789012eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111
123456789012 eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredAG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111111111111
123456789012 eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredAG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111111111111
123456789012 eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentAG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111
123456789012 eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionAG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111
123456789012 eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentAG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111
123456789012 eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionAG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
123456789012sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action required Informational N/A
111111111111eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
123456789012sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action required Informational N/A
111111111111eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances found
123456789012sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails No action required Informational N/A
111111111111eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found
123456789012sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage No action required Informational N/A
111111111111eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
123456789012sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates Informational N/A
111111111111eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
123456789012sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account No action required Informational N/A
111111111111eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found
123456789012sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the account No action required Informational N/A
111111111111eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
123456789012sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies Informational N/A
111111111111eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores found
123456789012sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account No action required Informational N/A
111111111111eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
123456789012sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption Informational N/A
111111111111eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs found
123456789012sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account No action required Informational N/A
111111111111eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformational
123456789012sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMedium N/A
111111111111eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformational
123456789012sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs found
123456789012sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
111111111111eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs found
123456789012sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotas No action required Informational N/A
111111111111eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.Informational
123456789012sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
111111111111eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action required
123456789012sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responses MediumPassedN/A
111111111111eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action required
123456789012sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations LowPassedN/A
111111111111eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.Informational
123456789012sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHigh N/A
111111111111GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action required
123456789012sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics HighPassedN/A
111111111111us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformational
123456789012sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLow N/A
111111111111us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action required
123456789012sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumPassedN/A
111111111111us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protection
123456789012sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarms No action required Informational N/A
111111111111us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
123456789012sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
123456789012sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
123456789012sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
123456789012sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
123456789012sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
123456789012sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required
123456789012sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required
123456789012sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
123456789012sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
123456789012sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
123456789012sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
123456789012sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111
123456789012GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012 us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundBR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivity No action required Informational N/A
111111111111
123456789012 us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessBR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation logging No action required Informational N/A
111111111111
123456789012 us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundBR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails No action required Informational N/A
111111111111
123456789012 us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundBR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage No action required Informational N/A
111111111111
123456789012 us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredBR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates Informational N/A
111111111111
123456789012 us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundBR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account No action required Informational N/A
111111111111
123456789012 us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundBR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the account No action required Informational N/A
111111111111
123456789012 us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredBR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies Informational N/A
111111111111
123456789012 us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundBR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the account No action required Informational N/A
111111111111
123456789012 us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption Informational N/A
111111111111
123456789012 us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the account No action requiredMediumPassedInformationalN/A
111111111111us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012GlobalBR-15Cross-Account Guardrails Enforcement CheckBedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.HighFailed
111111111111
123456789012 us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalBR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMedium N/A
111111111111ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformational
123456789012us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources found
123456789012us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
111111111111ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformational
123456789012us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMedium N/A
111111111111ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformational
123456789012us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHigh N/A
111111111111ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformational
123456789012us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHigh N/A
111111111111ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources found
123456789012us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotas No action required Informational N/A
111111111111ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformational
123456789012us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
111111111111ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformational
123456789012us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMedium N/A
111111111111ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformational
123456789012us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
111111111111ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformational
123456789012us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHigh N/A
111111111111eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111111111111eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111111111111eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformational
123456789012us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMedium N/A
111111111111eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformational
123456789012us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHigh N/A
111111111111eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformational
123456789012us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLow N/A
111111111111eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformational
123456789012us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformational
123456789012us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMedium N/A
111111111111eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies
123456789012us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarms No action required Informational N/A
111111111111eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
123456789012us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required
123456789012us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111
123456789012 GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.Use IAM and organization controls to require approved guardrails for model and agent invocations where supported. HighPassed
111111111111GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMedium Failed
111111111111GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
111111111111
123456789012 us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredAG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111
123456789012 us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredAG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111
123456789012 us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredAG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111
123456789012 us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredAG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111
123456789012 us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredAG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111
123456789012 us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredAG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111
123456789012 us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredAG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111
123456789012 us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredAG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111
123456789012 us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredAG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111
123456789012 us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredAG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111
123456789012 us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111111111111ap-southeast-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
- -
-
Risk Distribution
-

Pass Rate by Severity

-
-
HIGH
50.0%
3 of 6 checks passed
-
MEDIUM
32.1%
9 of 28 checks passed
-
LOW
100.0%
3 of 3 checks passed
-
Overall
40.5%
15 of 37 actionable checks
-
- -

Risk by Region

-
ap-southeast-2
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
-

Findings by Service

-
-
Bedrock
54
20 Failed · 1 Passed
-
SageMaker
82
0 Failed · 13 Passed
-
AgentCore
33
2 Failed · 1 Passed
-
Financial Services Risk
3
0 Failed · 0 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
- -
-
-
- -
-
- - + + + @@ -2221,9 +2184,9 @@

Informational

- - - + + + @@ -2232,9 +2195,9 @@

Informational

- - - + + + @@ -2243,9 +2206,9 @@

Informational

- - - + + + @@ -2254,9 +2217,9 @@

Informational

- - - + + + @@ -2269,9 +2232,9 @@

Informational

- - - + + + @@ -2280,20 +2243,20 @@

Informational

- - - + + + - - + + - - - + + + @@ -2302,9 +2265,9 @@

Informational

- - - + + + @@ -2313,9 +2276,9 @@

Informational

- - - + + + @@ -2324,9 +2287,9 @@

Informational

- - - + + + @@ -2335,502 +2298,339 @@

Informational

- - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - + + + + + + + + + + + + + + + + + - + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - + + + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - + + + + + + + + - + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2
123456789012us-west-2 BR-02 Amazon Bedrock private connectivity check No regional Bedrock resources found to assess private connectivityN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-04 Bedrock Model Invocation Logging Check No regional Bedrock resources found to monitor with invocation loggingN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-05 Bedrock Guardrails Check No regional Bedrock resources found to protect with guardrailsN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-06 Bedrock CloudTrail Logging Check No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-07 Bedrock Prompt Management Check Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.N/A
111111111111ap-southeast-2
123456789012us-west-2 BR-08 Bedrock Agent IAM Roles Check No Bedrock agents found in the accountN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-09 Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.No Knowledge Bases found in the accountNo action required Informational N/A
111111111111ap-southeast-2
123456789012us-west-2 BR-10 Bedrock Guardrail IAM Enforcement Check No guardrails configured - IAM enforcement check not applicableN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-11 Bedrock Custom Model Encryption Check No custom/fine-tuned models found in the accountN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-12 Bedrock Invocation Log Encryption Check Model invocation logging to S3 is not configuredN/A
111111111111ap-southeast-2
123456789012us-west-2 BR-13 Bedrock Flows Guardrails Check No Bedrock Flows found in the accountN/A
111111111111eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformational
123456789012us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMedium N/A
111111111111eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformational
123456789012us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHigh N/A
111111111111eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrails
123456789012us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobs No action required Informational N/A
111111111111eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformational
123456789012us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMedium N/A
111111111111eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformational
123456789012us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHigh N/A
111111111111eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the account
123456789012us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotas No action required Informational N/A
111111111111eu-west-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.Informational
123456789012us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHigh N/A
111111111111eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformational
123456789012us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMedium N/A
111111111111eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformational
123456789012us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLow N/A
111111111111eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformational
123456789012us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHigh N/A
111111111111eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformational
123456789012us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMedium N/A
111111111111GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
123456789012us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics HighFailedN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111111111111GlobalBR-03Marketplace Subscription Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
123456789012us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys HighFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AIMLSecurityMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AmazonQInvestigationRole-DefaultInvestigationGroup-ma74at' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'aws-elasticbeanstalk-ec2-role' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AwsSecurityAudit' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForAuditManager' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'AWSServiceRoleForSupport' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSecAuditRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'CloudSeerTrustedServiceRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'InternalAuditInternal' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'Nova-DO-NOT-DELETE' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ReSCOAIMLMemberRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
123456789012us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output MediumFailedN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'ScoutSuiteRole' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'SecurityHubGenAISummary-IAMRolefnCreateSummary-ulVA50wgXCG3' last accessed Bedrock on 2024-09-06You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111GlobalBR-14Stale Bedrock Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' last accessed Bedrock on neverYou can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.MediumFailed
123456789012us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111111111111us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action required
123456789012us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action required
123456789012us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action required
123456789012us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action required
123456789012us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templates
123456789012us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action required
123456789012us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111us-east-1BR-09Bedrock Knowledge Base Encryption CheckUnable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases actionVerify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
123456789012us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policies
123456789012us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action required
123456789012us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
123456789012us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action required
123456789012us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
-
-
-
Amazon SageMaker Findings
-
-
- -
-
-
- -
-
- - + + + + @@ -2839,9 +2639,9 @@

Informational

- - - + + + @@ -2850,9 +2650,9 @@

Medium

- - - + + + @@ -2861,9 +2661,9 @@

Informational

- - - + + + @@ -2872,9 +2672,9 @@

Medium

- - - + + + @@ -2883,9 +2683,9 @@

Informational

- - - + + + @@ -2894,1219 +2694,7806 @@

Informational

- - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2
123456789012ap-south-1 SM-01 SageMaker Internet Access Check No SageMaker notebook instances or domains found to checkN/A
111111111111ap-southeast-2
123456789012ap-south-1 SM-02 SageMaker SSO Configuration Check No SageMaker domains found, or all domains use SSO with IAM Identity Center configuredPassed
111111111111ap-southeast-2
123456789012ap-south-1 SM-03 Data Protection Check No SageMaker resources found to check for data protectionN/A
111111111111ap-southeast-2
123456789012ap-south-1 SM-04 GuardDuty Enabled Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.Passed
111111111111ap-southeast-2
123456789012ap-south-1 SM-05 SageMaker Model Registry Issue No model package groups foundN/A
111111111111ap-southeast-2
123456789012ap-south-1 SM-05 SageMaker Feature Store Issue No feature groups foundN/A
111111111111ap-southeast-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
123456789012ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
123456789012us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
123456789012ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
123456789012eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
123456789012sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredHighPassed
123456789012GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
123456789012GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
123456789012us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighPassed
123456789012GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
123456789012us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
123456789012us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
123456789012us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
+
+
+
Risk Distribution
+

Pass Rate by Severity

+
+
HIGH
9.8%
4 of 41 checks passed
+
MEDIUM
36.6%
15 of 41 checks passed
+
LOW
27.8%
5 of 18 checks passed
+
Overall
24.0%
24 of 100 actionable checks
+
+ +

Risk by Region

+
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
us-west-2
0
0 High · 0 Med · 0 Low
+

Findings by Assessment Area

+
+
Bedrock
145
4 Failed · 1 Passed
+
SageMaker
136
0 Failed · 21 Passed
+
AgentCore
53
1 Failed · 1 Passed
+
Agentic AI Security
123
1 Failed · 1 Passed
+
Financial Services Risk
5
0 Failed · 0 Passed
+
+
+
+
Amazon Bedrock Findings
+
+
+ +
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
123456789012ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
123456789012eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
123456789012sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
123456789012us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012us-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012GlobalBR-15Cross-Account Guardrails Enforcement CheckBedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.HighFailed
123456789012us-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templatesInformationalN/A
123456789012us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
+
+
+
Amazon SageMaker Findings
+
+
+ +
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
123456789012us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
+
+
+
Amazon Bedrock AgentCore Findings
+
+
+ +
+
+
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredHighPassed
123456789012GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
123456789012GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
123456789012us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required Informational N/A
111111111111ap-southeast-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection
123456789012us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required Informational N/A
111111111111ap-southeast-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules
123456789012us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required Informational N/A
111111111111ap-southeast-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows
123456789012us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required Informational N/A
111111111111ap-southeast-2SM-09SageMaker Notebook Root Access CheckNo notebook instances found
123456789012us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources found No action required Informational N/A
111111111111ap-southeast-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances found
123456789012us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources found No action required Informational N/A
111111111111ap-southeast-2SM-11SageMaker Model Network Isolation CheckNo models found
123456789012us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policies No action required Informational N/A
111111111111ap-southeast-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints found
123456789012us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines found No action required Informational N/A
111111111111ap-southeast-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules found
123456789012us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways found No action requiredInformationalN/A
+
+
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
+ + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - - - + + + + + - + - - + + - - - - - + + + + + - - - - - - - - - - - - - + + - - - - - + + + + + - - + + - - - - - - - + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - - + + + + + + - - - - - - - - - - - - + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111ap-southeast-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
123456789012ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111ap-southeast-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
123456789012ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111ap-southeast-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
123456789012ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111ap-southeast-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
123456789012ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111ap-southeast-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
123456789012ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111ap-southeast-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
123456789012ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111ap-southeast-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
123456789012ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111ap-southeast-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
123456789012ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111ap-southeast-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
123456789012ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111ap-southeast-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
111111111111ap-southeast-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
111111111111ap-southeast-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
123456789012ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111
123456789012 eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredAG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111
123456789012 eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassedAG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
111111111111
123456789012 eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredAG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111
123456789012 eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassedAG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
111111111111
123456789012 eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentAG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111
123456789012 eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionAG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111
123456789012 eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentAG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111
123456789012 eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionAG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111
123456789012 eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesAG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111
123456789012 eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsAG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111
123456789012 eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredAG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111
123456789012 eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredAG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111
123456789012 eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredAG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
123456789012sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
123456789012sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
123456789012sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
123456789012sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
123456789012sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
123456789012sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
123456789012sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
123456789012sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
123456789012sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
123456789012sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
123456789012sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
123456789012sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
123456789012sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111111111111eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
111111111111eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
123456789012us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111
123456789012 GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.Use IAM and organization controls to require approved guardrails for model and agent invocations where supported. HighPassedFailed
111111111111
123456789012 us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredAG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111111111111
123456789012 us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredAG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111
123456789012 us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassedAG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
111111111111
123456789012 us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentAG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111
123456789012 us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionAG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111
123456789012 us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentAG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111
123456789012 us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionAG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111
123456789012 us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesAG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111
123456789012 us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsAG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111
123456789012 us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredAG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111
123456789012 us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredAG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. Informational N/A
111111111111us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action required
123456789012us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. Informational N/A
111111111111us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required
123456789012us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. Informational N/A
111111111111us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required
123456789012us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. Informational N/A
111111111111us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required
123456789012us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. Informational N/A
111111111111us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required
123456789012us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. Informational N/A
111111111111us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required
123456789012us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. Informational N/A
111111111111us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required
123456789012us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. Informational N/A
111111111111us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required
123456789012us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. Informational N/A
111111111111us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required
123456789012us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. Informational N/A
111111111111us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required
123456789012us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. Informational N/A
111111111111us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required
123456789012us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. Informational N/A
111111111111us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.
123456789012us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. Informational N/A
111111111111us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
111111111111us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.
123456789012ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action requiredLowPassed
111111111111us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. Informational N/A
-
-
-
Amazon Bedrock AgentCore Findings
-
-
- -
-
-
- -
-
- - - - - + + + + + + + - + - - - - - - + + + + + + - + - - - - - - + + + + + + - + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - - - - - - - + + + + + + + + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - + + + + + + - - - + + + - - - - - - - - - - + + + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + - - + + - - - + + + - + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - - - + + + + + - - + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + - + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111ap-southeast-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources found
123456789012ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2AC-04AgentCore Observability CheckNo AgentCore resources found
123456789012ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2AC-05AgentCore Encryption CheckNo AgentCore resources found
123456789012ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
111111111111ap-southeast-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
123456789012ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
111111111111ap-southeast-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
123456789012ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
111111111111ap-southeast-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
123456789012ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
111111111111ap-southeast-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
123456789012ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
111111111111ap-southeast-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
123456789012ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
111111111111ap-southeast-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
123456789012ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. Informational N/A
111111111111ap-southeast-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required
123456789012ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. Informational N/A
111111111111
123456789012 eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundAG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundAG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundAG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationAG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredAG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
111111111111
123456789012 eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredAG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
111111111111
123456789012 eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredAG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
111111111111
123456789012 eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredAG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
111111111111
123456789012 eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredAG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
111111111111
123456789012 eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundAG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
111111111111GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access found
123456789012sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action requiredHighPassedInformationalN/A
111111111111GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'Review and remove unused AgentCore permissions following least privilege principleMediumFailed
123456789012sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
111111111111GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
123456789012sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
111111111111
123456789012sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012 us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundAG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundAG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundAG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways found No action required Informational N/A
111111111111
123456789012 us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationAG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways found No action requiredInformationalN/A
123456789012GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighPassed
123456789012GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access. Informational N/A
111111111111
123456789012 us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredAG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. Informational N/A
111111111111
123456789012 us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredAG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. Informational N/A
111111111111
123456789012 us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredAG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. Informational N/A
111111111111
123456789012 us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredAG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. Informational N/A
111111111111
123456789012 us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredAG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. Informational N/A
111111111111
123456789012 us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundAG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways found No action required Informational N/A
-
-
Financial Services GenAI Risk Findings
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).
- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111111111111
123456789012us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
123456789012us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
123456789012us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
123456789012us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
123456789012us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
123456789012us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
123456789012us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
+
Financial Services GenAI Risk Findings
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).
+ @@ -4116,8 +10503,19 @@

Informational

- - + + + + + + + + + + + + + @@ -4127,12 +10525,23 @@

Informational

- - - + + + + + + + + + + + + + + - + @@ -4143,7 +10552,7 @@

Severity Levels & Status Values

Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012 us-east-1 FS-00 FinServ Regional Scope Not ApplicableN/A
111111111111
123456789012us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012 eu-west-1 FS-00 FinServ Regional Scope Not ApplicableN/A
111111111111ap-southeast-2
123456789012ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012sa-east-1 FS-00 FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region. No action required unless GenAI workloads are expected in this region. Informational
HighDirect security riskFailedRemediation needed
MediumDefense-in-depth gapPassedMeets requirements
LowBest practiceN/ANot applicable
InformationalNo action required

Remediation Guidance

High7 daysAddress immediately; block deployment if unresolved
Medium30 daysSchedule in next sprint; may require change window
Low90 daysInclude in backlog; address during regular maintenance

Assessment Notes

Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.
-

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Industry
Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

+

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Agentic AI Security
Agentic AI Security Lens Mapping
Industry
Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Agentic AI Security references the AWS Well-Architected Agentic AI Lens. Controls that cannot be proven using AWS APIs, including semantic human-in-the-loop workflow quality, are not automatically scored. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

@@ -4323,10 +10732,11 @@