GSMA Security Certification

Overview

Amazon Web Services (AWS) EU West (Paris) and US East (Ohio) Regions are certified by the GSM Association (GSMA) under its Security Accreditation Scheme Subscription Management (SAS-SM) with scope Data Center Operations and Management (DCOM). This alignment with GSMA requirements demonstrates our continuous commitment to adhere to the heightened expectations for cloud service providers.

The GSM Association (Global System for Mobile Communications, originally Groupe Spécial Mobile) is an industry organization comprised of 1,200 wireless service providers and related companies (handset manufacturers, software providers, internet service providers) focused on standardization and interoperability. The organization established a Security Accreditation Scheme (SAS) with applicability to universal integrated circuit card production (SAS-UP) and remote subscriber identification module (SIM)/universal integrated circuit card (UICC) provisioning subscription management (SAS-SM).

AWS was evaluated by independent third-party auditors selected by GSMA. The certification for the EU West (Paris) and US East (Ohio) Regions was renewed in October 2023. The SAS-SM audits covered:

Section 1: Policy, Strategy and Documentation
Section 2: Organisation and Responsibility
Section 3: Information
Section 4: Personnel Security
Section 5: Physical Security
Section 10: Computer and Network Management

The following domains were omitted from the review:

Section 6: Certificate and Key Management - *Not applicable to Cloud Services Providers and is omitted from this review.
Section 7: Sensitive Process Data Management - *Not applicable to Cloud Services Providers and is omitted from this review.
Section 8: SM-DP, SM-SR, SM-DP+ and SM-DS Service Management - *Not applicable to Cloud Services Providers and is omitted from this review.
Section 9: Logistics and Production Management - *Not applicable to SAS-SM and is omitted from this review.

  • Attaining this certification would provide evidence that our information management systems adhere to industry standards.

  • GSMA offers two options for cloud service providers (CSP) to achieve certification:

    1. The CSP may seek to receive standalone SAS certification (with scope limited to DCOM) for its datacenter and be listed on the SAS website, allowing it to offer the SAS-certified services to multiple clients (customers).
    2. The CSP may seek to support the certification of a single client against the requirements of SAS-SM which rely on its services. In this case, the CSP’s datacenter would not receive its own SAS certificate following successful audit. However, the SAS-SM certificate for the SM service provider site would specify that the CSP’s datacenter has been audited and adheres to the SAS-SM requirements for the outsourced services.
  • For the list of services covered under the certified region, see the AWS Services in Scope by Compliance Program and choose GSMA.

  • AWS customers who provide embedded Universal Integrated Circuit Cards (eUICC) for mobile devices can run their remote provisioning applications in the GSMA-certified AWS Regions with confidence in the security of the AWS infrastructure and services.

  • The certificate is available on GSMA and AWS Artifact. AWS Artifact is a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.
