Attestation Proxy Architecture
The Attestation Proxy is a service that establishes a secure, attested mTLS (mutual TLS) tunnel between the enclave and external services, such as a Key Management Service (KMS). This ensures that only verified and attested enclaves can access these external services.
The following diagram presents an overview of the Attestation Proxy.
The enclave periodically sends its attestation document to the Attestation Proxy for verification. Once the enclave is successfully attested, the proxy adds it to a whitelist of approved enclaves.
When an application running inside the enclave needs to connect to an external service, it first establishes an mTLS connection with the Attestation Proxy. The proxy verifies the enclave's attestation status by checking whether it is in the set of approved enclaves.
After the attested mTLS tunnel is established, the application inside the enclave can securely communicate with external services through the tunnel.
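The approval check described above can be sketched as follows; this is an added example, not the project's own code, and the class and method names are hypothetical. It assumes the attestation document's signature has already been verified, that the document is bound to the enclave's mTLS client certificate, and that an approval lapses after a TTL unless the enclave re-attests; the page states none of these details.

```python
import hashlib
import hmac
import time


class ApprovedEnclaves:
    """Proxy-side set of attested enclaves, keyed by mTLS client-cert fingerprint."""

    def __init__(self, expected_measurement, ttl_seconds, clock=time.monotonic):
        self._expected = expected_measurement  # assumed: known-good enclave measurement
        self._ttl = ttl_seconds                # assumed: approval lapses without re-attestation
        self._clock = clock
        self._expiry = {}                      # cert fingerprint -> approval expiry time

    @staticmethod
    def fingerprint(client_cert_der):
        return hashlib.sha256(client_cert_der).hexdigest()

    def record_attestation(self, measurement, client_cert_der):
        """Call only after the attestation document's signature has been verified."""
        fp = self.fingerprint(client_cert_der)
        if not hmac.compare_digest(measurement, self._expected):
            self._expiry.pop(fp, None)         # a failed attestation revokes prior approval
            return False
        self._expiry[fp] = self._clock() + self._ttl
        return True

    def is_approved(self, client_cert_der):
        """Gate for the mTLS connection: fail closed on unknown or stale entries."""
        fp = self.fingerprint(client_cert_der)
        expiry = self._expiry.get(fp)
        if expiry is None:
            return False
        if self._clock() >= expiry:
            del self._expiry[fp]               # stale: enclave must attest again
            return False
        return True


if __name__ == "__main__":
    good = bytes.fromhex("11" * 48)            # constructed measurement value
    cert = b"constructed DER bytes"            # constructed stand-in for a client certificate
    proxy = ApprovedEnclaves(good, ttl_seconds=300)
    print(proxy.is_approved(cert))             # not yet attested
    proxy.record_attestation(good, cert)
    print(proxy.is_approved(cert))             # attested and fresh
```

Keying the set on the client certificate fingerprint ties the approval to the peer that actually completes the mTLS handshake, so an attestation from one enclave cannot be reused by a different client.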
The following diagram explains the flow of the requests for establishing the attested mTLS tunnel.