Secure tunneling concepts - AWS IoT Core

Client access token (CAT)

A pair of tokens generated by secure tunneling when a new tunnel is created. The CAT is used by the source and destination devices to connect to the Secure Tunneling service.

Destination application

The application that runs on the destination device. For example, the destination application can be an SSH daemon for establishing an SSH session using secure tunneling.

Destination device

The remote device you want to access.

Device agent

An IoT application that connects to the AWS IoT device gateway and listens for new tunnel notifications over MQTT.

Local proxy

A software proxy that runs on the source and destination devices and relays a data stream between the Secure Tunneling service and the device application. The local proxy can be run in source mode or destination mode. For more information, see Local proxy.

Source device

The device an operator uses to initiate a session to the destination device, usually a laptop or desktop computer.


Tunnel

A logical pathway through AWS IoT that enables bidirectional communication between a source device and destination device.