diff --git a/docs/docs/workflows/define-manifest.md b/docs/docs/workflows/define-manifest.md
index 6905a3ed..6de44c81 100644
--- a/docs/docs/workflows/define-manifest.md
+++ b/docs/docs/workflows/define-manifest.md
@@ -497,3 +497,10 @@ Incoming connections are defined by `Port`. For services used by external client
 }
 }
 ```
+
+:::tip
+
+On startup, a Marble logs its effective TTLS policy.
+This helps to verify that the manifest configuration is applied as intended.
+
+:::
diff --git a/marble/premain/premain.go b/marble/premain/premain.go
index 7ac78eec..ac5aef38 100644
--- a/marble/premain/premain.go
+++ b/marble/premain/premain.go
@@ -11,6 +11,7 @@ import (
 "context"
 "crypto/ecdsa"
 "crypto/x509"
+ "encoding/json"
 "errors"
 "fmt"
 "log"
@@ -191,6 +192,9 @@ func PreMainEx(issuer quote.Issuer, activate ActivateFunc, hostfs, enclavefs afe
 return err
 }
 
+ if err := logTTLS(params.Env); err != nil {
+ return err
+ }
 if err := applyParameters(params, enclavefs); err != nil {
 return err
 }
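Review bot: The new `logTTLS(params.Env)` call in PreMainEx returns its error to the caller, and logTTLS (added in a later hunk) fails on a present-but-empty or unparsable TTLS config, so a Marble with a bad TTLS setting now aborts before applyParameters runs; the name suggests logging only, and nothing at the call site says it also validates. Add a comment such as `// logTTLS also rejects a present-but-empty or unparsable TTLS config; an error here aborts startup before any manifest parameters are applied.`, and consider wrapping the error, `return fmt.Errorf("checking TTLS config: %w", err)`, so the failure is attributable in the premain log. PreMainEx starts and ends outside this hunk.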
@@ -231,6 +235,41 @@ func activateRPC(req *rpc.ActivationReq, coordAddr string, tlsCredentials creden
 return activationResp.GetParameters(), nil
 }
 
+func logTTLS(env map[string][]byte) error {
+ ttlsConfigJSON, ok := env[constants.EnvMarbleTTLSConfig]
+ if !ok {
+ log.Println("Not using TTLS")
+ return nil
+ }
+
+ var ttlsConfig map[string]map[string]map[string]map[string]interface{}
+ if err := json.Unmarshal(ttlsConfigJSON, &ttlsConfig); err != nil {
+ return fmt.Errorf("unmarshaling TTLS config: %w", err)
+ }
+ tls := ttlsConfig["tls"]
+ incoming := tls["Incoming"]
+ outgoing := tls["Outgoing"]
+ if len(incoming) == 0 && len(outgoing) == 0 {
+ return errors.New("TTLS config is empty")
+ }
+
+ log.Println("TTLS config")
+ if len(incoming) > 0 {
+ log.Println(" Incoming")
+ for k := range incoming {
+ log.Print(" ", k)
+ }
+ }
+ if len(outgoing) > 0 {
+ log.Println(" Outgoing")
+ for k := range outgoing {
+ log.Print(" ", k)
+ }
+ }
+
+ return nil
+}
+
 func applyParameters(params *rpc.Parameters, fs afero.Fs) error {
 // Store files in file system
 log.Println("creating files from manifest")
diff --git a/marble/premain/premain_test.go b/marble/premain/premain_test.go
index dd5fd214..83a425ef 100644
--- a/marble/premain/premain_test.go
+++ b/marble/premain/premain_test.go
@@ -14,6 +14,7 @@ import (
 
 "github.com/edgelesssys/marblerun/coordinator/quote"
 "github.com/edgelesssys/marblerun/coordinator/rpc"
+ "github.com/edgelesssys/marblerun/internal/constants"
 "github.com/edgelesssys/marblerun/marble/config"
 "github.com/google/uuid"
 "github.com/spf13/afero"
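Review bot: The Incoming/Outgoing loops in logTTLS range over maps, so the order of the logged entry names differs from run to run, which defeats the stated purpose of checking the log against the manifest or comparing it between restarts; collect the keys and sort them before printing. The two blocks are identical apart from the label, so one helper removes the duplication, and `sort` then has to be added to the import hunk next to `encoding/json`. Note that only the entry names are printed, not the settings of each entry, so the docs tip's "effective TTLS policy" promises more than the log shows; if the output is later extended to per-entry settings, any certificate or key material the entries may carry must stay out of the log. The restructured tail of the function:

```go
func logTTLS(env map[string][]byte) error {
	// … unchanged: env lookup, json.Unmarshal, empty-config check …
	log.Println("TTLS config")
	logTTLSEntries("Incoming", incoming)
	logTTLSEntries("Outgoing", outgoing)

	return nil
}

// logTTLSEntries prints the entry names of one direction in sorted order,
// or nothing when that direction has no entries.
func logTTLSEntries(direction string, entries map[string]map[string]interface{}) {
	if len(entries) == 0 {
		return
	}
	keys := make([]string, 0, len(entries))
	for k := range entries {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map order is random; sorted output is comparable across runs
	log.Println("  " + direction)
	for _, k := range keys {
		log.Print("    ", k)
	}
}
```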
@@ -143,6 +144,22 @@ func TestPreMain(t *testing.T) {
 
 assert.Equal("", os.Getenv("EDG_TEST_1"))
 assert.Equal("", os.Getenv("EDG_TEST_2"))
+ assert.Equal([]string{"not modified"}, os.Args)
+ }
+ { // fail on empty TTLS config
+ parameters = &rpc.Parameters{
+ Env: map[string][]byte{
+ constants.EnvMarbleTTLSConfig: []byte(`{"tls":{}}`),
+ },
+ }
+ activateError = nil
+
+ os.Args = []string{"not modified"}
+
+ hostfs := afero.NewMemMapFs()
+ enclavefs := afero.NewMemMapFs()
+ require.Error(PreMainEx(issuer, activate, hostfs, enclavefs))
+ assert.Equal([]string{"not modified"}, os.Args)
 }
 }
 
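Review bot: The new case exercises only the failure path of logTTLS (the `{"tls":{}}` config), so neither a syntactically invalid config nor a valid one with entries is covered, and a regression that makes logTTLS reject every config would still pass. Add a sibling case with `[]byte("{")` expecting `require.Error`, and one with a constructed config carrying a single entry, e.g. {"tls":{"Incoming":{"example":{}}}}, expecting `require.NoError` — assuming the rest of PreMainEx tolerates an entry without settings, which cannot be confirmed from this hunk. The setup these cases reuse (`parameters`, `activateError`, `issuer`, `activate`) is defined outside the hunk, and TestPreMain starts outside it.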