---
title: TLS 1.3 Handshake Internals on AWS: ALB, CloudFront, and ACM
description: A full TLS handshake on every API call adds RTTs your p99 cannot afford. This guide walks TLS 1.3 1-RTT resumption, ACM cert rotation, and security policies on ALB and CloudFront.
url: https://www.factualminds.com/blog/tls-13-handshake-internals-aws-alb-cloudfront-acm/
datePublished: 2026-06-12T00:00:00.000Z
dateModified: 2026-06-12T00:00:00.000Z
author: Palaniappan P
category: Cloud Architecture
tags: engineering-guide, security, networking, aws, cloudfront
---

# TLS 1.3 Handshake Internals on AWS: ALB, CloudFront, and ACM

> A full TLS handshake on every API call adds RTTs your p99 cannot afford. This guide walks TLS 1.3 1-RTT resumption, ACM cert rotation, and security policies on ALB and CloudFront.

As of June 2026, **TLS 1.3** is the default forward path on **CloudFront** and on the current **ALB security policies** (`ELBSecurityPolicy-TLS13-1-2-...`). A fresh handshake costs **1 RTT** in TLS 1.3 against 2 RTTs in TLS 1.2. **0-RTT** early data exists too, but an attacker can replay it, so keep it off for non-idempotent APIs.

## Handshake flow (architect view)

1. ClientHello: supported versions, cipher suites, a key share for the group the client expects to agree on (X25519 in practice), and a PSK identity if it holds a session ticket.
2. ServerHello with the server's key share; everything after it is already encrypted: EncryptedExtensions, Certificate (the ACM chain), CertificateVerify, Finished.
3. Client Finished and application data in the same flight, so the first request goes out after one round trip.

**Session tickets** arrive in NewSessionTicket after the handshake. The next connection presents one as a PSK and resumes in 1 RTT without sending the certificate chain or verifying a signature, which is where most of the saving is. Make sure clients actually reuse sessions; a client library or middlebox that drops tickets shows up as a p99 spike after deploy, because every request pays the full handshake again.
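The handshake and resumption shapes described above, as an added example that is not part of the original post: a small ClientHello builder and parser in Python. The record layout and extension numbers follow RFC 8446; the builder's key share, ticket and binder bytes are placeholders and the host name is made up, so the output is only good for exercising the parser, not for talking to a real peer. The parser reports what the server would run for each hello (full 1-RTT, PSK resumption, or a 0-RTT attempt), which is also what you look at when deciding whether a client library is actually resuming.

```python
"""Decode a TLS ClientHello record far enough to tell a fresh 1-RTT handshake from a
PSK resumption or a 0-RTT attempt. The builder and its samples are constructed for this
example (placeholder key share and binder); nothing here is captured traffic."""

# Extension numbers from RFC 8446 section 4.2
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_PRE_SHARED_KEY = 0, 10, 41
EXT_EARLY_DATA, EXT_SUPPORTED_VERSIONS, EXT_PSK_MODES, EXT_KEY_SHARE = 42, 43, 45, 51
GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}
VERSIONS = {0x0304: "TLS1.3", 0x0303: "TLS1.2", 0x0302: "TLS1.1", 0x0301: "TLS1.0"}


def _u16(v):
    return v.to_bytes(2, "big")


def _vec(data, size):
    """Opaque vector with a 1-, 2- or 3-byte big-endian length prefix."""
    return len(data).to_bytes(size, "big") + data


def build_client_hello(server_name, resume_ticket=None, early_data=False):
    """Constructed TLS 1.3 ClientHello: real wire layout, placeholder crypto."""
    exts = _u16(EXT_SERVER_NAME) + _vec(_vec(b"\x00" + _vec(server_name.encode(), 2), 2), 2)
    exts += _u16(EXT_SUPPORTED_VERSIONS) + _vec(_vec(_u16(0x0304) + _u16(0x0303), 1), 2)
    exts += _u16(EXT_SUPPORTED_GROUPS) + _vec(_vec(_u16(0x001D) + _u16(0x0017), 2), 2)
    exts += _u16(EXT_KEY_SHARE) + _vec(_vec(_u16(0x001D) + _vec(b"\x11" * 32, 2), 2), 2)
    if resume_ticket is not None:                      # client holds a NewSessionTicket
        exts += _u16(EXT_PSK_MODES) + _vec(_vec(b"\x01", 1), 2)           # psk_dhe_ke only
        if early_data:
            exts += _u16(EXT_EARLY_DATA) + _vec(b"", 2)
        identity = _vec(resume_ticket, 2) + (12345).to_bytes(4, "big")    # + obfuscated_ticket_age
        binders = _vec(_vec(b"\x00" * 32, 1), 2)                           # placeholder HMAC binder
        exts += _u16(EXT_PRE_SHARED_KEY) + _vec(_vec(identity, 2) + binders, 2)  # must be last
    body = (_u16(0x0303) + bytes(range(32)) + _vec(b"", 1)            # legacy_version, random, session_id
            + _vec(_u16(0x1301) + _u16(0x1302), 2)                    # AES_128_GCM_SHA256, AES_256_GCM_SHA384
            + _vec(b"\x00", 1) + _vec(exts, 2))                        # null compression, extensions
    return b"\x16" + _u16(0x0301) + _vec(b"\x01" + _vec(body, 3), 2)  # handshake record, type ClientHello


class _Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data): self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data): raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n): return int.from_bytes(self.take(n), "big")
    def vec(self, size): return self.take(self.uint(size))       # length-prefixed opaque
    def done(self): return self.pos >= len(self.data)


def parse_client_hello(record):
    """Return the fields that decide the handshake shape: SNI, versions, key shares, PSK."""
    r = _Reader(record)
    if r.uint(1) != 0x16:
        raise ValueError("not a handshake record")
    r.take(2)                                                     # legacy record version
    hs = _Reader(r.vec(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.vec(3))
    body.take(34); body.vec(1); body.vec(2); body.vec(1)          # version+random, session_id, suites, compression
    info = {"sni": None, "versions": [], "key_share_groups": [], "psk_identities": 0, "early_data": False}
    exts, last = _Reader(body.vec(2)), None
    while not exts.done():
        last, data = exts.uint(2), _Reader(exts.vec(2))
        if last == EXT_SERVER_NAME:
            names = _Reader(data.vec(2)); names.take(1)           # one host_name entry
            info["sni"] = names.vec(2).decode("ascii")
        elif last == EXT_SUPPORTED_VERSIONS:
            vs = data.vec(1)
            info["versions"] = [VERSIONS.get(int.from_bytes(vs[i:i + 2], "big"), "unknown")
                                for i in range(0, len(vs), 2)]
        elif last == EXT_KEY_SHARE:
            shares = _Reader(data.vec(2))
            while not shares.done():
                group = shares.uint(2); shares.vec(2)             # skip the public key bytes
                info["key_share_groups"].append(GROUPS.get(group, hex(group)))
        elif last == EXT_PRE_SHARED_KEY:
            ids = _Reader(data.vec(2))
            while not ids.done():
                ids.vec(2); ids.uint(4)                          # identity, obfuscated_ticket_age
                info["psk_identities"] += 1
        elif last == EXT_EARLY_DATA:
            info["early_data"] = True
    if info["psk_identities"] and last != EXT_PRE_SHARED_KEY:
        raise ValueError("pre_shared_key must be the last extension (RFC 8446 4.2.11)")
    info["offers_tls13"] = "TLS1.3" in info["versions"]
    return info


def classify(info):
    """Name the handshake the server will run for this ClientHello."""
    if not info["offers_tls13"]:
        return "TLS 1.2 or lower: full 2-RTT handshake"
    if info["psk_identities"] == 0:
        return "full 1-RTT handshake: certificate chain + CertificateVerify"
    if info["early_data"]:
        return "PSK resumption with 0-RTT early data: replayable, reject on non-idempotent routes"
    return "PSK resumption: 1 RTT, no certificate or signature"


if __name__ == "__main__":
    for hello in (build_client_hello("api.example.com"),
                  build_client_hello("api.example.com", resume_ticket=b"T" * 16, early_data=True)):
        print(classify(parse_client_hello(hello)))
```

Feed `parse_client_hello` the first record of a captured connection (for example the bytes of a pcap's first TLS frame) and count how many hellos carry a PSK identity: if the share is near zero after a deploy, tickets are being dropped somewhere between the client and the listener. The RFC 8446 rule that `pre_shared_key` must be the last extension is enforced because a hello that violates it will be rejected by a conforming server anyway.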

## AWS mapping

| Layer       | Cert source                                                      | Knob                                                                        |
| ----------- | ---------------------------------------------------------------- | --------------------------------------------------------------------------- |
| CloudFront  | ACM in us-east-1                                                 | `MinimumProtocolVersion` (security policy), HTTP/3 + TLS 1.3                |
| ALB         | ACM in the ALB's region                                          | `ssl_policy` per HTTPS listener, mTLS (trust store) optional                |
| API Gateway | ACM in the API's region (us-east-1 for edge-optimized) / import  | `securityPolicy`: `TLS_1_2`, with `TLS_1_0` only as a documented exception  |

**ACM renewal** is automatic for DNS-validated certs as long as the validation CNAME stays in the zone; ACM never renews imported certs. Alarm on the CloudWatch `DaysToExpiry` metric (namespace `AWS/CertificateManager`) for every certificate, not only imported ones: a renewal that fails because someone deleted the CNAME shows up there first.

## When this advice breaks

- **Legacy IoT clients** that cannot go above TLS 1.0 or 1.1 need an isolated endpoint (their own listener or distribution) with an older policy, tracked as compliance debt with an owner and an end date; do not lower the policy on the endpoint everyone else uses.
- **Mutual TLS at scale**: consider AWS Verified Access, or a private CA (AWS Private CA) with automated device provisioning, rather than hand-managed client certificates.

## What to do this week

1. Audit ALB/CloudFront policies; remove TLS 1.0/1.1 unless there is a documented exception.
2. Measure handshake cost from the client side (`curl -w '%{time_connect} %{time_appconnect}'`; the difference is the TLS handshake) and check what traffic actually negotiates with the `ssl_protocol`/`ssl_cipher` fields in ALB access logs and `ssl-protocol`/`ssl-cipher` in CloudFront standard logs. After a policy change, watch ALB's `ClientTLSNegotiationErrorCount` metric for clients that can no longer complete the handshake.
3. Keep OCSP stapling on (CloudFront staples by default) and verify the served chain is complete with `openssl s_client -connect host:443 -servername host -showcerts`; a missing intermediate breaks clients that do not fetch it themselves.
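For the knobs in the AWS mapping table and the first item of this checklist (audit ALB/CloudFront policies), here is an added example in Python, not code from the original post or from AWS: it turns ALB `SslPolicy` names, CloudFront `ViewerCertificate` blocks and API Gateway `securityPolicy` values into a minimum TLS version and reports anything below a floor. Field names follow the boto3 responses (`describe_listeners`, `get_distribution_config`, `get_domain_names`), but the inventory records, ARNs and distribution ids are constructed; wire it to boto3 to run it against a real account. The policy-name-to-version mapping is derived from the AWS naming convention, so confirm it against the current published policy tables before relying on it.

```python
"""Audit ALB listeners, CloudFront distributions and API Gateway custom domains against a
TLS version floor. Record shapes follow the boto3 field names (describe_listeners,
get_distribution_config, get_domain_names), but every record below is constructed."""
import re

MIN_FLOOR = (1, 2)                      # nothing below TLS 1.2 without a documented exception

# ALB policy names encode the minimum version after the family prefix, e.g.
# ELBSecurityPolicy-TLS13-1-2-2021-06, ELBSecurityPolicy-TLS-1-1-2017-01, ELBSecurityPolicy-FS-1-2-Res-2020-10.
# Derived from that naming convention (assumption): check it against the published policy table.
_ALB_NAME_RE = re.compile(r"^ELBSecurityPolicy-(?:TLS13|TLS|FS)-(\d)-(\d)(?:-|$)")
_ALB_LEGACY = {"ELBSecurityPolicy-2016-08": (1, 0), "ELBSecurityPolicy-FS-2018-06": (1, 0)}
_CF_RE = re.compile(r"^TLSv(\d)(?:\.(\d))?")        # TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2021
_APIGW = {"TLS_1_0": (1, 0), "TLS_1_2": (1, 2)}


def alb_policy_floor(policy_name):
    """Minimum TLS version an ALB ssl_policy admits, or None if the name is unrecognised."""
    if policy_name in _ALB_LEGACY:
        return _ALB_LEGACY[policy_name]
    m = _ALB_NAME_RE.match(policy_name or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def cloudfront_floor(viewer_certificate):
    """Effective minimum for a distribution's ViewerCertificate block."""
    if viewer_certificate.get("CloudFrontDefaultCertificate"):
        return (1, 0)                   # the default *.cloudfront.net cert pins the policy to TLSv1
    setting = viewer_certificate.get("MinimumProtocolVersion", "")
    if setting == "SSLv3":
        return (0, 3)
    m = _CF_RE.match(setting)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def _label(floor):
    return None if floor is None else ("SSLv3" if floor == (0, 3) else f"TLS{floor[0]}.{floor[1]}")


def _finding(resource, setting, floor, min_floor, exceptions):
    if floor is None:
        status = "UNKNOWN"              # new or renamed policy: review by hand
    elif floor >= min_floor:
        status = "OK"
    else:
        status = "EXCEPTION" if resource in exceptions else "FAIL"
    return {"resource": resource, "setting": setting, "floor": _label(floor), "status": status}


def audit(listeners, distributions, api_domains, min_floor=MIN_FLOOR, exceptions=frozenset()):
    """Return every non-OK finding. `exceptions` holds resource ids with a documented waiver."""
    findings = []
    for l in listeners:
        if l.get("Protocol") != "HTTPS":
            continue                    # a plain HTTP listener is a separate finding
        findings.append(_finding(l["ListenerArn"], l.get("SslPolicy"),
                                 alb_policy_floor(l.get("SslPolicy")), min_floor, exceptions))
    for d in distributions:
        vc = d.get("ViewerCertificate", {})
        setting = ("CloudFrontDefaultCertificate" if vc.get("CloudFrontDefaultCertificate")
                   else vc.get("MinimumProtocolVersion"))
        findings.append(_finding(d["Id"], setting, cloudfront_floor(vc), min_floor, exceptions))
    for dom in api_domains:
        pol = dom.get("securityPolicy")
        findings.append(_finding(dom["domainName"], pol, _APIGW.get(pol), min_floor, exceptions))
    return [f for f in findings if f["status"] != "OK"]


# Constructed sample inventory (account id, ARNs and distribution ids are placeholders)
LEGACY_ARN = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/iot-legacy/0123456789abcdef/fedcba9876543210"
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/api/0123456789abcdef/0123456789abcdef",
     "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": LEGACY_ARN, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/api/0123456789abcdef/1111111111111111",
     "Protocol": "HTTP"},
]
SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1EXAMPLE", "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
                                              "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "E2EXAMPLE", "ViewerCertificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
]
SAMPLE_DOMAINS = [{"domainName": "api.example.com", "securityPolicy": "TLS_1_2"}]

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTENERS, SAMPLE_DISTRIBUTIONS, SAMPLE_DOMAINS, exceptions={LEGACY_ARN}):
        print(f"{f['status']:9} {f['resource']}  {f['setting']} -> min {f['floor']}")
```

Two design points: an unrecognised policy name is reported as `UNKNOWN` rather than silently passed, so a newly published policy gets a human look instead of an implicit pass; and a distribution on the default `*.cloudfront.net` certificate is flagged regardless of its `MinimumProtocolVersion`, because CloudFront ignores that setting in that configuration. Exceptions are keyed by resource id so the waiver for the legacy IoT listener stays attached to that listener only.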

## What this guide doesn't cover

mTLS service mesh—see Kubernetes track service mesh guide.

---

*Source: https://www.factualminds.com/blog/tls-13-handshake-internals-aws-alb-cloudfront-acm/*
