TLS 1.3 Handshake Internals on AWS: ALB, CloudFront, and ACM

Quick summary: A full TLS handshake on every API call adds RTTs your p99 cannot afford. This guide walks TLS 1.3 1-RTT resumption, ACM cert rotation, and security policies on ALB and CloudFront.

Key Takeaways

  • A full TLS handshake on every API call adds RTTs your p99 cannot afford
  • This guide walks TLS 1.3 1-RTT resumption, ACM cert rotation, and security policies on ALB and CloudFront
  • TLS 1.3 (June 2026) is the default forward path on CloudFront and modern ALB security policies

TLS 1.3 (June 2026) is the default forward path on CloudFront and modern ALB security policies (ELBSecurityPolicy-TLS13-1-2-...). Handshake cost moved from 2-RTT (TLS 1.2) to 1-RTT for new sessions; 0-RTT early data exists, but it can be replayed by anyone who captures it, so it is risky for non-idempotent APIs.

Handshake flow (architect view)

  1. ClientHello with key shares
  2. ServerHello + encrypted extensions + cert chain (ACM)
  3. Application data

Session tickets and resumption cut repeat handshake work—make sure clients actually keep and reuse the tickets they are issued; broken middleboxes that strip tickets show up as p99 spikes right after a deploy, because every connection falls back to a full handshake.
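The handshake steps above are easiest to reason about from the bytes a client actually sends. As an added example (not code from the original article), the Python below parses a TLS 1.3 ClientHello record and reports what the client offered: whether TLS 1.3 is in supported_versions, which key_share groups it sent for the 1-RTT exchange, whether it presents a pre_shared_key identity (a resumption attempt) and whether it asks for early_data (0-RTT). Extension codes are from RFC 8446; the record it parses comes from a constructed builder in the same block whose random, key share, ticket and binder are dummy bytes rather than real cryptography. Pointed at a ClientHello captured in front of an ALB, the same parser tells you whether a client is really attempting resumption, which is the first thing to check when a post-deploy p99 spike is blamed on TLS.

```python
"""Summarise what a TLS 1.3 ClientHello offers: versions, key shares, PSK resumption, 0-RTT."""
import struct

# Extension type codes from RFC 8446
EXT_SERVER_NAME, EXT_PRE_SHARED_KEY, EXT_EARLY_DATA = 0, 41, 42
EXT_SUPPORTED_VERSIONS, EXT_PSK_MODES, EXT_KEY_SHARE = 43, 45, 51
TLS13, TLS12 = 0x0304, 0x0303
GROUP_NAMES = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Walk one TLS record that carries a ClientHello and summarise its extensions."""
    if record[0] != 22 or _u16(record, 3) != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"legacy_version": _u16(body, 0), "versions": [], "cipher_suites": [],
            "key_share_groups": [], "psk_identities": 0, "early_data": False, "sni": None}
    off = 2 + 32                          # legacy_version + random
    off += 1 + body[off]                  # legacy_session_id
    cs_len = _u16(body, off); off += 2
    info["cipher_suites"] = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                  # legacy_compression_methods
    end = off + 2 + _u16(body, off); off += 2
    while off < end:
        etype, elen = _u16(body, off), _u16(body, off + 2)
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SUPPORTED_VERSIONS:      # len(1) + list of u16 versions
            info["versions"] = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
        elif etype == EXT_KEY_SHARE:             # len(2) + [group(2) key_len(2) key]
            p = 2
            while p < 2 + _u16(data, 0):
                info["key_share_groups"].append(GROUP_NAMES.get(_u16(data, p), hex(_u16(data, p))))
                p += 4 + _u16(data, p + 2)
        elif etype == EXT_PRE_SHARED_KEY:        # identities len(2) + [id_len(2) id age(4)] + binders
            p, n = 2, 0
            while p < 2 + _u16(data, 0):
                p += 2 + _u16(data, p) + 4
                n += 1
            info["psk_identities"] = n
        elif etype == EXT_EARLY_DATA:            # empty in ClientHello: the client wants 0-RTT
            info["early_data"] = True
        elif etype == EXT_SERVER_NAME:           # list len(2) type(1) name_len(2) name
            info["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
    info["offers_tls13"] = TLS13 in info["versions"]
    info["resumption_attempt"] = info["psk_identities"] > 0
    return info


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni: str, resume: bool = False, early_data: bool = False) -> bytes:
    """Constructed ClientHello for testing: random, key share, ticket and binder are dummy bytes."""
    name = sni.encode("ascii")
    exts = _ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x04" + struct.pack("!HH", TLS13, TLS12))
    exts += _ext(EXT_KEY_SHARE, struct.pack("!HHH", 36, 0x001D, 32) + b"\x11" * 32)
    if resume:
        exts += _ext(EXT_PSK_MODES, b"\x01\x01")                     # psk_dhe_ke only
        if early_data:
            exts += _ext(EXT_EARLY_DATA, b"")
        ticket, binder = b"T" * 16, b"B" * 32
        identities = struct.pack("!H", len(ticket)) + ticket + struct.pack("!I", 0)
        binders = bytes([len(binder)]) + binder
        exts += _ext(EXT_PRE_SHARED_KEY, struct.pack("!H", len(identities)) + identities
                     + struct.pack("!H", len(binders)) + binders)  # must be the last extension
    body = struct.pack("!H", TLS12) + b"\x00" * 32 + b"\x00"         # legacy_version, random, no session id
    body += struct.pack("!HH", 2, 0x1301) + b"\x01\x00"              # TLS_AES_128_GCM_SHA256, null compression
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, kw in (("fresh", {}), ("resume+0rtt", {"resume": True, "early_data": True})):
        print(label, parse_client_hello(build_client_hello("api.example.com", **kw)))
```

A fresh connection shows a key_share and no pre_shared_key; a resumed one shows a PSK identity (and, if the client is trying 0-RTT, an early_data extension). The latter is the signal to watch when the backend behind the listener is not idempotent.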

AWS mapping

Layer         Cert source       Knob
CloudFront    ACM us-east-1     Security policy, HTTP/3 + TLS 1.3
ALB           ACM regional      ssl_policy, mTLS optional
API Gateway   ACM / import      Minimum TLS 1.2

ACM rotation is automatic for DNS-validated certs—watch CloudWatch DaysToExpiry only for imported certs.

When this advice breaks

  • Legacy IoT clients on TLS 1.0—must use isolated endpoint with older policy (compliance debt).
  • Mutual TLS at scale—consider Verified Access or private CA with device provisioning.

What to do this week

  1. Audit ALB/CloudFront policies—remove TLS 1.0/1.1 unless documented exception.
  2. Measure ssl_handshake_time via CloudFront access logs or ALB target timing.
  3. Enable OCSP stapling (default on CloudFront) and verify chain completeness.
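The policy audit in step 1 and the imported-cert expiry watch from the ACM section above are the two checks worth automating. As an added example (not code from the original article or from AWS), the Python below runs both over records shaped like the responses of elbv2 DescribeListeners, cloudfront GetDistributionConfig (the ViewerCertificate block) and acm DescribeCertificate; the sample records at the bottom are constructed, not taken from a real account. Two assumptions are built in: the minimum TLS version is read from AWS's policy naming convention (names carrying a "1-<minor>" suffix such as ELBSecurityPolicy-TLS13-1-2-2021-06, with names lacking it treated as still accepting TLS 1.0), and the CloudFront MinimumProtocolVersion strings follow the documented TLSv1 / TLSv1.1_2016 / TLSv1.2_2021 pattern.

```python
"""Flag ALB listeners, CloudFront distributions and ACM certs whose TLS settings need attention.

Record shapes follow the AWS API responses (elbv2 DescribeListeners, cloudfront
GetDistributionConfig ViewerCertificate, acm DescribeCertificate); the records at the
bottom are constructed sample data, not output from any real account.
"""
import re
from datetime import datetime, timedelta, timezone

TLS_FLOOR = (1, 2)         # anything that can negotiate below TLS 1.2 is a finding
IMPORTED_WARN_DAYS = 30    # ACM does not renew imported certs, so those get an expiry watch

# Assumption: AWS policy names encode the minimum protocol as "...-1-<minor>-<date>";
# names without that suffix (e.g. ELBSecurityPolicy-2016-08) still accept TLS 1.0.
_ALB_MIN = re.compile(r"ELBSecurityPolicy-(?:TLS13-|TLS-|FS-)1-(\d)")
_CF_MIN = re.compile(r"^TLSv1(?:\.(\d))?")


def alb_min_tls(policy: str) -> tuple:
    """Minimum TLS version an ALB security policy name allows, as (major, minor)."""
    m = _ALB_MIN.search(policy)
    return (1, int(m.group(1))) if m else (1, 0)


def cloudfront_min_tls(viewer_cert: dict) -> tuple:
    """Minimum viewer TLS version from a distribution's ViewerCertificate block."""
    if viewer_cert.get("CloudFrontDefaultCertificate"):
        return (1, 0)      # the default *.cloudfront.net cert only supports the TLSv1 policy
    m = _CF_MIN.match(viewer_cert.get("MinimumProtocolVersion", ""))
    return (1, int(m.group(1) or 0)) if m else (0, 0)   # (0, 0) means SSLv3 or unknown


def _fmt(v: tuple) -> str:
    return "SSLv3" if v == (0, 0) else f"TLS {v[0]}.{v[1]}"


def audit_listeners(listeners: list) -> list:
    """One finding per HTTPS listener whose policy allows a version below TLS_FLOOR."""
    return [{"resource": l["ListenerArn"],
             "issue": f"policy {l['SslPolicy']} allows {_fmt(alb_min_tls(l['SslPolicy']))}"}
            for l in listeners
            if l.get("Protocol") == "HTTPS" and alb_min_tls(l["SslPolicy"]) < TLS_FLOOR]


def audit_distributions(dists: list) -> list:
    """One finding per distribution whose viewer policy allows a version below TLS_FLOOR."""
    return [{"resource": d["Id"],
             "issue": f"viewer policy allows {_fmt(cloudfront_min_tls(d['ViewerCertificate']))}"}
            for d in dists if cloudfront_min_tls(d["ViewerCertificate"]) < TLS_FLOOR]


def audit_certificates(certs: list, now: datetime) -> list:
    """Imported certs close to NotAfter; AMAZON_ISSUED certs are skipped because ACM renews them."""
    out = []
    for c in certs:
        days_left = (c["NotAfter"] - now).days
        if c["Type"] == "IMPORTED" and days_left <= IMPORTED_WARN_DAYS:
            out.append({"resource": c["CertificateArn"],
                        "issue": f"imported cert expires in {days_left} days; ACM will not renew it"})
    return out


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed reference time
_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/"
SAMPLE_LISTENERS = [   # constructed
    {"ListenerArn": _ARN + "api/EXAMPLE1", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": _ARN + "legacy-iot/EXAMPLE2", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": _ARN + "redirect/EXAMPLE3", "Protocol": "HTTP"},
]
SAMPLE_DISTRIBUTIONS = [   # constructed
    {"Id": "EDIST1", "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.2_2021", "SSLSupportMethod": "sni-only"}},
    {"Id": "EDIST2", "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1_2016", "SSLSupportMethod": "sni-only"}},
    {"Id": "EDIST3", "ViewerCertificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
]
_CERT = "arn:aws:acm:us-east-1:123456789012:certificate/"
SAMPLE_CERTS = [   # constructed
    {"CertificateArn": _CERT + "amazon-issued-EXAMPLE", "Type": "AMAZON_ISSUED", "NotAfter": NOW + timedelta(days=20)},
    {"CertificateArn": _CERT + "imported-EXAMPLE-soon", "Type": "IMPORTED", "NotAfter": NOW + timedelta(days=10)},
    {"CertificateArn": _CERT + "imported-EXAMPLE-ok", "Type": "IMPORTED", "NotAfter": NOW + timedelta(days=200)},
]


def run_audit(listeners=SAMPLE_LISTENERS, dists=SAMPLE_DISTRIBUTIONS, certs=SAMPLE_CERTS, now=NOW) -> list:
    """Combined findings list; swap the sample inputs for real API responses."""
    return audit_listeners(listeners) + audit_distributions(dists) + audit_certificates(certs, now)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['resource']}: {f['issue']}")
```

The AMAZON_ISSUED cert expiring in 20 days is deliberately not reported: ACM renews it, and alerting on it is the noise that gets the real imported-cert alert ignored.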

What this guide doesn’t cover

mTLS service mesh—see Kubernetes track service mesh guide.

Palaniappan P

AWS Cloud Architect & AI Expert