If compliance requires a customer to use SSL/TLS for all communications, would it not be acceptable to offload SSL termination to the ELB and then configure the ELB routing and target to be HTTPS/443? I believe this would encrypt all communication and still allow use of the ELB? Granted, it would mean using multiple certificates, one for the ELB and one for each target.
You’re right, you could do Client -TLS-> ELB and ELB -TLS-> EC2 so that you can ensure SSL in transit. But under most regulatory compliance rules this is not allowed, because you still have the SSL termination in between, which means the data is decrypted at rest (on the ELB) to get encrypted with EC2’s certificate. So the compliance rules require end-to-end encryption from the client to the EC2 instance itself, where the actual request is processed.
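To make the two setups discussed in this thread concrete, here is an added Terraform example (not posted by either commenter, and not AWS's own code) showing side by side the "terminate at the ELB and re-encrypt to the target" pattern from the question and the TCP-passthrough pattern in which only the EC2 instance ever holds a private key. The variable names (var.subnet_ids, var.vpc_id, var.acm_certificate_arn), resource names, the security group reference and the /healthz health-check path are assumptions for illustration; the resource types, arguments and the ELBSecurityPolicy-TLS13-1-2-2021-06 policy name are real AWS provider settings.

```hcl
# Assumed inputs (hypothetical names): replace with your own values.
variable "subnet_ids"          { type = list(string) }
variable "vpc_id"              { type = string }
variable "acm_certificate_arn" { type = string }

# ---------------------------------------------------------------------------
# Pattern 1: TLS terminated at the load balancer, then re-encrypted to targets.
# The ALB holds a certificate and private key and sees every request in
# plaintext in memory before re-encrypting it towards the EC2 instances.
# ---------------------------------------------------------------------------
resource "aws_lb" "terminating_alb" {
  name               = "example-terminating-alb"   # assumed name
  load_balancer_type = "application"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "https_targets" {
  name     = "example-https-targets"               # assumed name
  port     = 443
  protocol = "HTTPS"                               # ALB -> EC2 leg is TLS again
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/healthz"                          # assumed path on the instances
  }
}

resource "aws_lb_listener" "alb_https" {
  load_balancer_arn = aws_lb.terminating_alb.arn
  port              = 443
  protocol          = "HTTPS"                      # client -> ALB leg terminates here
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.acm_certificate_arn      # ELB-side certificate from ACM

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.https_targets.arn
  }
}

# ---------------------------------------------------------------------------
# Pattern 2: end-to-end TLS. A Network Load Balancer forwards raw TCP on 443,
# so the TLS session is established directly between the client and the EC2
# instance. No certificate is configured on the ELB and it never sees plaintext.
# ---------------------------------------------------------------------------
resource "aws_lb" "passthrough_nlb" {
  name               = "example-passthrough-nlb"   # assumed name
  load_balancer_type = "network"
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "tcp_443_targets" {
  name     = "example-tcp-443-targets"             # assumed name
  port     = 443
  protocol = "TCP"                                 # opaque bytes, TLS untouched
  vpc_id   = var.vpc_id

  health_check {
    protocol = "TCP"                               # cannot inspect HTTP: no plaintext
  }
}

resource "aws_lb_listener" "nlb_tcp_443" {
  load_balancer_arn = aws_lb.passthrough_nlb.arn
  port              = 443
  protocol          = "TCP"                        # note: no certificate_arn here

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tcp_443_targets.arn
  }
}
```

Two caveats a practitioner should check before relying on Pattern 1: an ALB does not validate the certificate presented by an HTTPS target, so the second leg is encrypted but not authenticated unless you constrain the target network some other way, and the ELB-side certificate from ACM is one that only the load balancer can use. With Pattern 2 the instances must serve a certificate for the public hostname themselves, and health checks are reduced to a TCP connect because the NLB cannot read the application layer.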