Right now, if you use SSL termination - which is convenient to avoid managing the public certs - it means the load balancer sends unencrypted traffic.
This traffic, while protected by the VPC, comes with the stipulation: "However, if you host multiple customer applications in a single account or team, data could be readable by others on the private network. We recommend separating customers by team or using SSL passthrough instead."
A reasonable solution seems to be allowing encryption with a provider cert that does not need to be signed externally.
I'm not sure of the best way to automatically rotate it, though.