Encryption of plain text after decryption in ALB during SSL termination

0

Hi,

It is set to SSL Termination, and after decryption by ALB, it is transferred to the backend in plain text. What methods are available to encrypt this part?

Best Regards,

2 Answers
3
Accepted Answer

Hello.

How about setting a certificate on the EC2 instance that is the target of the ALB so that the ALB and EC2 instances can communicate via HTTPS?
ALB does not validate certificates.
Therefore, it is possible to create and configure a self-signed certificate on EC2.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version

When a target group is configured with the HTTPS protocol or uses HTTPS health checks, if any HTTPS listener is using a TLS 1.3 security policy, the ELBSecurityPolicy-TLS13-1-0-2021-06 security policy will be used for target connections. Otherwise, the ELBSecurityPolicy-2016-08 security policy is used. The load balancer establishes TLS connections with the targets using certificates that you install on the targets. The load balancer does not validate these certificates. Therefore, you can use self-signed certificates or certificates that have expired. Because the load balancer, and its targets are in a virtual private cloud (VPC), traffic between the load balancer and the targets is authenticated at the packet level, so it is not at risk of man-in-the-middle attacks or spoofing even if the certificates on the targets are not valid. Traffic that leaves AWS will not have these same protections, and additional steps may be needed to secure traffic further.

answered 3 days ago (EXPERT)
reviewed 3 days ago (AWS EXPERT)
  • Yes, you can use it even if it has expired.
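The steps the accepted answer describes, written out as an added example that is not part of the thread or of AWS documentation: issue a self-signed certificate on the EC2 target, serve the application over HTTPS with it, and point an HTTPS target group at port 443 so the ALB-to-instance hop is re-encrypted. It assumes openssl and the AWS CLI v2 are installed, that nginx fronts the application, and that names such as backend.internal, my-https-tg, vpc-0123456789 and /health are constructed placeholders. The expiry helper is included because, while the ALB keeps connecting after the certificate expires (as the quoted docs say), other internal clients or monitoring that reach the instance directly usually do validate.

```shell
#!/bin/sh
# Added example (not from the re:Post thread or AWS): re-encrypt the ALB -> EC2
# hop with a self-signed certificate on the instance and an HTTPS target group.
# Assumptions: openssl and AWS CLI v2 are installed; nginx is the backend web
# server; backend.internal, my-https-tg and vpc-0123456789 are placeholders.

# 1. Issue a self-signed certificate on the instance. The ALB does not validate
#    target certificates, so the CN only needs to be meaningful to operators.
make_backend_cert() {
  dir="$1"; cn="${2:-backend.internal}"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
}

# 2. Succeed (exit 0) when the certificate expires within N days. The ALB keeps
#    connecting after expiry, but anything else that talks to the instance
#    (other internal clients, monitoring) may not, so it is worth tracking.
cert_expires_within() {
  crt="$1"; days="$2"
  # openssl -checkend returns 0 while the cert stays valid past the window, 1 otherwise
  if openssl x509 -noout -in "$crt" -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# 3. nginx server block that terminates TLS on 443 and proxies to the app.
nginx_https_server_block() {
  dir="$1"
  cat <<EOF
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     $dir/server.crt;
    ssl_certificate_key $dir/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# 4. AWS CLI command for an HTTPS target group with HTTPS health checks.
#    Printed rather than executed so it can be reviewed first; pipe to sh to apply.
https_target_group_cli() {
  name="$1"; vpc_id="$2"
  cat <<EOF
aws elbv2 create-target-group --name $name --protocol HTTPS --port 443 \\
  --vpc-id $vpc_id --target-type instance \\
  --health-check-protocol HTTPS --health-check-path /health
EOF
}

# Typical use on the instance (uncomment to run):
# make_backend_cert /etc/nginx/tls backend.internal
# nginx_https_server_block /etc/nginx/tls > /etc/nginx/conf.d/https.conf && nginx -s reload
# cert_expires_within /etc/nginx/tls/server.crt 30 && echo "renew soon"
# https_target_group_cli my-https-tg vpc-0123456789
```

After creating the target group, register the instances on port 443 and switch the listener's default action to the new target group; the instance security group must allow inbound 443 from the ALB's security group, and the old HTTP target group can be removed once health checks on the HTTPS group pass.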

0

Thanks.

Therefore, you can use self-signed certificates or certificates that have expired.

I thought that updating certificates would be troublesome, but if an expired certificate is okay, is it okay not to update them?

Best Regards,

answered 3 days ago