[rmrfstar]

I think they mean that AWS acts as a proxy and only terminates the outer layer.

Wouldn't it be pretty easy to fingerprint a TLS session that always starts with another TLS handshake?

[red0point]

Well not easily, because once the outer TLS has been set up, you can‘t see the contents of the second TLS handshake. You could maybe deduce it via packet sizes and timings, but certainly not pretty easily.