as you can see there, it's mentioned that the Application Load Balancer (ALB) will import the Certificate Revocation List (CRL) from S3 once and perform all CRL checks locally. This means:

• No repeated fetching from S3: The ALB doesn’t continuously retrieve the CRL from S3, avoiding repeated latency and associated S3 access costs.

• No latency impact during client authentication: Since the ALB performs CRL checks locally, there is no added latency during the mTLS handshake process.

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-mtls-for-application-load-balancer/