I'm hosting an app on Elastic Beanstalk for my org, and I want to be able to use a subdomain of our org domain for the app. The app needs SSL as well. My (probably faulty) understanding of EB is that an app must be only a single instance (no load balancer?) to be able to expose an IP, is that correct? And a CNAME record can't be used with HTTPS? Are there other options I'm not aware of?
Thanks
Not quite right. For SSL/HTTPS its better to have load balancer. Once you have your own domain, then you can get free valid public SSL certificate from AWS ACM and associate it with the LB as explained in AWS docs.
In your company, you have to create CNAME (or equivalent) record from your subdomain to EB's default domain given by AWS. The SSL cert from AWS ACM must be issued to your own domain (subdomain), not the EB default domain.