Great.

If your DNS is on Route 53, just point an A record to your load balancer (via alias), e. g. keycloak.mydomain.com or whatever fits your usecase.

In your load balancer you should remove the rule you already configured for Keycloak (which probably is for a HTTP listener on port 80). Replace that with a redirect to HTTPS by creating a rule stating that keycloak.mydomain.com (if that had been your domain) should redirect to HTTPS on port 443 with "Original host, path, query" selected and a 301 redirect for instance.

Then create a HTTPS listener on port 443 if you haven't already. Create a rule stating that keycloak.mydomain.com is forwarding to your Keycloak target group (no need to switch ports inside target group).

At last you have to add your certififcate. Just click "View/edit certificates" under SSL Certificate in the HTTPS listener record in the Listeners tab in EC2 Load Balancers and add your certificate from ACM. Then you should be good to go.