
Clean Up Expired AWS ACM Certificates with Slack Approval

by Trung Tran • Updated: Last update 17 days ago • Source: n8n.io

Getting Started

Automatic Clean Up Expired AWS ACM Certificates with Human Approval

Automate the cleanup of expired AWS ACM certificates with Slack-based approval. This workflow helps maintain a secure and tidy AWS environment by detecting expired SSL certs, sending detailed Slack notifications to admins, and deleting them upon approval, ensuring full visibility and control over certificate lifecycle management.

๐Ÿง‘โ€๐Ÿ’ผ Whoโ€™s it for

This workflow is designed for:

  • AWS administrators who want to keep their environment clean and secure
  • DevOps teams managing SSL lifecycle in AWS ACM
  • IT Admins needing visibility and control over expired cert removal
  • Teams that use Slack for collaboration and approvals

โš™๏ธ How it works / What it does

This automated workflow performs the following tasks on a daily schedule :

  1. Fetch all ACM certificates in your AWS account.
  2. Select the expired ones by comparing expiration date and status.
  3. Send a Slack approval message with certificate details to the admin team.
  4. Wait for approval response directly in Slack (✅ to approve deletion).
  5. If approved, it deletes the expired certificate using AWS ACM.
  6. Finally, it notifies the IT admin about the action taken.

🔧 How to set up

  1. Create the Workflow

    • Add the nodes as shown:
      • Schedule Trigger
      • AWS - ACM: listCertificates
      • AWS - ACM: describeCertificate (loop per cert)
      • IF Node to filter expired certs
      • Slack - Send & Wait for Reaction
      • AWS - ACM: deleteCertificate
      • Slack - Post Message to notify
  2. Configure Slack

    • Create a Slack Bot Token with:
      • chat:write
      • reactions:read
      • channels:read
    • Connect it in your Slack nodes.
  3. Configure AWS Credentials

    • Use IAM User or Role with:
      • acm:ListCertificates
      • acm:DescribeCertificate
      • acm:DeleteCertificate
  4. Set schedule

    • Daily, Weekly, or custom cron expression.

📋 Requirements

Component | Description
AWS ACM Access | IAM permissions for ACM actions
Slack Bot Token | With chat:write & reactions:read
n8n Environment | Self-hosted or n8n Cloud
Slack Channel | Where approval messages will be sent

๐Ÿ› ๏ธ How to customize the workflow

🕒 Change waiting time

Adjust the wait time before checking Slack reactions in the sendAndWait node (default 1 hour).

👥 Change Slack target

Change the Slack channel or tag specific people (<@U123456>).

📓 Add logging

Add Google Sheets, Notion, or DynamoDB to log certificate details and approval decisions.

🧪 Add dry-run/test mode

Use an IF node before deletion to simulate removal when ENV === dry-run.
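
The expired-certificate filter from step 2 of "How it works" and the dry-run switch described above can be expressed as one decision function. This is an added example, not part of the original workflow or n8n's own code. It assumes each input is the `Certificate` object from ACM DescribeCertificate (`CertificateArn`, `DomainName`, `Status`, `NotAfter`, `InUseBy`); the function names and action labels are hypothetical, and the sample data is constructed. Certificates still attached to a resource are held back, since ACM refuses to delete a certificate that is in use.

```javascript
// Added example; function names and action labels are hypothetical.
// Input: `Certificate` objects as returned by ACM DescribeCertificate.

// NotAfter may arrive as epoch seconds (raw AWS JSON) or as an ISO string.
function toMillis(notAfter) {
  if (typeof notAfter === 'number') return notAfter * 1000;
  const ms = Date.parse(notAfter);
  return Number.isNaN(ms) ? null : ms;
}

// One decision per certificate:
//   keep     - not expired
//   hold     - date and status disagree, date unreadable, or still attached
//   propose  - expired and unused: goes to the Slack approval step
//   simulate - as propose, but ENV is dry-run, so the delete step is skipped
function classifyCertificates(certs, now, env) {
  const dryRun = env === 'dry-run';
  return certs.map((c) => {
    const expiresAt = toMillis(c.NotAfter);
    const pastDate = expiresAt !== null && expiresAt < now.getTime();
    const statusExpired = c.Status === 'EXPIRED';
    const inUse = Array.isArray(c.InUseBy) && c.InUseBy.length > 0;

    let action;
    if (expiresAt !== null && !pastDate && !statusExpired) action = 'keep';
    else if (!(pastDate && statusExpired) || inUse) action = 'hold';
    else action = dryRun ? 'simulate' : 'propose';
    return { arn: c.CertificateArn, domain: c.DomainName, action };
  });
}

// Constructed sample data (placeholder account ID and certificate IDs).
const ARN = 'arn:aws:acm:us-east-1:111122223333:certificate/';
const SAMPLE = [
  { CertificateArn: ARN + 'example-1', DomainName: 'old.example.com',
    Status: 'EXPIRED', NotAfter: '2024-01-10T00:00:00Z', InUseBy: [] },
  { CertificateArn: ARN + 'example-2', DomainName: 'lb.example.com',
    Status: 'EXPIRED', NotAfter: '2024-03-01T00:00:00Z',
    InUseBy: ['arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0'] },
  { CertificateArn: ARN + 'example-3', DomainName: 'www.example.com',
    Status: 'ISSUED', NotAfter: 1767225600, InUseBy: [] }, // 2026-01-01 UTC
  { CertificateArn: ARN + 'example-4', DomainName: 'odd.example.com',
    Status: 'ISSUED', NotAfter: '2024-05-01T00:00:00Z', InUseBy: [] },
];

const NOW = new Date('2025-06-01T00:00:00Z'); // fixed clock so the output is stable
console.log(classifyCertificates(SAMPLE, NOW, 'dry-run'));
```

Only `propose` results should reach the Slack approval and deleteCertificate nodes; `hold` results are worth posting to the channel as items needing manual review.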