Clean Up Expired AWS ACM Certificates with Slack Approval

Created by: Trung Tran || trungtran

Last update 23 days ago

Automatically Clean Up Expired AWS ACM Certificates with Human Approval

Automate the cleanup of expired AWS ACM certificates with Slack-based approval. This workflow helps maintain a secure and tidy AWS environment by detecting expired SSL certs, sending detailed Slack notifications to admins, and deleting them upon approval, ensuring full visibility and control over certificate lifecycle management.

🧑‍💼 Who’s it for

This workflow is designed for:

  • AWS administrators who want to keep their environment clean and secure
  • DevOps teams managing SSL lifecycle in AWS ACM
  • IT Admins needing visibility and control over expired cert removal
  • Teams that use Slack for collaboration and approvals

⚙️ How it works / What it does

This automated workflow performs the following tasks on a daily schedule:

  1. Fetch all ACM certificates in your AWS account.
  2. Select the expired ones by comparing expiration date and status.
  3. Send a Slack approval message with certificate details to the admin team.
  4. Wait for the approval response directly in Slack (react to the message to approve deletion).
  5. If approved, it deletes the expired certificate using AWS ACM.
  6. Finally, it notifies the IT admin about the action taken.

🔧 How to set up

  1. Create the Workflow

    • Add the nodes as shown:
      • Schedule Trigger
      • AWS - ACM: listCertificates
      • AWS - ACM: describeCertificate (loop per cert)
      • IF Node to filter expired certs
      • Slack - Send & Wait for Reaction
      • AWS - ACM: deleteCertificate
      • Slack - Post Message to notify
  2. Configure Slack

    • Create a Slack Bot Token with:
      • chat:write
      • reactions:read
      • channels:read
    • Connect it in your Slack nodes.
  3. Configure AWS Credentials

    • Use IAM User or Role with:
      • acm:ListCertificates
      • acm:DescribeCertificate
      • acm:DeleteCertificate
  4. Set schedule

    • Daily, Weekly, or custom cron expression.

📋 Requirements

| Component | Description |
|---|---|
| AWS ACM Access | IAM permissions for ACM actions |
| Slack Bot Token | With chat:write & reactions:read |
| n8n Environment | Self-hosted or n8n Cloud |
| Slack Channel | Where approval messages will be sent |

🛠️ How to customize the workflow

🕒 Change waiting time

Adjust the wait time before checking Slack reactions in the sendAndWait node (default 1 hour).

👥 Change Slack target

Change the Slack channel or tag specific people (<@U123456>).

📓 Add logging

Add Google Sheets, Notion, or DynamoDB to log certificate details and approval decisions.

🧪 Add dry-run/test mode

Use an IF node before deletion to simulate removal when ENV === dry-run.
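
The expiry filter from step 2 and the dry-run switch above, sketched as logic that could sit in front of the delete step. This is an added example, not part of the original template: the helper names and sample data are assumptions, and it goes beyond the page by also skipping certificates whose InUseBy list is non-empty, since ACM refuses to delete a certificate that is still attached to a resource.

```javascript
// Added example. Inputs mimic the "Certificate" object returned by ACM
// DescribeCertificate; toMillis, isExpired and planCleanup are hypothetical names.

// NotAfter is epoch seconds in raw ACM JSON, or a Date/ISO string via an SDK.
function toMillis(notAfter) {
  if (notAfter == null) return null;
  if (typeof notAfter === 'number') return notAfter * 1000;
  const ms = new Date(notAfter).getTime();
  return Number.isNaN(ms) ? null : ms;
}

// Expired only when status AND date agree; a missing or unparsable
// NotAfter never counts as expired, so it can never reach deletion.
function isExpired(cert, now) {
  const ms = toMillis(cert.NotAfter);
  return cert.Status === 'EXPIRED' && ms !== null && ms < now.getTime();
}

// One decision per certificate. "delete" requires: expired, not attached to
// any resource, explicitly approved, and dry-run switched off.
function planCleanup(certs, { now, approvedArns, dryRun }) {
  return certs.map((cert) => {
    const arn = cert.CertificateArn;
    let action;
    if (!isExpired(cert, now)) action = 'keep';
    else if ((cert.InUseBy || []).length > 0) action = 'skip-in-use';
    else if (!approvedArns.has(arn)) action = 'await-approval';
    else action = dryRun ? 'would-delete' : 'delete';
    return { arn, action };
  });
}

// Constructed sample data: placeholder account ID and certificate IDs.
const PREFIX = 'arn:aws:acm:us-east-1:111122223333:certificate/';
const sampleCerts = [
  { CertificateArn: PREFIX + 'example-a', Status: 'EXPIRED', NotAfter: 1704067200, InUseBy: [] },
  { CertificateArn: PREFIX + 'example-b', Status: 'EXPIRED', NotAfter: '2024-06-01T00:00:00Z',
    InUseBy: ['arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0'] },
  { CertificateArn: PREFIX + 'example-c', Status: 'ISSUED', NotAfter: '2030-01-01T00:00:00Z', InUseBy: [] },
  { CertificateArn: PREFIX + 'example-d', Status: 'EXPIRED', NotAfter: null, InUseBy: [] },
  { CertificateArn: PREFIX + 'example-e', Status: 'EXPIRED', NotAfter: 1704067200, InUseBy: [] },
];
const now = new Date('2025-01-01T00:00:00Z');
const approved = new Set([PREFIX + 'example-a', PREFIX + 'example-d']);

console.log(planCleanup(sampleCerts, { now, approvedArns: approved, dryRun: true }));
```

Logging the full decision list, including the keep and skip entries, gives the audit trail suggested under "Add logging" the reason each certificate was or was not removed.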