Clean Up Expired AWS ACM Certificates with Slack Approval

Created by: Trung Tran || trungtran

Last update 2 days ago

Automatic Clean Up Expired AWS ACM Certificates with Human Approval

Automate the cleanup of expired AWS ACM certificates with Slack-based approval. This workflow helps maintain a secure and tidy AWS environment by detecting expired SSL certs, sending detailed Slack notifications to admins, and deleting them upon approval, ensuring full visibility and control over certificate lifecycle management.

🧑‍💼 Who’s it for

This workflow is designed for:

  • AWS administrators who want to keep their environment clean and secure
  • DevOps teams managing SSL lifecycle in AWS ACM
  • IT Admins needing visibility and control over expired cert removal
  • Teams that use Slack for collaboration and approvals

⚙️ How it works / What it does

This automated workflow performs the following tasks on a daily schedule:

  1. Fetch all ACM certificates in your AWS account.
  2. Select the expired ones by comparing expiration date and status.
  3. Send a Slack approval message with certificate details to the admin team.
  4. Wait for approval response directly in Slack ( to approve deletion).
  5. If approved, it deletes the expired certificate using AWS ACM.
  6. Finally, it notifies the IT admin about the action taken.

🔧 How to set up

  1. Create the Workflow

    • Add the nodes as shown:
      • Schedule Trigger
      • AWS - ACM: listCertificates
      • AWS - ACM: describeCertificate (loop per cert)
      • IF Node to filter expired certs
      • Slack - Send & Wait for Reaction
      • AWS - ACM: deleteCertificate
      • Slack - Post Message to notify
  2. Configure Slack

    • Create a Slack Bot Token with:
      • chat:write
      • reactions:read
      • channels:read
    • Connect it in your Slack nodes.
  3. Configure AWS Credentials

    • Use IAM User or Role with:
      • acm:ListCertificates
      • acm:DescribeCertificate
      • acm:DeleteCertificate
  4. Set schedule

    • Daily, Weekly, or custom cron expression.

📋 Requirements

| Component | Description |
| --- | --- |
| AWS ACM Access | IAM permissions for ACM actions |
| Slack Bot Token | With chat:write & reactions:read |
| n8n Environment | Self-hosted or n8n Cloud |
| Slack Channel | Where approval messages will be sent |

🛠️ How to customize the workflow

🕒 Change waiting time

Adjust the wait time before checking Slack reactions in the sendAndWait node (default 1 hour).

👥 Change Slack target

Change the Slack channel or tag specific people (<@U123456>).

📓 Add logging

Add Google Sheets, Notion, or DynamoDB to log certificate details and approval decisions.

🧪 Add dry-run/test mode

Use an IF node before deletion to simulate removal when ENV === dry-run.
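
The expired-certificate filter from "How it works" and the dry-run gate above, combined as an added example (not part of the original template). It goes one step beyond the page by also holding back certificates whose InUseBy list is non-empty, since ACM rejects deletion of a certificate that is still attached to a resource. The function names, the action labels, the sample ARNs and the assumption that NotAfter may arrive either as an ISO string or as epoch seconds are all illustrative.

```javascript
// Added example: plain JavaScript, adaptable to an n8n Code node.
// SAMPLE_CERTS is constructed data shaped like the `Certificate` object
// returned by ACM DescribeCertificate; the ARNs are placeholders.
const SAMPLE_CERTS = [
  { CertificateArn: 'arn:aws:acm:us-east-1:111122223333:certificate/example-1',
    DomainName: 'old.example.com', Status: 'EXPIRED',
    NotAfter: '2024-01-01T00:00:00Z', InUseBy: [] },
  { CertificateArn: 'arn:aws:acm:us-east-1:111122223333:certificate/example-2',
    DomainName: 'lb.example.com', Status: 'EXPIRED', NotAfter: 1704067200,
    InUseBy: ['arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/0'] },
  { CertificateArn: 'arn:aws:acm:us-east-1:111122223333:certificate/example-3',
    DomainName: 'www.example.com', Status: 'ISSUED',
    NotAfter: '2030-01-01T00:00:00Z', InUseBy: [] },
  { CertificateArn: 'arn:aws:acm:us-east-1:111122223333:certificate/example-4',
    DomainName: 'broken.example.com', Status: 'EXPIRED', InUseBy: [] }, // no NotAfter
];

// Assumption: NotAfter is an ISO 8601 string or a number of epoch seconds.
function toDate(value) {
  if (typeof value === 'number') return new Date(value * 1000);
  if (typeof value === 'string') return new Date(value);
  return new Date(NaN);
}

// Requires BOTH signals (status and date) before treating a cert as expired.
function classify(cert, now) {
  const notAfter = toDate(cert.NotAfter);
  // Fail closed: a missing or unparseable date never leads to deletion.
  if (Number.isNaN(notAfter.getTime())) return 'keep';
  if (cert.Status !== 'EXPIRED' || notAfter.getTime() >= now.getTime()) return 'keep';
  // Still attached to a load balancer, distribution, etc.: report, do not delete.
  if ((cert.InUseBy || []).length > 0) return 'in-use';
  return 'expired-unused';
}

// Returns one planned action per certificate; `env` mirrors the page's ENV check.
function planCleanup(certs, { now = new Date(), env = '' } = {}) {
  const dryRun = env === 'dry-run';
  return certs.map((cert) => {
    const state = classify(cert, now);
    let action = 'keep';
    if (state === 'in-use') action = 'report-only';
    if (state === 'expired-unused') action = dryRun ? 'simulate-delete' : 'request-approval';
    return { arn: cert.CertificateArn, domain: cert.DomainName, action };
  });
}
```

Only entries with the action request-approval should reach the Slack approval step; simulate-delete entries can be posted to the channel without calling deleteCertificate.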