Clean Up Expired AWS ACM Certificates with Slack Approval

Automatic Clean Up Expired AWS ACM Certificates with Human Approval

> Automate the cleanup of expired AWS ACM certificates with Slack-based approval. This workflow helps maintain a secure and tidy AWS environment by detecting expired SSL certs, sending detailed Slack notifications to admins, and deleting them upon approval, ensuring full visibility and control over certificate lifecycle management.

🧑‍💼 Who’s it for

This workflow is designed for:

- **AWS administrators** who want to keep their environment clean and secure
- **DevOps teams** managing SSL lifecycle in AWS ACM
- **IT Admins** needing visibility and control over expired cert removal
- Teams that use Slack for collaboration and approvals

⚙️ How it works / What it does

This automated workflow performs the following tasks on a daily schedule:

1. Fetch all ACM certificates in your AWS account.
2. Filter out the expired ones by comparing expiration date and status.
3. Send a Slack approval message with certificate details to the admin team.
4. Wait for approval response directly in Slack (✅ to approve deletion).
5. If approved, it deletes the expired certificate using AWS ACM.
6. Finally, it notifies the IT admin about the action taken.

🔧 How to set up

1. Create the workflow. Add the nodes as shown:
   - Schedule Trigger
   - AWS - ACM: listCertificates
   - AWS - ACM: describeCertificate (loop per cert)
   - IF Node to filter expired certs
   - Slack - Send & Wait for Reaction
   - AWS - ACM: deleteCertificate
   - Slack - Post Message to notify
2. Configure Slack. Create a Slack Bot Token with the scopes below and connect it in your Slack nodes:
   - `chat:write`
   - `reactions:read`
   - `channels:read`
3. Configure AWS credentials. Use an IAM User or Role with:
   - `acm:ListCertificates`
   - `acm:DescribeCertificate`
   - `acm:DeleteCertificate`
4. Set the schedule: Daily, Weekly, or a custom cron expression.

📋 Requirements

| Component       | Description                          |
|-----------------|--------------------------------------|
| AWS ACM Access  | IAM permissions for ACM actions      |
| Slack Bot Token | With chat:write & reactions:read     |
| n8n Environment | Self-hosted or n8n Cloud             |
| Slack Channel   | Where approval messages will be sent |

🛠️ How to customize the workflow

- 🕒 Change waiting time: Adjust the wait time before checking Slack reactions in the sendAndWait node (default 1 hour).
- 👥 Change Slack target: Change the Slack channel or tag specific people (<@U123456>).
- 📓 Add logging: Add Google Sheets, Notion, or DynamoDB to log certificate details and approval decisions.
- 🧪 Add dry-run/test mode: Use an IF node before deletion to simulate removal when ENV === dry-run.
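
The expiry filter from "How it works" and the dry-run switch from the customization list, combined as an added example for an n8n Code node (this is not the template's own code). The function names, the `dryRun` option and the sample records are assumptions; the field names follow the `Certificate` object returned by ACM DescribeCertificate.

```javascript
// Accept NotAfter as an ISO string, a Date, or epoch seconds (assumption:
// a number means epoch seconds, as in the raw ACM JSON response).
function toDate(value) {
  if (value == null) return null;
  const d = typeof value === 'number' ? new Date(value * 1000) : new Date(value);
  return Number.isNaN(d.getTime()) ? null : d;
}

function classifyCertificate(cert, now) {
  const notAfter = toDate(cert.NotAfter);
  if (!notAfter) return { action: 'skip', reason: 'no usable NotAfter' };
  // Require both signals to agree: ACM status and the expiry date itself.
  if (cert.Status !== 'EXPIRED' || notAfter >= now) {
    return { action: 'skip', reason: 'not expired' };
  }
  // ACM refuses to delete a certificate that is still attached to a
  // resource, so report it to the admins instead of queueing a deletion.
  const inUse = Array.isArray(cert.InUseBy) ? cert.InUseBy.length : 0;
  if (inUse > 0) return { action: 'report', reason: `in use by ${inUse} resource(s)` };
  return { action: 'request-approval', reason: `expired ${notAfter.toISOString()}` };
}

// dryRun (hypothetical option) mirrors the ENV === dry-run check: the Slack
// approval still runs, but nothing is handed to deleteCertificate.
function planCleanup(certs, { now = new Date(), dryRun = false } = {}) {
  return certs.map((cert) => {
    const decision = classifyCertificate(cert, now);
    return {
      arn: cert.CertificateArn,
      domain: cert.DomainName,
      ...decision,
      deleteOnApproval: decision.action === 'request-approval' && !dryRun,
    };
  });
}

// Constructed sample input (placeholder ARNs and domains).
const ARN = 'arn:aws:acm:us-east-1:111122223333:certificate/';
const SAMPLE_CERTS = [
  { CertificateArn: ARN + 'example-a', DomainName: 'old.example.com', Status: 'EXPIRED', NotAfter: '2025-01-01T00:00:00Z', InUseBy: [] },
  { CertificateArn: ARN + 'example-b', DomainName: 'lb.example.com', Status: 'EXPIRED', NotAfter: '2025-02-01T00:00:00Z', InUseBy: ['constructed-load-balancer-arn'] },
  { CertificateArn: ARN + 'example-c', DomainName: 'www.example.com', Status: 'ISSUED', NotAfter: '2026-06-01T00:00:00Z', InUseBy: [] },
  { CertificateArn: ARN + 'example-d', DomainName: 'broken.example.com', Status: 'EXPIRED', InUseBy: [] },
  { CertificateArn: ARN + 'example-e', DomainName: 'epoch.example.com', Status: 'EXPIRED', NotAfter: 1700000000, InUseBy: [] },
];

console.log(planCleanup(SAMPLE_CERTS, { now: new Date('2025-09-10T00:00:00Z') }));
```

Only entries with `deleteOnApproval: true` should reach the deleteCertificate node after the Slack reaction; `report` entries belong in the notification so an admin can detach the certificate first.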

Author: Trung Tran
Created: 9/10/2025
Updated: 9/24/2025
