FlowRunner
Pricing
Theme

AWS Certificate Manager

Identity & Security

Connect AI agents to AWS Certificate Manager. Agents request and describe SSL/TLS certificates, retrieve DNS validation records, export PEM bodies, tag and renew certificates, and inventory posture across a region.

10 actions available
Scheduled posture check runs against a region's certificate inventory
Agent calls List Certificates and filters for pending or near-expiry certificates
For a new domain, Request Certificate with DNS validation
Describe Certificate returns the CNAME record needed to validate
Agent confirms the certificate reaches ISSUED once the record resolves
DNS and ops team receives the CNAME record and validation status
Owner approves adding the CNAME record to the DNS zone to complete validation

What This Integration Enables

Agents provision certificates for new domains and retrieve the DNS CNAME records needed to validate them, audit and inventory certificates across a region filtered by status, export an issued certificate's PEM body and chain for installation on servers outside AWS, tag certificates for cost allocation and access control, and trigger managed renewal of eligible AWS Private CA certificates. Public certificates renew automatically through ACM's managed renewal as long as their validation records stay in place, so the connector's renewal action applies to eligible private certificates. Because ACM is regional and certificate ARNs are region-specific, the flow works within the configured region, and certificates used with CloudFront are requested in us-east-1. The connector covers the ACM surface; the surrounding flow decides which renewals run on their own and which validation steps wait for a person to touch DNS.

Without FlowRunner

Expiry surprises A certificate lapses because nobody was tracking its renewal window across accounts and regions
Manual validation handoff The CNAME record for a new certificate is copied by hand into a ticket for the DNS team
No certificate inventory Certificates live in the console per region with no consolidated view of status

With FlowRunner

Scheduled posture checks List Certificates surfaces pending and near-expiry certificates on a routine
Validation records in flow Describe Certificate reads the exact CNAME record and routes it to the DNS owner
Region-wide inventory Certificates are enumerated and filtered by status as a workflow step

Use Case Scenarios

Provision and validate a certificate for a new domain

A new-domain event starts the flow. The agent calls Request Certificate with DNS validation, then Describe Certificate to read back the CNAME record ACM expects. It routes that record to the DNS owner and waits. Once the record resolves and ACM moves the certificate to ISSUED, the agent proceeds to attach it downstream. The DNS-validated certificate then renews automatically for as long as the record remains in place, so this handoff happens once, not every year.

Certificate posture audit across a region

On a schedule, the agent calls List Certificates and filters by status to find certificates that are pending validation, nearing expiry, or already expired. It compiles the findings and alerts the owners of certificates that need attention. The team gets a standing view of certificate health instead of discovering a lapse when a service starts failing TLS handshakes.

Export a certificate for a non-AWS server

When a service outside AWS needs the certificate, the agent calls Get Certificate to retrieve the PEM body and chain, then hands it to the deployment step that installs it on the target server. The export becomes a documented flow step with an audit trail rather than a manual copy out of the console.

Human-in-Loop Highlight

Completing DNS validation is the step that needs a human, because adding a CNAME record touches a DNS zone that an agent should not edit on a guess. The agent does everything up to that line: it requests the certificate, reads the exact CNAME record from Describe Certificate, and packages it. Then it pauses and asks the DNS owner through their channel: "Certificate for [domain] is pending validation. Add CNAME record [name] with value [value] to the [zone] DNS zone to issue it. Approve to proceed, or reassign?" The owner makes the change and the flow resumes when ACM reports ISSUED. The agent drives the lifecycle; the person owns the change to the zone.

Agent processes routinely
Detects exception requiring judgment
Clear match Continues automatically
Ambiguous Routes to human via preferred channel
Human decides
Agent resumes with decision

Agent Capabilities

10 actions

Provisioning and Validation

4
  • Request Certificate Requests a public or private certificate using DNS or email validation. The first step in standing up TLS for a new domain.
  • Describe Certificate Returns a certificate's status and the DNS validation CNAME records that must be added to issue it.
  • Resend Validation Email Resends the domain validation email for an email-validated certificate when the original is lost.
  • Get Certificate Retrieves an issued certificate's PEM body and chain for installation on non-AWS servers.

Inventory and Lifecycle

3
  • List Certificates Inventories certificates across a region, filtered by status such as issued, pending, or expired. Powers posture audits.
  • Renew Certificate Triggers managed renewal of eligible AWS Private CA certificates.
  • Delete Certificate Deletes a certificate. It must be detached from any AWS resource first.

Tagging

3
  • Add Tags To Certificate Tags a certificate for cost allocation and access control.
  • List Tags For Certificate Lists the tags applied to a certificate.
  • Remove Tags From Certificate Removes tags from a certificate.

Start building with AWS Certificate Manager

$100 in credits. No card required. Connect in minutes.