AWS Certificate Manager
Identity & SecurityConnect AI agents to AWS Certificate Manager. Agents request and describe SSL/TLS certificates, retrieve DNS validation records, export PEM bodies, tag and renew certificates, and inventory posture across a region.
What This Integration Enables
Agents provision certificates for new domains and retrieve the DNS CNAME records needed to validate them, audit and inventory certificates across a region filtered by status, export an issued certificate's PEM body and chain for installation on servers outside AWS, tag certificates for cost allocation and access control, and trigger managed renewal of eligible AWS Private CA certificates. Public certificates renew automatically through ACM's managed renewal as long as their validation records stay in place, so the connector's renewal action applies to eligible private certificates. Because ACM is regional and certificate ARNs are region-specific, the flow works within the configured region, and certificates used with CloudFront are requested in us-east-1. The connector covers the ACM surface; the surrounding flow decides which renewals run on their own and which validation steps wait for a person to touch DNS.
Without FlowRunner
With FlowRunner
Use Case Scenarios
Provision and validate a certificate for a new domain
A new-domain event starts the flow. The agent calls Request Certificate with DNS validation, then Describe Certificate to read back the CNAME record ACM expects. It routes that record to the DNS owner and waits. Once the record resolves and ACM moves the certificate to ISSUED, the agent proceeds to attach it downstream. The DNS-validated certificate then renews automatically for as long as the record remains in place, so this handoff happens once, not every year.
Certificate posture audit across a region
On a schedule, the agent calls List Certificates and filters by status to find certificates that are pending validation, nearing expiry, or already expired. It compiles the findings and alerts the owners of certificates that need attention. The team gets a standing view of certificate health instead of discovering a lapse when a service starts failing TLS handshakes.
Export a certificate for a non-AWS server
When a service outside AWS needs the certificate, the agent calls Get Certificate to retrieve the PEM body and chain, then hands it to the deployment step that installs it on the target server. The export becomes a documented flow step with an audit trail rather than a manual copy out of the console.
Human-in-Loop Highlight
Completing DNS validation is the step that needs a human, because adding a CNAME record touches a DNS zone that an agent should not edit on a guess. The agent does everything up to that line: it requests the certificate, reads the exact CNAME record from Describe Certificate, and packages it. Then it pauses and asks the DNS owner through their channel: "Certificate for [domain] is pending validation. Add CNAME record [name] with value [value] to the [zone] DNS zone to issue it. Approve to proceed, or reassign?" The owner makes the change and the flow resumes when ACM reports ISSUED. The agent drives the lifecycle; the person owns the change to the zone.
Agent Capabilities
10 actionsProvisioning and Validation
4- Request Certificate Requests a public or private certificate using DNS or email validation. The first step in standing up TLS for a new domain.
- Describe Certificate Returns a certificate's status and the DNS validation CNAME records that must be added to issue it.
- Resend Validation Email Resends the domain validation email for an email-validated certificate when the original is lost.
- Get Certificate Retrieves an issued certificate's PEM body and chain for installation on non-AWS servers.
Inventory and Lifecycle
3- List Certificates Inventories certificates across a region, filtered by status such as issued, pending, or expired. Powers posture audits.
- Renew Certificate Triggers managed renewal of eligible AWS Private CA certificates.
- Delete Certificate Deletes a certificate. It must be detached from any AWS resource first.
Tagging
3- Add Tags To Certificate Tags a certificate for cost allocation and access control.
- List Tags For Certificate Lists the tags applied to a certificate.
- Remove Tags From Certificate Removes tags from a certificate.
Start building with AWS Certificate Manager
$100 in credits. No card required. Connect in minutes.