quick and dirty shell script to enumerate all ACM certificates in each region, filter out only automatic renewal eligible certs, then calculate the months/days till they expire. useful for alerting cron jobs. echos could be replaced with curl commands to webhooks, etc.

aws_acm_certificates_expiring_soon.sh

#!/bin/sh
# ___╱╲  _____ ╱╲______ ____╱╲   ___╱╲
# ╲ _  ╲╱  .:╱╱.:╲____╱╱_╲_.  ╲ ╱.╱__ ╲
#  ╲╲  ╱    ╱╱    ___╱╱  .╲╱ _╱╱ ╲  ╱  ╲
#  ╱.: ╲    ╲_.     ╱╱    _. ╲╱ .:╲╱   ╱
# ╱____╱╲  __╲╱__  ╱╱______│ ╱╲_______╱
#        ╲╱      ╲╱        │╱x0^67^iMP!
# https://0w.nz
# https://x-e.ro
# (K)opimi / CC0 public domain

# use epoch timestamps
aws configure set cli_timestamp_format none

# shorthand loop for a smaller list
#for region in us-east-1 us-west-2; do

# list every region
for region in $(aws ec2 describe-regions --region us-east-1 --output text | cut -f4)
	echo
	echo "## $region ##"

	export AWS_REGION=$region
	TMP="$(mktemp)"

	aws acm list-certificates --certificate-statuses "ISSUED" | jq -r '.CertificateSummaryList[] | "\(.CertificateArn)"' > "$TMP"
	while read -r ARN; do
		STATUS=$(aws acm describe-certificate --certificate-arn "$ARN" | jq -r '.Certificate.RenewalEligibility')
		if [ "$STATUS" = "INELIGIBLE" ]; then
			URL=$(aws acm describe-certificate --certificate-arn "$ARN" | jq -r '.Certificate.DomainName ')
			EPOCH=$(aws acm describe-certificate --certificate-arn "$ARN" | jq -r '.Certificate.NotAfter')
			EXP=$(date -r "$EPOCH")

			NOW=$(date -u +%s)
			MONTHS_DIFF=$(((EPOCH-NOW)/2592000))
			if [ "$MONTHS_DIFF" -lt "4" ]; then
				if [ "$MONTHS_DIFF" -gt "0" ]; then
					echo "$URL expires in $MONTHS_DIFF months on $EXP"
				else
					DAYS_DIFF=$(((EPOCH-NOW)/86400))
					echo "$URL expires in $DAYS_DIFF day on $EXP"
				fi
			fi
		fi
	done < "$TMP"
done

fixed bashisms. posix gods look away in shame.