aws-samples · mwunderl · Apr 14, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/tuts/115-aws-backup-gs/README.md b/tuts/115-aws-backup-gs/README.md
@@ -0,0 +1,41 @@
+# Backup: Create a vault and backup plan
+
+## Source
+
+https://docs.aws.amazon.com/aws-backup/latest/devguide/getting-started.html
+
+## Use case
+
+- **ID**: backup/getting-started
+- **Level**: beginner
+- **Core actions**: `backup:CreateBackupVault`, `backup:CreateBackupPlan`
+
+## Steps
+
+1. Create a backup vault
+2. Create a backup plan (daily schedule, 30-day retention)
+3. Describe the plan
+4. List backup vaults
+5. List backup plans
+
+## Resources created
+
+| Resource | Type |
+|----------|------|
+| `tut-vault-<random>` | Backup vault |
+| `tut-plan-<random>` | Backup plan |
+
+## Cost
+
+No cost until a backup actually runs. This tutorial creates a plan and vault but does not execute a backup. AWS Backup pricing varies by resource type and storage amount.
+
+## Duration
+
+~6 seconds
+
+## Related docs
+
+- [Getting started with AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/getting-started.html)
+- [Creating a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html)
+- [AWS Backup pricing](https://aws.amazon.com/backup/pricing/)
+- [Supported resources](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#supported-resources)
diff --git a/tuts/115-aws-backup-gs/REVISION-HISTORY.md b/tuts/115-aws-backup-gs/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 115-aws-backup-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/115-aws-backup-gs/aws-backup-gs.md b/tuts/115-aws-backup-gs/aws-backup-gs.md
@@ -0,0 +1,104 @@
+# Create a backup vault and backup plan with AWS Backup
+
+This tutorial shows you how to create a backup vault, create a backup plan with a daily schedule and 30-day retention, inspect the plan details, and list your vaults and plans.
+
+## Prerequisites
+
+- AWS CLI configured with credentials and a default region
+- Permissions for `backup:CreateBackupVault`, `backup:DeleteBackupVault`, `backup:CreateBackupPlan`, `backup:DeleteBackupPlan`, `backup:GetBackupPlan`, `backup:ListBackupVaults`, `backup:ListBackupPlans`
+
+## Step 1: Create a backup vault
+
+Create a vault to store recovery points.
+
+```bash
+VAULT_NAME="tut-vault-$(openssl rand -hex 4)"
+
+aws backup create-backup-vault --backup-vault-name "$VAULT_NAME" \
+    --query 'BackupVaultArn' --output text
+```
+
+A backup vault is a container for recovery points (backups). Each vault has its own encryption key and access policy. The default vault uses the AWS managed key for Backup.
+
+## Step 2: Create a backup plan
+
+Create a plan with a daily backup rule that targets the vault and retains backups for 30 days.
+
+```bash
+PLAN_NAME="tut-plan-$(openssl rand -hex 4)"
+
+PLAN_RESULT=$(aws backup create-backup-plan --backup-plan "{
+    \"BackupPlanName\":\"$PLAN_NAME\",
+    \"Rules\":[{
+        \"RuleName\":\"DailyBackup\",
+        \"TargetBackupVaultName\":\"$VAULT_NAME\",
+        \"ScheduleExpression\":\"cron(0 12 * * ? *)\",
+        \"StartWindowMinutes\":60,
+        \"CompletionWindowMinutes\":180,
+        \"Lifecycle\":{\"DeleteAfterDays\":30}
+    }]
+}")
+PLAN_ID=$(echo "$PLAN_RESULT" | python3 -c "import sys,json;print(json.load(sys.stdin)['BackupPlanId'])")
+```
+
+`ScheduleExpression` uses a cron expression — this one runs daily at noon UTC. `StartWindowMinutes` is how long Backup waits before canceling a job that hasn't started. `Lifecycle` controls retention.
+
+## Step 3: Describe the plan
+
+View the plan details and rule configuration.
+
+```bash
+aws backup get-backup-plan --backup-plan-id "$PLAN_ID" \
+    --query 'BackupPlan.{Name:BackupPlanName,Rules:Rules[0].{Rule:RuleName,Schedule:ScheduleExpression,Retention:Lifecycle.DeleteAfterDays}}' \
+    --output table
+```
+
+A plan can have multiple rules targeting different vaults or schedules. Each rule can also specify copy actions to replicate backups to another Region.
+
+## Step 4: List backup vaults
+
+List vaults in your account.
+
+```bash
+aws backup list-backup-vaults \
+    --query 'BackupVaultList[].{Name:BackupVaultName,Created:CreationDate,RecoveryPoints:NumberOfRecoveryPoints}' \
+    --output table
+```
+
+Every account has a `Default` vault created automatically. The tutorial vault will show zero recovery points since no backup has run yet.
+
+## Step 5: List backup plans
+
+List plans in your account.
+
+```bash
+aws backup list-backup-plans \
+    --query 'BackupPlansList[].{Name:BackupPlanName,Id:BackupPlanId,Created:CreationDate}' \
+    --output table
+```
+
+Plans are independent of resource assignments. To actually back up resources, you create a backup selection that assigns resources (by ARN or tag) to a plan.
+
+## Cleanup
+
+Delete the backup plan and vault:
+
+```bash
+aws backup delete-backup-plan --backup-plan-id "$PLAN_ID"
+aws backup delete-backup-vault --backup-vault-name "$VAULT_NAME"
+```
+
+No actual backup ran during this tutorial, so there is no cost. AWS Backup charges only when backups are stored — pricing varies by resource type and storage amount. Deleting the plan stops future scheduled backups, and deleting an empty vault is immediate.
+
+The script automates all steps including cleanup:
+
+```bash
+bash aws-backup-gs.sh
+```
+
+## Related resources
+
+- [Getting started with AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/getting-started.html)
+- [Creating a backup plan](https://docs.aws.amazon.com/aws-backup/latest/devguide/creating-a-backup-plan.html)
+- [AWS Backup pricing](https://aws.amazon.com/backup/pricing/)
+- [Supported resources](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html#supported-resources)
diff --git a/tuts/115-aws-backup-gs/aws-backup-gs.sh b/tuts/115-aws-backup-gs/aws-backup-gs.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+# Tutorial: Create a backup vault and backup plan with AWS Backup
+# Source: https://docs.aws.amazon.com/aws-backup/latest/devguide/getting-started.html
+
+WORK_DIR=$(mktemp -d)
+LOG_FILE="$WORK_DIR/backup-$(date +%Y%m%d-%H%M%S).log"
+exec > >(tee -a "$LOG_FILE") 2>&1
+
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}
+if [ -z "$REGION" ]; then
+    echo "ERROR: No AWS region configured. Set one with: export AWS_DEFAULT_REGION=us-east-1"
+    exit 1
+fi
+export AWS_DEFAULT_REGION="$REGION"
+echo "Region: $REGION"
+
+RANDOM_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+VAULT_NAME="tut-vault-${RANDOM_ID}"
+PLAN_NAME="tut-plan-${RANDOM_ID}"
+
+handle_error() { echo "ERROR on line $1"; trap - ERR; cleanup; exit 1; }
+trap 'handle_error $LINENO' ERR
+
+cleanup() {
+    echo ""
+    echo "Cleaning up resources..."
+    [ -n "$PLAN_ID" ] && aws backup delete-backup-plan --backup-plan-id "$PLAN_ID" > /dev/null 2>&1 && \
+        echo "  Deleted backup plan $PLAN_NAME"
+    aws backup delete-backup-vault --backup-vault-name "$VAULT_NAME" 2>/dev/null && \
+        echo "  Deleted vault $VAULT_NAME"
+    rm -rf "$WORK_DIR"
+    echo "Cleanup complete."
+}
+
+# Step 1: Create a backup vault
+echo "Step 1: Creating backup vault: $VAULT_NAME"
+aws backup create-backup-vault --backup-vault-name "$VAULT_NAME" \
+    --query 'BackupVaultArn' --output text
+echo "  Vault created"
+
+# Step 2: Create a backup plan
+echo "Step 2: Creating backup plan: $PLAN_NAME"
+PLAN_RESULT=$(aws backup create-backup-plan --backup-plan "{
+    \"BackupPlanName\":\"$PLAN_NAME\",
+    \"Rules\":[{
+        \"RuleName\":\"DailyBackup\",
+        \"TargetBackupVaultName\":\"$VAULT_NAME\",
+        \"ScheduleExpression\":\"cron(0 12 * * ? *)\",
+        \"StartWindowMinutes\":60,
+        \"CompletionWindowMinutes\":180,
+        \"Lifecycle\":{\"DeleteAfterDays\":30}
+    }]
+}")
+PLAN_ID=$(echo "$PLAN_RESULT" | python3 -c "import sys,json;print(json.load(sys.stdin)['BackupPlanId'])")
+echo "  Plan ID: $PLAN_ID"
+
+# Step 3: Describe the plan
+echo "Step 3: Backup plan details"
+aws backup get-backup-plan --backup-plan-id "$PLAN_ID" \
+    --query 'BackupPlan.{Name:BackupPlanName,Rules:Rules[0].{Rule:RuleName,Schedule:ScheduleExpression,Retention:Lifecycle.DeleteAfterDays}}' --output table
+
+# Step 4: List backup vaults
+echo "Step 4: Listing backup vaults"
+aws backup list-backup-vaults \
+    --query 'BackupVaultList[?starts_with(BackupVaultName, `tut-`)].{Name:BackupVaultName,Created:CreationDate,RecoveryPoints:NumberOfRecoveryPoints}' --output table
+
+# Step 5: List backup plans
+echo "Step 5: Listing backup plans"
+aws backup list-backup-plans \
+    --query 'BackupPlansList[?starts_with(BackupPlanName, `tut-`)].{Name:BackupPlanName,Id:BackupPlanId,Created:CreationDate}' --output table
+
+echo ""
+echo "Tutorial complete."
+echo "Note: No actual backup was started — the plan runs on a daily schedule."
+echo "Do you want to clean up all resources? (y/n): "
+read -r CHOICE
+if [[ "$CHOICE" =~ ^[Yy]$ ]]; then
+    cleanup
+else
+    echo "Manual cleanup:"
+    echo "  aws backup delete-backup-plan --backup-plan-id $PLAN_ID"
+    echo "  aws backup delete-backup-vault --backup-vault-name $VAULT_NAME"
+fi
diff --git a/tuts/121-aws-organizations-gs/README.md b/tuts/121-aws-organizations-gs/README.md
@@ -0,0 +1,29 @@
+# Aws Organizations Gs
+
+A read-only script that queries Organizations resources and displays information.
+
+## Running
+
+```bash
+bash aws-organizations-gs.sh
+```
+
+## What it does
+
+1. Describing organization
+2. Listing accounts
+3. Listing organizational units
+4. Listing policies
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI organizations reference](https://docs.aws.amazon.com/cli/latest/reference/organizations/index.html)
+
diff --git a/tuts/121-aws-organizations-gs/REVISION-HISTORY.md b/tuts/121-aws-organizations-gs/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 121-aws-organizations-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/121-aws-organizations-gs/aws-organizations-gs.md b/tuts/121-aws-organizations-gs/aws-organizations-gs.md
@@ -0,0 +1,23 @@
+# Aws Organizations Gs
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Describing organization
+
+The script handles this step automatically. See `aws-organizations-gs.sh` for the exact CLI commands.
+
+## Step 2: Listing accounts
+
+The script handles this step automatically. See `aws-organizations-gs.sh` for the exact CLI commands.
+
+## Step 3: Listing organizational units
+
+The script handles this step automatically. See `aws-organizations-gs.sh` for the exact CLI commands.
+
+## Step 4: Listing policies
+
+The script handles this step automatically. See `aws-organizations-gs.sh` for the exact CLI commands.
+
diff --git a/tuts/121-aws-organizations-gs/aws-organizations-gs.sh b/tuts/121-aws-organizations-gs/aws-organizations-gs.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/orgs-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}
+[ -z "$REGION" ] && echo "ERROR: No region" && exit 1
+export AWS_DEFAULT_REGION="$REGION"
+echo "Region: $REGION"
+echo "Step 1: Describing organization"
+aws organizations describe-organization --query 'Organization.{Id:Id,MasterAccount:MasterAccountId,FeatureSet:FeatureSet}' --output table 2>/dev/null || echo "  No organization found (this account may not be part of an organization)"
+echo "Step 2: Listing accounts"
+aws organizations list-accounts --query 'Accounts[:5].{Id:Id,Name:Name,Status:Status,Email:Email}' --output table 2>/dev/null || echo "  Cannot list accounts (requires management account access)"
+echo "Step 3: Listing organizational units"
+ROOT_ID=$(aws organizations list-roots --query 'Roots[0].Id' --output text 2>/dev/null)
+[ -n "$ROOT_ID" ] && [ "$ROOT_ID" != "None" ] && aws organizations list-organizational-units-for-parent --parent-id "$ROOT_ID" --query 'OrganizationalUnits[].{Id:Id,Name:Name}' --output table 2>/dev/null || echo "  No OUs found"
+echo "Step 4: Listing policies"
+aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query 'Policies[].{Id:Id,Name:Name,Type:Type}' --output table 2>/dev/null || echo "  Cannot list policies"
+echo ""
+echo "Tutorial complete. No resources were created — this tutorial is read-only."
+rm -rf "$WORK_DIR"
diff --git a/tuts/122-aws-health-gs/README.md b/tuts/122-aws-health-gs/README.md
@@ -0,0 +1,28 @@
+# Aws Health Gs
+
+A read-only script that queries Health resources and displays information.
+
+## Running
+
+```bash
+bash aws-health-gs.sh
+```
+
+## What it does
+
+1. Describing events (last 7 days)
+2. Describing event types
+3. Describing affected entities
+
+## Resources created
+
+None — this script is read-only.
+
+## Cost
+
+No cost. This script only reads existing resources.
+
+## Related docs
+
+- [AWS CLI health reference](https://docs.aws.amazon.com/cli/latest/reference/health/index.html)
+
diff --git a/tuts/122-aws-health-gs/REVISION-HISTORY.md b/tuts/122-aws-health-gs/REVISION-HISTORY.md
@@ -0,0 +1,8 @@
+# Revision History: 122-aws-health-gs
+
+## Shell (CLI script)
+
+### 2026-04-14 v1 published
+- Type: functional
+- Initial version
+
diff --git a/tuts/122-aws-health-gs/aws-health-gs.md b/tuts/122-aws-health-gs/aws-health-gs.md
@@ -0,0 +1,19 @@
+# Aws Health Gs
+
+## Prerequisites
+
+1. AWS CLI installed and configured (`aws configure`)
+2. Appropriate IAM permissions for the AWS services used
+
+## Step 1: Describing events (last 7 days)
+
+The script handles this step automatically. See `aws-health-gs.sh` for the exact CLI commands.
+
+## Step 2: Describing event types
+
+The script handles this step automatically. See `aws-health-gs.sh` for the exact CLI commands.
+
+## Step 3: Describing affected entities
+
+The script handles this step automatically. See `aws-health-gs.sh` for the exact CLI commands.
+
diff --git a/tuts/122-aws-health-gs/aws-health-gs.sh b/tuts/122-aws-health-gs/aws-health-gs.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+WORK_DIR=$(mktemp -d)
+exec > >(tee -a "$WORK_DIR/health-$(date +%Y%m%d-%H%M%S).log") 2>&1
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null))}
+[ -z "$REGION" ] && echo "ERROR: No region" && exit 1
+export AWS_DEFAULT_REGION=us-east-1
+echo "Region: us-east-1 (Health API is global)"
+echo "Step 1: Describing events (last 7 days)"
+aws health describe-events --filter '{"startTimes":[{"from":"'$(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ)'"}]}' --query 'events[:5].{Service:service,Type:eventTypeCode,Status:statusCode,Region:region}' --output table 2>/dev/null || echo "  No recent events (or Health API requires Business/Enterprise support)"
+echo "Step 2: Describing event types"
+aws health describe-event-types --filter '{"services":["EC2"]}' --query 'eventTypes[:5].{Code:code,Service:service,Category:category}' --output table 2>/dev/null || echo "  Cannot describe event types"
+echo "Step 3: Describing affected entities"
+aws health describe-affected-entities --filter '{"eventArns":["arn:aws:health:us-east-1::event/EC2/example"]}' 2>/dev/null || echo "  No affected entities (expected with no active events)"
+echo ""
+echo "Tutorial complete. No resources were created — Health API is read-only."
+echo "Note: Full Health API access requires Business or Enterprise Support plan."
+rm -rf "$WORK_DIR"