Deploy OpenClaw on AWS EC2

1. Overview

Amazon EC2 gives you a virtual server in the cloud with full control. OpenClaw runs on any Linux AMI that supports Node.js 22+; we recommend Ubuntu 22.04 LTS or Amazon Linux 2023. This guide covers:

• Launching an EC2 instance (Ubuntu 22.04, instance type, storage)
• Security group rules: SSH only; do not expose the OpenClaw gateway port to the internet
• Connecting via SSH and installing Node.js 22+ and OpenClaw
• Running OpenClaw as a systemd service for 24/7 operation
• Cost notes: Free Tier (t3.micro) vs production (t3.small and above)
• Common issues and links to troubleshooting and security best practices

2. Prerequisites

• AWS account - Sign up at aws.amazon.com if needed. Free Tier includes 750 hours/month of t2.micro or t3.micro for 12 months (region-dependent).
• SSH key pair - Create or import a key in EC2 for instance access. You will need the private key (.pem) on your local machine.
• LLM API key - At least one: Anthropic Claude, OpenAI, DeepSeek, or Ollama (local).
• Optional: A messaging app account for your first channel - e.g. Telegram, Discord, WhatsApp.

3. Launch an EC2 Instance

3.1 Choose AMI and instance type

• In the AWS Console, go to EC2 → Launch Instance.
• Name: e.g. openclaw.
• AMI: Ubuntu Server 22.04 LTS (recommended). Amazon Linux 2023 also works.
• Instance type:
  • Free Tier / light use: t3.micro or t2.micro (1 vCPU, 1 GB RAM). Adequate for a single user or light automation.
  • Production / multiple channels: t3.small (2 vCPU, 2 GB RAM) or t3.medium (2 vCPU, 4 GB RAM) for smoother performance.
• Key pair: Create a new key pair or select an existing one. Download the .pem file and keep it secure.
• Storage: 8–20 GB gp3 is sufficient for OpenClaw and config.

3.2 Configure security group (critical for security)

Create or select a security group with only the following:

• SSH (port 22): Your IP only, or a narrow range. Do not use 0.0.0.0/0 in production if avoidable.
• Do not open port 1618 (OpenClaw gateway) to the internet. The gateway should bind to 127.0.0.1 on the instance; you access it via SSH port forwarding, Tailscale, or another VPN. See Security Best Practices and Network Isolation.

Launch the instance and note its public IP (or use an Elastic IP for a fixed address).

4. Connect via SSH

From your local machine (replace with your key path and instance IP):

ssh -i /path/to/your-key.pem ubuntu@YOUR_EC2_PUBLIC_IP

For Amazon Linux 2023, the user is typically ec2-user:

ssh -i /path/to/your-key.pem ec2-user@YOUR_EC2_PUBLIC_IP

5. Install Node.js 22+ and OpenClaw

On the EC2 instance (Ubuntu 22.04), install Node.js 22+ if not present, then run the official one-line installer:

# Optional: install Node.js 22 via NodeSource (Ubuntu/Debian)
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs

# Install OpenClaw (installs Node 22 if needed and runs onboarding)
curl -fsSL https://openclaw.ai/install.sh | bash

The script will create ~/.openclaw and may start the onboarding wizard. If not, run:

openclaw setup

Complete the wizard: choose an LLM provider, add your API key, and optionally add your first channel (e.g. Telegram). See the Quick Start Guide and Post-installation setup for details.

6. Run OpenClaw as a systemd service

To keep OpenClaw running after you disconnect and to start it on reboot:

# Install the systemd unit (run as the user that runs OpenClaw)
sudo openclaw service install --systemd

# Enable and start the service
sudo systemctl enable openclaw
sudo systemctl start openclaw

# Check status
sudo systemctl status openclaw
openclaw status

View logs: journalctl -u openclaw -f or openclaw logs. Ensure the gateway is bound to 127.0.0.1 only; see Security Best Practices.

7. Cost and instance sizing

• AWS Free Tier (12 months): 750 hours/month of t2.micro or t3.micro in eligible regions. Good for trying OpenClaw; may be tight for heavy use.
• Paid, low-cost: t3.micro or t3.small in a low-cost region can be roughly ~$8–15/month plus data transfer. See EC2 pricing.
• Elastic IP: Free while attached to a running instance; may incur charge if left attached when the instance is stopped. Useful for a stable IP for SSH or VPN.
• For a cost comparison across providers, see our VPS comparison and cost calculator.

8. Common issues

For more fixes, see the full Troubleshooting Guide.

9. Best practices

• Security: Follow our Security Best Practices. Never expose the OpenClaw gateway port (1618) to the internet; use SSH tunneling, Tailscale, or a VPN for remote access.
• Updates: Regularly update OpenClaw. After upgrading, restart: sudo systemctl restart openclaw.
• Backups: Back up ~/.openclaw (config and credentials). Store backups securely; do not commit credentials to version control.
• Post-install: Run through the Security Checklist after setup.

10. Next steps

• Installation hub - macOS, Windows (WSL2), Linux, Docker, VPS, Raspberry Pi
• Post-installation setup - onboarding, first channel, security
• Connect a channel - Telegram, Discord, WhatsApp, Slack
• ClawHub skills - extend your agent
• Use cases - automation ideas
• Community - Discord, GitHub

Related resources

• Official Documentation
• Video Tutorials
• Configuration Templates
• Configuration file guide
• VPS provider comparison - DigitalOcean, Linode, Hetzner, AWS