- t3.small is the minimum viable production instance — t3.micro will OOM under real agent load
- Security group must restrict port 8080 to your ALB only — never expose the gateway directly to the internet
- Assign an Elastic IP immediately after launch — public IPs change on every stop/start without it
- Use an IAM instance role for S3 access — no hardcoded credentials, no keys to rotate or leak
- ACM + ALB handles SSL — certificates attach to the load balancer, not the EC2 instance
Deploying OpenClaw on AWS takes about 45 minutes when you know the sequence. Skip one step — leave port 8080 exposed, skip the Elastic IP, forget the IAM role — and you spend the next two hours debugging something that should have taken two minutes. Here's the full sequence, in order, with the exact commands.
Instance Selection: Why t3.small Is the Minimum
OpenClaw's gateway process runs Node.js and maintains persistent WebSocket connections to every registered agent. Under a typical setup with three to five agents, memory usage sits between 300MB and 600MB. Add conversation memory loading, webhook processing, and the occasional LLM response buffering, and you can push past 1GB on a busy system.
The t3.micro (1GB RAM) free tier instance runs OpenClaw in development. It will not run it reliably in production. The process will be killed by the Linux OOM killer within hours of real traffic. The t3.small (2GB RAM) is the practical minimum. If you run more than five agents or expect sustained concurrent usage, go directly to t3.medium (4GB RAM).
The burstable T-series CPU profile matches OpenClaw well. Agent processing is bursty — idle most of the time, then briefly CPU-intensive when a message arrives, an LLM responds, and the gateway routes the output. You accumulate CPU credits during quiet periods and spend them during bursts. This is more cost-effective than a fixed-performance M-series instance at the same price point.
Choose the AWS region closest to your primary users and your LLM provider's API endpoints. Latency between your EC2 instance and the OpenAI or Anthropic API endpoint adds up across thousands of agent turns. us-east-1 has the most services available; eu-west-1 is the right default for European deployments.
For AMI selection, use the official Ubuntu 22.04 LTS (Jammy) AMI from Canonical. Search for it in the EC2 launch wizard under "Ubuntu" and select the 64-bit (x86) version. Avoid using a community AMI — the official Canonical images are kept patched and are the standard baseline for production workloads.
Ubuntu 22.04 Initial Setup
After your instance launches and you can SSH in, run the following to update the system and install the OpenClaw runtime dependencies.
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install Node.js 20.x via NodeSource
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
# Verify
node --version # Should output v20.x.x
npm --version
# Install build tools (needed for some npm dependencies)
sudo apt install -y build-essential git
# Create a dedicated user for OpenClaw (no root)
sudo useradd -m -s /bin/bash openclaw
sudo mkdir -p /opt/openclaw
sudo chown openclaw:openclaw /opt/openclaw
Install the OpenClaw gateway globally as root so the binary lands in /usr/bin (where the systemd unit below expects it), then switch to the openclaw user to initialize the configuration. Keep the running process isolated from root — if the gateway is ever compromised, the blast radius is limited to the openclaw user's permissions.
# Global npm installs write to /usr/lib/node_modules and /usr/bin, so this step needs root
sudo npm install -g openclaw
# Everything that touches /opt/openclaw runs as the unprivileged openclaw user
sudo -u openclaw -s
cd /opt/openclaw
openclaw init
The openclaw init command generates your gateway.yaml in the current directory. Edit it to set your gateway token, allowed origins, and any provider API keys before starting the service.
Security Group Configuration
Security groups are where most AWS deployments go wrong. The mistake is exposing port 8080 (the OpenClaw gateway) directly to the public internet. Anyone who finds it can probe your API, attempt to enumerate your agents, or hammer your LLM quota.
The correct architecture is: ALB in a public subnet → EC2 in a private subnet (or with restricted security group). Create two security groups:
ALB security group (alb-sg):
- Inbound: port 443 from 0.0.0.0/0 (HTTPS from internet)
- Inbound: port 80 from 0.0.0.0/0 (HTTP redirect to HTTPS)
- Outbound: all traffic
EC2 security group (openclaw-sg):
- Inbound: port 22 from your-ip/32 (SSH — your IP only)
- Inbound: port 8080 from alb-sg (only the ALB can reach the gateway)
- Outbound: all traffic (for LLM API calls and package downloads)
If you open port 8080 to the internet "just for testing," you will forget to close it. Use the ALB from day one. It takes ten extra minutes to configure and saves you from a future security incident.
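As an added example (not code from the OpenClaw project), the following Python audits inbound rules in the shape `aws ec2 describe-security-groups` returns and flags exactly the two misconfigurations this section warns about: 8080 reachable from anything other than alb-sg, and SSH open to the world. The group ids, names and CIDRs are constructed sample data, and the ALB group is assumed to be identifiable by the GroupName alb-sg.

```python
# Added example (not OpenClaw project code): audit inbound rules in the shape
# `aws ec2 describe-security-groups` returns, flagging the two mistakes above.
# All group ids, names and CIDRs below are constructed sample data.

GATEWAY_PORT = 8080
ALB_SG_NAME = "alb-sg"  # assumption: the ALB's group carries this GroupName


def rule_covers(rule, port):
    """True if the rule's port range includes `port` (protocol -1 = all ports)."""
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    return lo == -1 or lo <= port <= hi


def audit_security_group(sg, alb_group_ids):
    """Return a list of findings for one security group (empty = passes)."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        groups = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        if rule_covers(rule, GATEWAY_PORT):
            # The gateway port may only be reachable from the ALB's security group.
            if cidrs:
                findings.append(f"{sg['GroupName']}: 8080 open to {cidrs}")
            for gid in groups:
                if gid not in alb_group_ids:
                    findings.append(f"{sg['GroupName']}: 8080 open to group {gid}")
        if rule_covers(rule, 22) and "0.0.0.0/0" in cidrs:
            findings.append(f"{sg['GroupName']}: SSH open to the internet")
    return findings


def audit_all(groups):
    """Audit every group; the ALB group's id is discovered by name."""
    alb_ids = {g["GroupId"] for g in groups if g["GroupName"] == ALB_SG_NAME}
    return {g["GroupName"]: audit_security_group(g, alb_ids) for g in groups}


def _rule(port, cidr=None, group=None):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}

ALB_SG = {"GroupId": "sg-0alb0000", "GroupName": "alb-sg",
          "IpPermissions": [_rule(443, "0.0.0.0/0"), _rule(80, "0.0.0.0/0")]}
GOOD_EC2_SG = {"GroupId": "sg-0ec20000", "GroupName": "openclaw-sg",
               "IpPermissions": [_rule(22, "203.0.113.10/32"), _rule(8080, group="sg-0alb0000")]}
BAD_EC2_SG = {"GroupId": "sg-0bad0000", "GroupName": "openclaw-sg",
              "IpPermissions": [_rule(22, "0.0.0.0/0"), _rule(8080, "0.0.0.0/0")]}
```

Feed it the `SecurityGroups` array from the real CLI output and any non-empty finding list is a rule to fix before the instance goes live.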
Elastic IP and IAM Role Setup
An Elastic IP (EIP) is a static public IP address that stays assigned to your account until you release it. Without one, every time your EC2 instance stops and starts — during maintenance, instance replacement, or an accidental shutdown — AWS assigns a new public IP. Your DNS records point to the old one, your agents fail to connect, and you spend time debugging what is actually a trivial fix.
Allocate the EIP from the EC2 console under "Elastic IPs," then associate it with your running instance. This takes two minutes and eliminates an entire class of future problems.
For S3 access, create an IAM role with a policy that grants the minimum necessary permissions. Attach this role to your EC2 instance at launch (or via the console on a running instance).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-openclaw-bucket",
        "arn:aws:s3:::your-openclaw-bucket/*"
      ]
    }
  ]
}
OpenClaw running on your EC2 instance inherits these credentials automatically via the instance metadata service (IMDS). No access keys, no secrets to manage, no rotation headache. This is the correct pattern for any AWS service accessing other AWS services.
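As an added example (not OpenClaw project code), this Python check confirms that an instance-role policy like the one above stays scoped to a single bucket and to the four S3 actions it lists, and rejects the common `s3:*` on `*` shortcut. PAGE_POLICY mirrors the JSON above with the page's placeholder bucket name; WIDE_POLICY is a constructed counter-example.

```python
# Added example (not OpenClaw project code): check that an instance-role policy
# stays scoped to one bucket and to the four actions the page grants. PAGE_POLICY
# mirrors the JSON above; WIDE_POLICY is a constructed counter-example.

ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}


def as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy, bucket):
    """Return least-privilege violations for `bucket`; an empty list means it is scoped."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed_resources = {bucket_arn, bucket_arn + "/*"}
    problems = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append("NotAction/NotResource grants by exclusion; use explicit lists")
        for action in as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:  # catches s3:* and * as well
                problems.append(f"action outside the allow-list: {action}")
        for resource in as_list(stmt.get("Resource")):
            if resource not in allowed_resources:  # catches * and other buckets
                problems.append(f"resource not scoped to {bucket}: {resource}")
    return problems


PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::your-openclaw-bucket",
                     "arn:aws:s3:::your-openclaw-bucket/*"],
    }],
}
# The "just make it work" shortcut that should never reach an instance role.
WIDE_POLICY = {"Version": "2012-10-17",
               "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
```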
Systemd Service Configuration
A systemd service ensures OpenClaw starts automatically on boot and restarts after crashes. Create the unit file as root.
sudo nano /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw AI Agent Gateway
After=network.target
[Service]
Type=simple
User=openclaw
WorkingDirectory=/opt/openclaw
ExecStart=/usr/bin/openclaw start --config /opt/openclaw/gateway.yaml
Restart=always
RestartSec=10
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=openclaw
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
Check logs with sudo journalctl -u openclaw -f. You should see the gateway start message and the listening port within a few seconds.
Route 53 Domain and SSL via ACM + ALB
Point your domain to AWS by creating an A record in Route 53 that points to your ALB's DNS name. Use an alias record (not a CNAME) for the apex domain — AWS alias records are free and resolve at the DNS layer.
For SSL, request a certificate in AWS Certificate Manager (ACM) in the same region as your ALB. Choose DNS validation — ACM will give you a CNAME record to add to Route 53, and if you're using Route 53 for your domain, ACM can create it automatically. Validation takes two to five minutes.
In your ALB configuration:
- Create an HTTPS listener on port 443, attach the ACM certificate
- Create an HTTP listener on port 80, with a redirect rule to HTTPS
- Create a target group pointing to your EC2 instance on port 8080
- Set the health check path to /api/v1/health
As of early 2025, ACM certificates auto-renew without any action on your part as long as the DNS validation record stays in place. This is the correct long-term SSL setup for any production OpenClaw deployment on AWS.
Common Mistakes
- Using t3.micro in production — the OOM killer will terminate your gateway under real load. Budget the extra $10/month for t3.small.
- Skipping the ALB and exposing 8080 directly — this is both a security risk and means no managed SSL.
- Not allocating an Elastic IP — your DNS breaks every time the instance restarts.
- Storing AWS credentials in gateway.yaml — use an IAM instance role. Environment variables in the systemd unit are also acceptable for non-AWS secrets like LLM API keys.
- Not configuring the ALB health check path — the default / health check will fail if OpenClaw returns a non-200 on the root path. Set it to /api/v1/health.
Frequently Asked Questions
What EC2 instance type should I use for OpenClaw?
Start with t3.small (2 vCPU, 2GB RAM) for production. t3.micro works for testing but will be killed under real agent load. For five or more concurrent agents or heavy LLM usage, use t3.medium. Burstable T-series instances match OpenClaw's uneven CPU profile well.
Which ports does OpenClaw need open in my security group?
Port 22 (SSH, your IP only), port 8080 (gateway, restricted to your ALB security group), and port 443 (HTTPS via ALB). Never expose port 8080 directly to the public internet — always route through the Application Load Balancer.
Do I need an Elastic IP for my OpenClaw EC2 instance?
Yes. Without one, your instance's public IP changes every stop/start, breaking DNS records and firewall rules. Allocate an Elastic IP immediately after launch and associate it with your instance. It costs nothing while attached to a running instance.
How do I give OpenClaw access to S3 without hardcoding credentials?
Attach an IAM role with an S3 policy to your EC2 instance. OpenClaw automatically inherits credentials via the instance metadata service. No access keys needed, no credentials to rotate or accidentally commit to version control.
How do I run OpenClaw as a systemd service on EC2?
Create a unit file at /etc/systemd/system/openclaw.service with Restart=always and WantedBy=multi-user.target. Run systemctl enable openclaw && systemctl start openclaw. OpenClaw survives reboots and auto-restarts on crashes.
Can I use AWS Certificate Manager for SSL with OpenClaw?
Yes — ACM certificates attach to the Application Load Balancer, not EC2 directly. The ALB terminates SSL and forwards HTTP to port 8080. Request a certificate in ACM, validate via Route 53 DNS, attach to your ALB HTTPS listener. Auto-renews indefinitely.
T. Chen has deployed OpenClaw across AWS, GCP, and bare metal environments for teams ranging from two-person startups to enterprise infrastructure. Specializes in production-grade agent reliability, IAM least-privilege design, and cost-optimized cloud architecture.