
OpenClaw on EC2: The Proven AWS Instance Setup for AI Agents

Get OpenClaw running on AWS EC2 with the right instance type, security group rules, and a systemd service that survives reboots. This is the setup that keeps production agents online 24/7 without surprise bills or random crashes.

J. Donovan
Cloud Infrastructure · aiagentsguides.com
Feb 10, 2025
Updated Mar 1, 2025
Key Takeaways
  • A t3.medium (2 vCPU / 4 GB RAM) handles most OpenClaw production workloads without OOM crashes
  • Always use an Elastic IP — EC2 public IPs rotate on every stop/start and will break your webhook URLs
  • A systemd service unit is the correct way to run OpenClaw persistently — not tmux, screen, or nohup
  • Security group rules should keep OpenClaw's admin port off the public internet entirely
  • Use a separate EBS volume for OpenClaw data so you can snapshot agent state independently of the OS

Ninety-three percent of the OpenClaw community survey respondents who reported stable 30-day uptime were running on a dedicated cloud instance — not shared hosting, not a containerised side-car, not someone's dev laptop. EC2 is the most common choice. Here's why, and exactly how to do it right.

Why EC2 for OpenClaw

EC2 gives you a full Linux environment, predictable networking, and the ability to choose exactly how much compute you're paying for. OpenClaw needs persistent disk state, a stable IP for webhooks, and enough RAM to handle concurrent agent sessions without swapping. Managed app platforms abstract away control you actually need here.

The other reason EC2 wins: the AWS ecosystem. You can attach an Elastic IP in seconds, sit behind an Application Load Balancer when you need HTTPS termination, and use IAM roles to give OpenClaw access to S3 for agent memory — all without leaving the same console.

Sound familiar? Most people start on a VPS and hit the same ceiling around 3–4 concurrent agents. EC2 lets you resize without reprovisioning.

Instance and Region Selection

Pick your region first. Choose the AWS region closest to your users or the services your agents call. Latency to external APIs adds up fast when agents make 10–20 API calls per conversation turn.

For instance type, here's the decision matrix:

Instance      vCPU / RAM    Use Case                       Monthly (est.)
t3.small      2 / 2 GB      Dev/testing only               ~$15
t3.medium     2 / 4 GB      Standard production            ~$30
t3.large      2 / 8 GB      High-traffic or multi-agent    ~$60
c6i.xlarge    4 / 8 GB      CPU-bound workloads            ~$122

Start with t3.medium. You can resize to t3.large with a stop/start — no reprovisioning, no data loss.

💡
Use a Savings Plan

If you're committing to OpenClaw long-term, a 1-year Compute Savings Plan cuts your EC2 bill by 30–40%. Apply it after you've run on On-Demand for a month and confirmed your instance size is right.

Launch and Initial Configuration

Launch an Ubuntu 24.04 LTS AMI (search for "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04" in the AMI catalog). Ubuntu 24.04 ships with systemd, Python 3.12, and a kernel new enough to avoid the glibc issues that bit OpenClaw users on older Debian images.

Step 01
Allocate an Elastic IP

Before you configure anything, go to EC2 → Elastic IPs → Allocate Elastic IP Address, then Associate it with your new instance. Do this now, before you set up any webhooks or DNS records.

Step 02
Attach a Data Volume

Create a 20 GB gp3 EBS volume in the same AZ as your instance. Attach it as /dev/sdf, format it with ext4, and mount it at /opt/openclaw-data. This keeps agent memory, logs, and config separate from the OS volume.

Step 03
Update the System

SSH in and run sudo apt update && sudo apt upgrade -y before installing anything. A fresh EC2 instance often has several hundred pending updates that can affect package resolution.

We'll get to the OpenClaw install in a moment — but first you need to understand why the volume setup matters.

Here's where most people stop: they install OpenClaw straight onto the root volume, everything works, and then six months later they want to take a snapshot of their agent's conversation history. On a combined OS+data volume, that snapshot includes gigabytes of OS you don't need. A separate data volume snapshots in seconds and costs a fraction of the price.

Install OpenClaw on EC2

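OpenClaw's installer handles all dependencies on Ubuntu 24.04. The install line pipes a remote script straight into bash, and that script escalates with sudo, so if you want to review what it does, download it to a file and read it before running it. Run the following as your non-root user (the installer will sudo as needed):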

# Update and install prerequisites
sudo apt update && sudo apt install -y curl git unzip

# Download and run the OpenClaw installer
curl -fsSL https://get.openclaw.io/install.sh | bash

# Verify the install
openclaw --version

# Initialise OpenClaw with your data directory
openclaw init --data-dir /opt/openclaw-data

# Set your model API key
openclaw config set model.provider openai
openclaw config set model.api_key "${OPENAI_API_KEY}"

# Test the connection
openclaw doctor

The openclaw doctor command checks every dependency, network connection, and permission. Fix any red items it reports before proceeding.

⚠️
Never Store API Keys in Shell History

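The config set command above takes the key from an environment variable: the shell expands ${OPENAI_API_KEY} before the command runs, so only the variable name is recorded. Set OPENAI_API_KEY in your shell session first, then run the command. This keeps your key out of ~/.bash_history, provided you set the variable without typing the key on a command line of its own (an export line containing the key is recorded like any other command). Better yet, use AWS Secrets Manager and the openclaw-aws-secrets integration.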

Systemd Service Setup

This is the step that separates stable production deployments from "I'll just leave it in tmux." Systemd manages OpenClaw as a proper service: starts on boot, restarts on crash, logs to journald.

# Create the service unit file
sudo tee /etc/systemd/system/openclaw.service <<'EOF'
[Unit]
Description=OpenClaw AI Agent Service
# Order after network-online.target: Wants= pulls it in but does not order startup
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=ubuntu
Group=ubuntu
WorkingDirectory=/opt/openclaw-data
ExecStart=/usr/local/bin/openclaw serve --config /opt/openclaw-data/config.yaml
Restart=on-failure
RestartSec=5s
StandardOutput=journal
StandardError=journal
SyslogIdentifier=openclaw
Environment="HOME=/home/ubuntu"
EnvironmentFile=-/opt/openclaw-data/.env

[Install]
WantedBy=multi-user.target
EOF

# Reload systemd and enable the service
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw

# Confirm it's running
sudo systemctl status openclaw

The EnvironmentFile line loads secrets from /opt/openclaw-data/.env — create that file with your API keys and set its permissions to 600. Never put secrets directly in the service unit file, which is world-readable on most systems.

As of early 2025, the Restart=on-failure policy with a 5-second delay is the recommended approach for OpenClaw. Restart=always can cause rapid restart loops if OpenClaw exits due to an invalid config — on-failure only restarts on non-zero exit codes.

Security Groups and Networking

Your security group is your firewall. Get this wrong and you're either locked out or exposed.

Minimum inbound rules:

  • SSH (TCP 22) — source: your IP address only, not 0.0.0.0/0
  • HTTPS (TCP 443) — source: 0.0.0.0/0 only if you're receiving webhooks

Outbound rules: all traffic to 0.0.0.0/0 is fine. OpenClaw needs to reach model provider APIs on port 443.

Never open these ports publicly: OpenClaw's admin UI (default 3000), any database port, or any port that doesn't need to be externally accessible.

For webhook-based integrations (Telegram, Discord, Slack), put an Application Load Balancer in front of your EC2 instance. The ALB handles HTTPS termination and you keep EC2's security group locked down to only the ALB's security group as an inbound source.
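The inbound rules above can be checked mechanically. The following is an added example, not code from the original guide or from OpenClaw: it audits one entry of the SecurityGroups array returned by aws ec2 describe-security-groups against those rules. The function names, finding codes and sample group are constructed for illustration.

```python
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {443}      # webhook listener may face the internet
SSH_PORT = 22          # must be restricted to the operator's IP
ADMIN_PORT = 3000      # OpenClaw admin UI default, per the guide


def world_ports(perm):
    """Ports a rule exposes to the whole internet, as a range (None if none)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    if not WORLD.intersection(cidrs):
        return None                      # scoped to specific CIDRs or SGs
    if perm["IpProtocol"] == "-1":       # "all traffic" rules carry no ports
        return range(0, 65536)
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return None                      # ICMP etc.: no port semantics
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit(sg):
    """Return sorted finding codes for one entry of SecurityGroups[]."""
    findings = set()
    known = {SSH_PORT, ADMIN_PORT} | PUBLIC_OK
    for perm in sg.get("IpPermissions", []):
        ports = world_ports(perm)
        if ports is None:
            continue
        if SSH_PORT in ports:
            findings.add("ssh-open-to-world")
        if ADMIN_PORT in ports:
            findings.add("admin-ui-open-to-world")
        # Anything in the range beyond 22, 3000 and 443 is an extra exposure.
        if len(ports) > sum(p in ports for p in known):
            findings.add("unexpected-port-open-to-world")
    return sorted(findings)


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3001,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A group that allows 22 from a single /32 and 443 only from the ALB's security group returns no findings.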

Common Mistakes

These are the problems we see consistently across new EC2 deployments:

  1. Skipping the Elastic IP — the instance gets a new public IP after every stop/start, breaking all webhooks. Allocate the EIP on day one.
  2. Running as root — OpenClaw doesn't need root. Create a dedicated system user and run the service under it. If the process is ever compromised, blast radius is limited to that user's permissions.
  3. Storing secrets in config.yaml under version control — use the EnvironmentFile pattern shown above and keep secrets in /opt/openclaw-data/.env with mode 600.
  4. Undersized instance — a t3.micro will handle 1–2 agents in testing but OOM-crashes under real load. Start with t3.medium and adjust.
  5. No CloudWatch monitoring — install the CloudWatch agent and set an alarm on memory utilisation above 85%. EC2's default metrics don't include memory, which is where OpenClaw problems show up first.
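Mistakes 2 and 3, and the EnvironmentFile advice in the systemd section, can be caught before a unit is deployed. The following is an added example, not code from the original guide or from OpenClaw: it reads a unit file's [Service] section and reports a missing or root User=, secret-looking names in Environment= lines, and an EnvironmentFile readable by group or others. The function names, finding codes and sample unit are constructed for illustration.

```python
import os
import re
import stat

SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)
ASSIGNMENT = re.compile(r"(?:^|[\s\"'])([A-Za-z_]\w*)=")


def service_settings(unit_text):
    """(key, value) pairs from [Service]; systemd allows repeated keys."""
    section, pairs = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def lint_unit(unit_text):
    """Return findings for the privilege and secret-handling mistakes above."""
    pairs = service_settings(unit_text)
    findings = []
    users = [v for k, v in pairs if k == "User"]
    if not users or users[-1] in ("root", "0"):
        findings.append("runs-as-root")          # no User= means root
    for key, value in pairs:
        if key == "Environment":                 # unit files are world-readable
            for name in ASSIGNMENT.findall(value):
                if SECRET_NAME.search(name):
                    findings.append(f"secret-in-unit:{name}")
        elif key == "EnvironmentFile":
            path = value.lstrip("-")             # leading "-": file is optional
            if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                findings.append(f"env-file-not-600:{path}")
    return findings


# Constructed unit that repeats two of the mistakes (placeholder key value).
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/local/bin/openclaw serve --config /opt/openclaw-data/config.yaml
Environment="HOME=/root" "OPENAI_API_KEY=PLACEHOLDER"
"""

if __name__ == "__main__":
    print(lint_unit(SAMPLE_UNIT))
```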

Frequently Asked Questions

Which EC2 instance type is best for OpenClaw?

A t3.medium (2 vCPU, 4 GB RAM) handles most OpenClaw deployments comfortably. If you're running large models locally alongside OpenClaw, step up to a t3.large or c6i.xlarge. The t3.micro is too constrained and causes OOM crashes under load.

Does OpenClaw work on AWS Free Tier?

A t2.micro or t3.micro qualifies for Free Tier but will struggle. OpenClaw's base process needs at least 512 MB RAM plus headroom for model API responses. Free Tier is fine for testing, not for any production or regular-use setup.

How do I keep OpenClaw running after SSH disconnect?

Use the systemd service unit shown in this guide. It starts OpenClaw on boot, restarts on crash with a 5-second delay, and logs everything to journald. Never rely on a tmux or screen session for anything running continuously.

What security group rules does OpenClaw need on EC2?

Inbound: SSH (22) from your IP only, HTTPS (443) from 0.0.0.0/0 if you're exposing a webhook. Outbound: 443 to 0.0.0.0/0 for model API calls. Never open OpenClaw's admin port to the public internet.

Should I use an Elastic IP for my OpenClaw EC2 instance?

Yes, allocate an Elastic IP and associate it before you configure webhooks or DNS. EC2 public IPs change on every stop/start. An Elastic IP stays fixed, so your webhook URLs and DNS records stay valid after reboots or instance stops.

How do I update OpenClaw on EC2 without downtime?

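Pull the new version, run the update script, then do a systemctl reload openclaw instead of restart. Reload triggers a graceful shutdown that finishes in-flight requests before the new binary takes over. Full downtime is typically under 2 seconds. Note that systemd only accepts reload for units that define an ExecReload= command, which the unit shown in this guide does not, so the unit needs one before this works.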

What storage volume should I attach to my EC2 instance?

The default 8 GB gp3 root volume is enough for OpenClaw itself. Attach a separate gp3 EBS volume for logs and persistent data — 20 GB is plenty to start. Separate volumes let you snapshot agent data independently of the OS.

Can I use EC2 Spot Instances for OpenClaw?

Spot Instances cut costs by 60–90% but can be interrupted with 2 minutes notice. They work for stateless or batch agent workloads. For always-on conversational agents or webhook receivers, use On-Demand or Reserved Instances instead.

J. Donovan
Cloud Infrastructure Specialist · aiagentsguides.com

J. Donovan has deployed OpenClaw across AWS, GCP, and bare metal. He's run production agent workloads on EC2 since OpenClaw v1.1, and has personally debugged the security group misconfigurations, OOM crashes, and missing Elastic IP stories that inform every recommendation in this guide.
