You want OpenClaw running on AWS. Maybe your company already lives in the AWS ecosystem. Maybe you want S3 integration for skills. Maybe you just like AWS’s global infrastructure.
Whatever the reason, you have two paths:
- AWS Lightsail: Simple, predictable, capped monthly cost
- AWS EC2: Full control, complex, unpredictable billing
This guide covers both. We’ll deploy OpenClaw on each, configure security properly, set up IAM roles for skills that need AWS service access, and, critically, talk about the bandwidth bills that AWS doesn’t warn you about until they arrive.
The Two AWS Paths: Decision Tree
Before touching the AWS console, answer one question: Do you need AWS-specific integrations?
Choose Lightsail If:
- You just want OpenClaw running in AWS’s network
- You need predictable monthly costs
- You’re not using AWS services (S3, DynamoDB, etc.) heavily
- You want the simplest possible AWS deployment
- You’re okay with $5–15/mo flat rate
Lightsail = VPS with an AWS logo. It’s their beginner-friendly offering that competes with DigitalOcean and Linode.
Choose EC2 If:
- You need deep AWS integrations (S3, Lambda, SQS, etc.)
- You want auto-scaling or load balancers
- You have compliance requirements (specific regions, encryption, audit logs)
- Your skills pull/push significant data to S3
- You’re comfortable with AWS’s complexity and billing model
EC2 = Full AWS power. Also full AWS complexity.
The Third Option: Neither
If you don’t need AWS specifically, a generic VPS (DigitalOcean, Linode, Hetzner) is cheaper and simpler. And if you don’t need any infrastructure, PaioClaw exists. But you’re here for AWS, so let’s deploy.
Path 1: AWS Lightsail (The Simple Route)
Lightsail is AWS’s answer to “why is everything so complicated?” It’s a VPS service with flat monthly pricing and a streamlined console.
Step 1: Create a Lightsail Instance
1. Log into AWS Console → Navigate to Lightsail
2. Click Create instance
3. Choose instance location: pick a region close to your users (us-east-1, eu-west-1, etc.)
4. Select platform: Linux/Unix
5. Select blueprint: OS Only → Ubuntu 22.04 LTS
6. Choose instance plan: $5/mo (1 GB RAM), $10/mo (2 GB RAM, recommended), or $20/mo (4 GB RAM)
7. Name your instance: openclaw-agent
8. Click Create instance
Takes 60 seconds to provision.
Step 2: Configure SSH Access
Lightsail auto-generates SSH keys. Download the default key from Account page → SSH keys tab. Save it securely on your machine.
chmod 400 ~/Downloads/LightsailDefaultKey.pem
ssh -i ~/Downloads/LightsailDefaultKey.pem ubuntu@YOUR_INSTANCE_IP
Replace YOUR_INSTANCE_IP with the public IP shown in Lightsail dashboard.
Step 3: Secure Your Instance
Update packages:
sudo apt update && sudo apt upgrade -y
Configure firewall through Lightsail console (Networking tab): SSH (22) allowed by default; add HTTP (80) and HTTPS (443).
Add fail2ban for brute-force protection:
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Step 4: Install the OpenClaw Stack
Install Node.js, Git, and PM2:
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs git
sudo npm install -g pm2
Clone OpenClaw and install:
cd ~
git clone https://github.com/openclaw/openclaw.git
cd openclaw
npm install
cp .env.example .env
nano .env
Set your API keys (OpenAI/Anthropic) and agent name. Save and exit. Then start with PM2:
pm2 start npm --name "openclaw" -- start
pm2 startup
pm2 save
Step 5: Set Up Domain and SSL
Install Nginx and configure a reverse proxy:
sudo apt install nginx -y
sudo nano /etc/nginx/sites-available/openclaw

server {
    listen 80;
    server_name openclaw.yourdomain.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d openclaw.yourdomain.com
Done. OpenClaw is live on Lightsail.
Lightsail Bandwidth Limits (The Gotcha)
Lightsail includes data transfer in the monthly price: $5/mo plan = 2 TB/month, $10/mo = 3 TB/month, $20/mo = 4 TB/month. Overage costs $0.09/GB beyond your cap.
PaioClaw’s approach: Bandwidth is unlimited. Skills that scrape heavily don’t trigger surprise bills.
Path 2: AWS EC2 (The Full AWS Experience)
EC2 gives you more control, more integrations, and more complexity. This is for people who need deep AWS coupling.
Step 1: Launch an EC2 Instance
1. AWS Console → EC2 → Launch Instance
2. Name: openclaw-production
3. AMI: Ubuntu Server 22.04 LTS (free tier eligible)
4. Instance type: t3.micro (~$7.50/mo) or t3.small (~$15/mo, recommended)
5. Key pair: create new or select existing SSH key
6. Network: create security group openclaw-sg with SSH from My IP, HTTP/HTTPS from anywhere
7. Storage: 30 GB gp3
8. Launch instance
Step 2: Configure Security Group Properly
EC2 Console → Security Groups → openclaw-sg → Edit inbound rules. Allow SSH (22) from your IP only, HTTP (80) and HTTPS (443) from 0.0.0.0/0, and optionally port 3000 from your IP for direct OpenClaw access.
Step 3: Connect and Install OpenClaw
ssh -i your-key.pem ubuntu@YOUR_EC2_PUBLIC_IP
Follow the same installation steps as Lightsail: update packages, install Node.js/Git/PM2, clone OpenClaw, configure .env, start with PM2, set up Nginx + SSL.
Step 4: Create IAM Role for S3 Access
This is where EC2 shines. If your skills need to read/write S3, grant access through IAM roles (no hardcoded credentials).
1. IAM Console → Roles → Create role
2. Trusted entity type: AWS service; Use case: EC2
3. Attach AmazonS3ReadOnlyAccess (read) or AmazonS3FullAccess (write), or a custom scoped policy
4. Role name: OpenClawS3Access
5. Attach role to instance: EC2 → Instances → Actions → Security → Modify IAM role
Now your skills can access S3 without hardcoded AWS keys. Example skill code:
const { S3Client, GetObjectCommand } = require("@aws-sdk/client-s3");

// No credentials needed — uses instance IAM role automatically
const s3 = new S3Client({ region: "us-east-1" });

// Fetch one object and return its body as a string
async function readFromS3(bucket, key) {
  const command = new GetObjectCommand({ Bucket: bucket, Key: key });
  const response = await s3.send(command);
  // Process data...
  return response.Body.transformToString();
}

PaioClaw’s equivalent: Managed credential vaults. Add AWS keys once through their UI; skills use them without exposing raw keys.
Step 5: Set Up CloudWatch Logging (Optional)
wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
Cost: CloudWatch Logs charges ~$0.50/GB ingested. If OpenClaw is chatty, this adds up.
EC2 vs Lightsail: Feature Comparison
- Pricing — Lightsail: flat monthly | EC2: pay-per-use (complex)
- Bandwidth — Lightsail: 2-4 TB included | EC2: $0.09/GB
- Setup complexity — Lightsail: low | EC2: high
- IAM roles — Lightsail: no | EC2: yes
- Auto-scaling & Load balancers — Lightsail: no/basic | EC2: full ALB/NLB
- VPC integration — Lightsail: limited | EC2: full
- Monitoring — Lightsail: basic metrics | EC2: CloudWatch (paid)
When to Use Which
Lightsail: standalone agent, no heavy AWS service usage, predictable budget, simplicity matters.
EC2: skills need S3/Lambda/DynamoDB, enterprise compliance, auto-scaling for traffic spikes, already managing complex AWS infrastructure.
The Hidden AWS Costs (No One Talks About)
Data Transfer Costs
Lightsail: included up to your cap, then $0.09/GB. EC2: outbound internet traffic $0.09/GB (first 1 GB/mo free), inter-region $0.02/GB, inbound is free.
Real scenario: scraper downloads 50 GB/day inbound (free), uploads 10 GB/day to S3 outbound = 300 GB/month × $0.09 = $27/month in bandwidth alone.
EBS Storage Costs
EC2 instances come with EBS volumes: gp3 at $0.08/GB-month. 30 GB = $2.40/mo, 100 GB = $8/mo. This is in addition to instance costs.
Elastic IP Costs
Free while instance is running, $3.60/month if instance is stopped but you keep the IP. Forgot to release one when testing? You’re paying for it.
CloudWatch Costs
- Metrics: first 10 custom free, then $0.30/metric/month
- Logs: $0.50/GB ingested, $0.03/GB stored
- Alarms: $0.10/alarm/month
The Bandwidth Bill Horror Story
Real example: someone deployed OpenClaw with a skill that scraped news sites every hour. Processing errors caused repeated re-fetches; error logs uploaded to S3 hit 500 GB/month outbound. Bandwidth bill: $45 on top of a $15/mo t3.small. Total AWS bill: $60+.
How to Avoid AWS Bill Shock
1. Set up billing alerts (AWS Budgets) — alert at 80% of expected monthly cost
2. Use AWS Cost Explorer for daily spend breakdown
3. Tag resources (Project=OpenClaw) and filter by tag
4. Monitor data transfer with CloudWatch NetworkOut alarm (>100 GB/day)
5. Use S3 Intelligent-Tiering for skills that store data
Security Configuration Deep Dive
Security Group Rules (Detailed)
Inbound: SSH 22 from your IP only, HTTP 80 and HTTPS 443 from 0.0.0.0/0. Outbound: all traffic to 0.0.0.0/0 — OpenClaw needs internet access for LLM APIs, GitHub, and connected services.
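The inbound rules above can be checked mechanically. The following is an added example, not part of the original guide or of OpenClaw: it flags any rule open to the whole internet on anything other than TCP 80 or 443, using constructed data in the shape returned by aws ec2 describe-security-groups (the group names and the 203.0.113.10 address are assumptions).

```javascript
// Added example; SAMPLE_GROUPS is constructed data, not output from a real account.
const WORLD = new Set(["0.0.0.0/0", "::/0"]);
const PUBLIC_PORTS = new Set([80, 443]); // the only ports the guide opens to everyone

function auditSecurityGroup(group) {
  const findings = [];
  for (const perm of group.IpPermissions || []) {
    const sources = [
      ...(perm.IpRanges || []).map((r) => r.CidrIp),
      ...(perm.Ipv6Ranges || []).map((r) => r.CidrIpv6),
    ].filter((cidr) => WORLD.has(cidr));
    if (sources.length === 0) continue; // source is restricted, nothing to flag
    // IpProtocol "-1" means all protocols and ports; FromPort/ToPort are absent.
    const all = perm.IpProtocol === "-1";
    if (!all && !["tcp", "udp"].includes(perm.IpProtocol)) continue;
    const from = all ? 0 : perm.FromPort;
    const to = all ? 65535 : perm.ToPort;
    const ok = perm.IpProtocol === "tcp" && from === to && PUBLIC_PORTS.has(from);
    if (!ok) {
      const ports = from === to ? String(from) : `${from}-${to}`;
      findings.push({ group: group.GroupName, ports, sources });
    }
  }
  return findings;
}

// Helper that builds one IpPermissions entry for the constructed sample.
const rule = (proto, port, v4 = [], v6 = []) => ({
  IpProtocol: proto,
  ...(port === null ? {} : { FromPort: port, ToPort: port }),
  IpRanges: v4.map((CidrIp) => ({ CidrIp })),
  Ipv6Ranges: v6.map((CidrIpv6) => ({ CidrIpv6 })),
});

const SAMPLE_GROUPS = [
  { GroupName: "openclaw-sg", IpPermissions: [
    rule("tcp", 22, ["203.0.113.10/32"]),
    rule("tcp", 80, ["0.0.0.0/0"]),
    rule("tcp", 443, ["0.0.0.0/0"], ["::/0"]),
    rule("tcp", 3000, ["0.0.0.0/0"]), // direct app port left open to everyone
  ] },
  { GroupName: "openclaw-test-sg", IpPermissions: [
    rule("tcp", 22, ["0.0.0.0/0"], ["::/0"]),
    rule("-1", null, ["0.0.0.0/0"]),
  ] },
];

for (const g of SAMPLE_GROUPS) {
  for (const f of auditSecurityGroup(g)) {
    console.log(`${f.group}: ports ${f.ports} open to ${f.sources.join(", ")}`);
  }
}
```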
IAM Role Best Practices
Principle of least privilege: don’t use AmazonS3FullAccess if skills only read. Create custom policies scoped to specific buckets:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-openclaw-data/*",
        "arn:aws:s3:::my-openclaw-data"
      ]
    }
  ]
}

If a skill gets compromised, it can’t trash your entire S3 account.
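A policy like the one above can be linted before it is attached to the role. This is an added example, not code from the guide or from OpenClaw: it flags wildcard actions, resources that span buckets, and the common mismatch where s3:ListBucket is granted only on the object ARN (bucket/*) and therefore never matches. The three sample policies are constructed for illustration.

```javascript
// Added example; the three policies below are constructed for illustration.
const OBJECT_ACTIONS = new Set(["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]);
const BUCKET_ACTIONS = new Set(["s3:ListBucket", "s3:GetBucketLocation"]);
const S3_ARN = "arn:aws:s3:::";
const asList = (v) => (Array.isArray(v) ? v : [v]);

function lintS3Policy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);
    for (const a of actions) {
      if (a.includes("*")) findings.push(`statement ${i}: wildcard action ${a}`);
    }
    for (const r of resources) {
      const bucket = r.replace(S3_ARN, "").split("/")[0];
      if (bucket.includes("*")) findings.push(`statement ${i}: resource ${r} spans buckets`);
    }
    // Object actions match only bucket/key ARNs; bucket actions only the bare bucket ARN.
    const hasObjectArn = resources.some((r) => r.startsWith(S3_ARN) && r.includes("/"));
    const hasBucketArn = resources.some((r) => r.startsWith(S3_ARN) && !r.includes("/"));
    for (const a of actions) {
      if (OBJECT_ACTIONS.has(a) && !hasObjectArn) findings.push(`statement ${i}: ${a} has no object ARN`);
      if (BUCKET_ACTIONS.has(a) && !hasBucketArn) findings.push(`statement ${i}: ${a} has no bucket ARN`);
    }
  });
  return findings;
}

// Build a single-statement Allow policy for the samples.
const allow = (Action, Resource) => ({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action, Resource }],
});
const SCOPED = allow(
  ["s3:GetObject", "s3:ListBucket"],
  ["arn:aws:s3:::my-openclaw-data/*", "arn:aws:s3:::my-openclaw-data"]
);
const BROAD = allow("s3:*", "*"); // full-access style grant
const NO_BUCKET_ARN = allow(["s3:GetObject", "s3:ListBucket"], "arn:aws:s3:::my-openclaw-data/*");

for (const [name, p] of Object.entries({ SCOPED, BROAD, NO_BUCKET_ARN })) {
  console.log(name, lintS3Policy(p));
}
```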
VPC Configuration (Advanced)
For production, create a dedicated VPC (10.0.0.0/16) with public subnet (10.0.1.0/24), Internet Gateway, and updated route table. Isolates OpenClaw from other AWS resources and supports future expansion (private subnets for databases).
Performance Tuning for AWS
Instance Sizing Guidelines
- t3.micro (1 GB RAM): testing, light usage (<100 requests/day)
- t3.small (2 GB RAM): personal use, moderate workloads
- t3.medium (4 GB RAM): production use, team agents
Rule of thumb: start small, monitor CloudWatch memory metrics, upgrade if >80% used consistently.
Swap Space (EC2 Only)
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Prevents OOM crashes on smaller instances.
EBS Optimization
For I/O-heavy skills, enable EBS optimization (default on t3.medium+) and use gp3 volumes instead of gp2 — same price, better baseline performance, configurable IOPS.
Monitoring and Alerts (AWS-Specific)
CloudWatch Alarms You Should Set
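1. High CPU usage:
aws cloudwatch put-metric-alarm --alarm-name openclaw-high-cpu \
  --metric-name CPUUtilization --namespace AWS/EC2 \
  --dimensions Name=InstanceId,Value=YOUR_INSTANCE_ID \
  --statistic Average --period 300 --threshold 80 \
  --comparison-operator GreaterThanThreshold --evaluation-periods 2
2. Data transfer spike (10 GB/hour threshold):
aws cloudwatch put-metric-alarm --alarm-name openclaw-bandwidth-spike \
  --metric-name NetworkOut --namespace AWS/EC2 \
  --dimensions Name=InstanceId,Value=YOUR_INSTANCE_ID \
  --statistic Sum --period 3600 --threshold 10737418240 \
  --comparison-operator GreaterThanThreshold --evaluation-periods 1
Replace YOUR_INSTANCE_ID with the ID of the OpenClaw instance. Add --alarm-actions with an SNS topic ARN to either command if the alarm should notify you rather than only change state.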
3. Instance status check failure: built-in alarm in EC2 console → Monitoring tab → Create alarm.
Backup Strategy for AWS
Lightsail Snapshots
Manual: Lightsail console → Your instance → Snapshots tab → Create snapshot. Cost: $0.05/GB-month (only for changed data). Automated snapshots keep 7 days of daily snapshots, free for first 20 GB.
EC2 EBS Snapshots
aws ec2 create-snapshot --volume-id vol-xxxxxxxxx --description "OpenClaw backup $(date +%Y%m%d)"
Or use AWS Backup with daily/weekly schedules and retention policies. Cost: $0.05/GB-month (incremental).
The Cost Reality Check
Lightsail ($10/mo plan) — 6 months
- Instance: $10/mo × 6 = $60
- Snapshots (avg 20 GB): $1/mo × 6 = $6
- Domain prorated: $6
- Subtotal: $72
- Bandwidth overages (1 TB × 6 months): $540
- Time: 9 hours × $50/hour = $450
- Grand total: $522 (no overage) or $1,062 (with overage)
EC2 (t3.small) — 6 months
- Instance: $15/mo × 6 = $90
- EBS storage (30 GB): $14.40
- Data transfer (500 GB/mo): $270
- CloudWatch logs: $15
- Snapshots: $6
- Subtotal: $395.40
- Time: 9 hours × $50/hour = $450
- Grand total: $845.40
PaioClaw Managed Service
- Direct cost: Starts FREE
- Setup: 5 minutes = $0
- Maintenance: 0 hours = $0
The reality: PaioClaw costs 1/4 to 1/8 of DIY AWS when you factor in time.
When AWS Makes Sense vs When It Doesn’t
AWS is the right choice if:
- You’re already deep in the AWS ecosystem
- Skills need S3, Lambda, DynamoDB, or other AWS services
- You have enterprise compliance (HIPAA, SOC2) requiring AWS
- Your company has AWS credits or enterprise agreements
- You’re a developer who enjoys infrastructure
AWS is overkill if:
- You just want an AI agent (no specific AWS requirements)
- You’re budget-conscious (hidden costs add up)
- You don’t want to manage infrastructure
- You’re running simple personal workflows
- Bandwidth costs make you nervous
The PaioClaw Alternative
PaioClaw runs on cloud infrastructure but abstracts all of this: no security group configuration, no IAM role management, no bandwidth surprise bills, no instance sizing decisions, no CloudWatch log costs, no EBS snapshot scheduling. Cloud hosting without the AWS complexity tax.
The Bottom Line
You can absolutely run OpenClaw on AWS. We just showed you how — both the simple way (Lightsail) and the complex way (EC2). But ask yourself: Do you need AWS? Or do you just need OpenClaw in the cloud?
The math is harsh:
- Lightsail: $10/mo + 1 hr/month maintenance = $60/mo (time-valued)
- EC2: $15–30/mo + unpredictable bandwidth bills + 1–2 hr/month = $80–150/mo
- PaioClaw: Starts Free, $15/mo + 0 maintenance = $15/mo
AWS makes sense in specific contexts. For everyone else, it’s expensive cosplay as a cloud architect. Choose accordingly.

