Get Started →

    On this page

    How to Deploy OpenClaw on AWS (Lightsail + EC2 Compared)

    You want OpenClaw running on AWS. Maybe your company already lives in the AWS ecosystem. Maybe you want S3 integration for skills. Maybe you just like AWS’s global infrastructure.

    Whatever the reason, you have two paths:

    • AWS Lightsail: Simple, predictable, capped monthly cost
    • AWS EC2: Full control, complex, unpredictable billing

    This guide covers both. We’ll deploy OpenClaw on each, configure security properly, set up IAM roles for skills that need AWS service access, and critically talk about the bandwidth bills that AWS doesn’t warn you about until they arrive.

    The Two AWS Paths: Decision Tree

    Before touching the AWS console, answer one question: Do you need AWS-specific integrations?

    Choose Lightsail If:

    • You just want OpenClaw running in AWS’s network
    • You need predictable monthly costs
    • You’re not using AWS services (S3, DynamoDB, etc.) heavily
    • You want the simplest possible AWS deployment
    • You’re okay with $5–15/mo flat rate

    Lightsail = VPS with an AWS logo. It’s their beginner-friendly offering that competes with DigitalOcean and Linode.

    Choose EC2 If:

    • You need deep AWS integrations (S3, Lambda, SQS, etc.)
    • You want auto-scaling or load balancers
    • You have compliance requirements (specific regions, encryption, audit logs)
    • Your skills pull/push significant data to S3
    • You’re comfortable with AWS’s complexity and billing model

    EC2 = Full AWS power. Also full AWS complexity.

    The Third Option: Neither

    If you don’t need AWS specifically, a generic VPS (DigitalOcean, Linode, Hetzner) is cheaper and simpler. And if you don’t need any infrastructure, PaioClaw exists. But you’re here for AWS, so let’s deploy.

    Path 1: AWS Lightsail (The Simple Route)

    Lightsail is AWS’s answer to “why is everything so complicated?” It’s a VPS service with flat monthly pricing and a streamlined console.

    Step 1: Create a Lightsail Instance

    1. 1.Log into AWS Console → Navigate to Lightsail
    2. 2.Click Create instance
    3. 3.Choose instance location: pick a region close to your users (us-east-1, eu-west-1, etc.)
    4. 4.Select platform: Linux/Unix
    5. 5.Select blueprint: OS Only → Ubuntu 22.04 LTS
    6. 6.Choose instance plan: $5/mo (1 GB RAM), $10/mo (2 GB RAM, recommended), or $20/mo (4 GB RAM)
    7. 7.Name your instance: openclaw-agent
    8. 8.Click Create instance

    Takes 60 seconds to provision.

    Step 2: Configure SSH Access

    Lightsail auto-generates SSH keys. Download the default key from Account page → SSH keys tab. Save it securely on your machine.

    chmod 400 ~/Downloads/LightsailDefaultKey.pem
    ssh -i ~/Downloads/LightsailDefaultKey.pem ubuntu@YOUR_INSTANCE_IP

    Replace YOUR_INSTANCE_IP with the public IP shown in Lightsail dashboard.

    Step 3: Secure Your Instance

    Update packages:

    sudo apt update && sudo apt upgrade -y

    Configure firewall through Lightsail console (Networking tab): SSH (22) allowed by default; add HTTP (80) and HTTPS (443).

    ? Note:Lightsail’s firewall is external to the instance. You don’t need UFW.

    Add fail2ban for brute-force protection:

    sudo apt install fail2ban -y
    sudo systemctl enable fail2ban
    sudo systemctl start fail2ban

    Step 4: Install the OpenClaw Stack

    Install Node.js, Git, and PM2:

    curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
    sudo apt install -y nodejs git
    sudo npm install -g pm2

    Clone OpenClaw and install:

    cd ~
    git clone https://github.com/openclaw/openclaw.git
    cd openclaw
    npm install
    cp .env.example .env
    nano .env

    Set your API keys (OpenAI/Anthropic) and agent name. Save and exit. Then start with PM2:

    pm2 start npm --name "openclaw" -- start
    pm2 startup
    pm2 save

    Step 5: Set Up Domain and SSL

    Install Nginx and configure a reverse proxy:

    sudo apt install nginx -y
    sudo nano /etc/nginx/sites-available/openclaw
    server {
        listen 80;
        server_name openclaw.yourdomain.com;
    
        location / {
            proxy_pass http://localhost:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
    sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl restart nginx
    sudo apt install certbot python3-certbot-nginx -y
    sudo certbot --nginx -d openclaw.yourdomain.com

    Done. OpenClaw is live on Lightsail.

    Lightsail Bandwidth Limits (The Gotcha)

    Lightsail includes data transfer in the monthly price: $5/mo plan = 2 TB/month, $10/mo = 3 TB/month, $20/mo = 4 TB/month. Overage costs $0.09/GB beyond your cap.

    ? Tip:Real-world scenario: 100 GB/day of scraping = 3 TB/month. On the $5/mo plan that’s 1 TB overage = $90 in surprise bandwidth. Your $5/mo server just cost $95 that month.

    PaioClaw’s approach: Bandwidth is unlimited. Skills that scrape heavily don’t trigger surprise bills.

    Path 2: AWS EC2 (The Full AWS Experience)

    EC2 gives you more control, more integrations, and more complexity. This is for people who need deep AWS coupling.

    Step 1: Launch an EC2 Instance

    1. 1.AWS Console → EC2 → Launch Instance
    2. 2.Name: openclaw-production
    3. 3.AMI: Ubuntu Server 22.04 LTS (free tier eligible)
    4. 4.Instance type: t3.micro (~$7.50/mo) or t3.small (~$15/mo, recommended)
    5. 5.Key pair: create new or select existing SSH key
    6. 6.Network: create security group openclaw-sg with SSH from My IP, HTTP/HTTPS from anywhere
    7. 7.Storage: 30 GB gp3
    8. 8.Launch instance

    Step 2: Configure Security Group Properly

    EC2 Console → Security Groups → openclaw-sg → Edit inbound rules. Allow SSH (22) from your IP only, HTTP (80) and HTTPS (443) from 0.0.0.0/0, and optionally port 3000 from your IP for direct OpenClaw access.

    ? Note:Don’t allow SSH from 0.0.0.0/0 (anywhere). That’s how servers get compromised in hours.

    Step 3: Connect and Install OpenClaw

    ssh -i your-key.pem ubuntu@YOUR_EC2_PUBLIC_IP

    Follow the same installation steps as Lightsail: update packages, install Node.js/Git/PM2, clone OpenClaw, configure .env, start with PM2, set up Nginx + SSL.

    Step 4: Create IAM Role for S3 Access

    This is where EC2 shines. If your skills need to read/write S3, grant access through IAM roles (no hardcoded credentials).

    1. 1.IAM Console → Roles → Create role
    2. 2.Trusted entity type: AWS service; Use case: EC2
    3. 3.Attach AmazonS3ReadOnlyAccess (read) or AmazonS3FullAccess (write), or a custom scoped policy
    4. 4.Role name: OpenClawS3Access
    5. 5.Attach role to instance: EC2 → Instances → Actions → Security → Modify IAM role

    Now your skills can access S3 without hardcoded AWS keys. Example skill code:

    const { S3Client, GetObjectCommand } = require("@aws-sdk/client-s3");
    
    // No credentials needed — uses instance IAM role automatically
    const s3 = new S3Client({ region: "us-east-1" });
    
    async function readFromS3(bucket, key) {
      const command = new GetObjectCommand({ Bucket: bucket, Key: key });
      const response = await s3.send(command);
      // Process data...
    }

    PaioClaw’s equivalent: Managed credential vaults. Add AWS keys once through their UI; skills use them without exposing raw keys.

    Step 5: Set Up CloudWatch Logging (Optional)

    wget https://s3.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
    sudo dpkg -i -E ./amazon-cloudwatch-agent.deb
    sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

    Cost: CloudWatch Logs charges ~$0.50/GB ingested. If OpenClaw is chatty, this adds up.

    EC2 vs Lightsail: Feature Comparison

    • Pricing — Lightsail: flat monthly | EC2: pay-per-use (complex)
    • Bandwidth — Lightsail: 2-4 TB included | EC2: $0.09/GB
    • Setup complexity — Lightsail: low | EC2: high
    • IAM roles — Lightsail: no | EC2: yes
    • Auto-scaling & Load balancers — Lightsail: no/basic | EC2: full ALB/NLB
    • VPC integration — Lightsail: limited | EC2: full
    • Monitoring — Lightsail: basic metrics | EC2: CloudWatch (paid)

    When to Use Which

    Lightsail: standalone agent, no heavy AWS service usage, predictable budget, simplicity matters.

    EC2: skills need S3/Lambda/DynamoDB, enterprise compliance, auto-scaling for traffic spikes, already managing complex AWS infrastructure.

    The Hidden AWS Costs (No One Talks About)

    Data Transfer Costs

    Lightsail: included up to your cap, then $0.09/GB. EC2: outbound internet traffic $0.09/GB (first 1 GB/mo free), inter-region $0.02/GB, inbound is free.

    Real scenario: scraper downloads 50 GB/day inbound (free), uploads 10 GB/day to S3 outbound = 300 GB/month × $0.09 = $27/month in bandwidth alone.

    EBS Storage Costs

    EC2 instances come with EBS volumes: gp3 at $0.08/GB-month. 30 GB = $2.40/mo, 100 GB = $8/mo. This is in addition to instance costs.

    Elastic IP Costs

    Free while instance is running, $3.60/month if instance is stopped but you keep the IP. Forgot to release one when testing? You’re paying for it.

    CloudWatch Costs

    • Metrics: first 10 custom free, then $0.30/metric/month
    • Logs: $0.50/GB ingested, $0.03/GB stored
    • Alarms: $0.10/alarm/month

    The Bandwidth Bill Horror Story

    Real example: someone deployed OpenClaw with a skill that scraped news sites every hour. Processing errors caused repeated re-fetches; error logs uploaded to S3 hit 500 GB/month outbound. Bandwidth bill: $45 on top of a $15/mo t3.small. Total AWS bill: $60+.

    ? Tip:PaioClaw doesn’t have this problem. Managed infrastructure absorbs bandwidth costs. You pay for the service tier, not per-gigabyte.

    How to Avoid AWS Bill Shock

    1. 1.Set up billing alerts (AWS Budgets) — alert at 80% of expected monthly cost
    2. 2.Use AWS Cost Explorer for daily spend breakdown
    3. 3.Tag resources (Project=OpenClaw) and filter by tag
    4. 4.Monitor data transfer with CloudWatch NetworkOut alarm (>100 GB/day)
    5. 5.Use S3 Intelligent-Tiering for skills that store data

    Security Configuration Deep Dive

    Security Group Rules (Detailed)

    Inbound: SSH 22 from your IP only, HTTP 80 and HTTPS 443 from 0.0.0.0/0. Outbound: all traffic to 0.0.0.0/0 — OpenClaw needs internet access for LLM APIs, GitHub, and connected services.

    ? Note:Common mistake: restricting outbound traffic. Don’t lock down outbound unless you have specific compliance requirements.

    IAM Role Best Practices

    Principle of least privilege: don’t use AmazonS3FullAccess if skills only read. Create custom policies scoped to specific buckets:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::my-openclaw-data/*",
            "arn:aws:s3:::my-openclaw-data"
          ]
        }
      ]
    }

    If a skill gets compromised, it can’t trash your entire S3 account.

    VPC Configuration (Advanced)

    For production, create a dedicated VPC (10.0.0.0/16) with public subnet (10.0.1.0/24), Internet Gateway, and updated route table. Isolates OpenClaw from other AWS resources and supports future expansion (private subnets for databases).

    Performance Tuning for AWS

    Instance Sizing Guidelines

    • t3.micro (1 GB RAM): testing, light usage (<100 requests/day)
    • t3.small (2 GB RAM): personal use, moderate workloads
    • t3.medium (4 GB RAM): production use, team agents

    Rule of thumb: start small, monitor CloudWatch memory metrics, upgrade if >80% used consistently.

    Swap Space (EC2 Only)

    sudo fallocate -l 2G /swapfile
    sudo chmod 600 /swapfile
    sudo mkswap /swapfile
    sudo swapon /swapfile
    echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

    Prevents OOM crashes on smaller instances.

    EBS Optimization

    For I/O-heavy skills, enable EBS optimization (default on t3.medium+) and use gp3 volumes instead of gp2 — same price, better baseline performance, configurable IOPS.

    Monitoring and Alerts (AWS-Specific)

    CloudWatch Alarms You Should Set

    1. High CPU usage:

    aws cloudwatch put-metric-alarm 
      --alarm-name openclaw-high-cpu 
      --metric-name CPUUtilization 
      --namespace AWS/EC2 
      --statistic Average 
      --period 300 
      --threshold 80 
      --comparison-operator GreaterThanThreshold 
      --evaluation-periods 2

    2. Data transfer spike (10 GB/hour threshold):

    aws cloudwatch put-metric-alarm 
      --alarm-name openclaw-bandwidth-spike 
      --metric-name NetworkOut 
      --namespace AWS/EC2 
      --statistic Sum 
      --period 3600 
      --threshold 10737418240 
      --comparison-operator GreaterThanThreshold

    3. Instance status check failure: built-in alarm in EC2 console → Monitoring tab → Create alarm.

    Backup Strategy for AWS

    Lightsail Snapshots

    Manual: Lightsail console → Your instance → Snapshots tab → Create snapshot. Cost: $0.05/GB-month (only for changed data). Automated snapshots keep 7 days of daily snapshots, free for first 20 GB.

    EC2 EBS Snapshots

    aws ec2 create-snapshot 
      --volume-id vol-xxxxxxxxx 
      --description "OpenClaw backup $(date +%Y%m%d)"

    Or use AWS Backup with daily/weekly schedules and retention policies. Cost: $0.05/GB-month (incremental).

    ? Note:PaioClaw includes automated backups with point-in-time restore. No manual snapshot management.

    The Cost Reality Check

    Lightsail ($10/mo plan) — 6 months

    • Instance: $10/mo × 6 = $60
    • Snapshots (avg 20 GB): $1/mo × 6 = $6
    • Domain prorated: $6
    • Subtotal: $72
    • Bandwidth overages (1 TB × 6 months): $540
    • Time: 9 hours × $50/hour = $450
    • Grand total: $522 (no overage) or $1,062 (with overage)

    EC2 (t3.small) — 6 months

    • Instance: $15/mo × 6 = $90
    • EBS storage (30 GB): $14.40
    • Data transfer (500 GB/mo): $270
    • CloudWatch logs: $15
    • Snapshots: $6
    • Subtotal: $395.40
    • Time: 9 hours × $50/hour = $450
    • Grand total: $845.40

    PaioClaw Managed Service

    • Direct cost: Starts FREE
    • Setup: 5 minutes = $0
    • Maintenance: 0 hours = $0

    The reality: PaioClaw costs 1/4 to 1/8 of DIY AWS when you factor in time.

    When AWS Makes Sense vs When It Doesn’t

    AWS is the right choice if:

    • You’re already deep in the AWS ecosystem
    • Skills need S3, Lambda, DynamoDB, or other AWS services
    • You have enterprise compliance (HIPAA, SOC2) requiring AWS
    • Your company has AWS credits or enterprise agreements
    • You’re a developer who enjoys infrastructure

    AWS is overkill if:

    • You just want an AI agent (no specific AWS requirements)
    • You’re budget-conscious (hidden costs add up)
    • You don’t want to manage infrastructure
    • You’re running simple personal workflows
    • Bandwidth costs make you nervous

    The PaioClaw Alternative

    PaioClaw runs on cloud infrastructure but abstracts all of this: no security group configuration, no IAM role management, no bandwidth surprise bills, no instance sizing decisions, no CloudWatch log costs, no EBS snapshot scheduling. Cloud hosting without the AWS complexity tax.

    The Bottom Line

    You can absolutely run OpenClaw on AWS. We just showed you how — both the simple way (Lightsail) and the complex way (EC2). But ask yourself: Do you need AWS? Or do you just need OpenClaw in the cloud?

    The math is harsh:

    • Lightsail: $10/mo + 1 hr/month maintenance = $60/mo (time-valued)
    • EC2: $15–30/mo + unpredictable bandwidth bills + 1–2 hr/month = $80–150/mo
    • PaioClaw: Starts Free, $15/mo + 0 maintenance = $15/mo

    AWS makes sense in specific contexts. For everyone else, it’s expensive cosplay as a cloud architect. Choose accordingly.

    ? Tip:Skip the AWS billing labyrinth. PaioClaw gives you cloud-hosted OpenClaw with predictable pricing, zero bandwidth surprises, automatic updates, and professional support. No security groups to configure, no IAM roles to debug.

    Join Our Community

    Connect with other PaioClaw users, share tips, and stay up to date.