Setup & Installation

How to Run OpenClaw on AWS EC2

Intermediate | 45-60 minutes | Updated 2025-03-01

Running OpenClaw on AWS EC2 gives you cloud-based scalability and reliability. This guide covers launching an EC2 instance, configuring security, installing OpenClaw, and setting up HTTPS for production-ready deployments.

Why This Is Hard to Do Yourself

These are the common pitfalls that trip people up.

Instance Sizing

Choosing the right EC2 instance type balances performance and cost. Undersized instances cause slowdowns; oversized instances waste money.

Security Groups

Proper firewall rules are critical. Exposing unnecessary ports risks security breaches; overly restrictive rules block legitimate access.

Cost Management

EC2 costs accumulate from compute, storage, and data transfer. Without monitoring, expenses can exceed budget.

Persistence

Instance restarts or terminations can lose data if you are not using persistent volumes. EBS volumes ensure data survives instance changes.

Step-by-Step Guide

Step 1

Launch EC2 Instance

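Create a new EC2 instance with at least 2 vCPUs and 4 GB of RAM. The t3.medium instance type is recommended for production. Choose Ubuntu 22.04 LTS or Amazon Linux 2023 as the AMI.

# AWS CLI example. The IDs below are placeholders: substitute your own AMI
# (AMI IDs are region-specific), key pair, subnet, and the security group
# created in Step 2.
# /dev/xvda is the root device name on Amazon Linux; Ubuntu AMIs use /dev/sda1.
# The block device mapping is quoted so the shell does not brace-expand {...}.
aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \
  --instance-type t3.medium \
  --key-name my-keypair \
  --security-group-ids sg-0123456789abcdef0 \
  --subnet-id subnet-0bb1c79de3EXAMPLE \
  --block-device-mappings 'DeviceName=/dev/xvda,Ebs={VolumeSize=20,VolumeType=gp3}' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=openclaw-prod}]'

Step 2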

Configure Security Groups

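Create a security group that allows SSH (port 22) from your IP address only, and HTTP (port 80) and HTTPS (port 443) from anywhere. Restricting SSH to your own address keeps the management port off the public internet.

# Create security group
# The command prints the new GroupId; use it in place of
# sg-0123456789abcdef0 in the commands below.
aws ec2 create-security-group \
  --group-name openclaw-sg \
  --description "OpenClaw security group"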

# Allow SSH from your IP
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 22 \
  --cidr YOUR_IP/32

# Allow HTTP and HTTPS from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
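To confirm that the group ends up with only the rules this step intends, the following added example (not part of the original guide) audits the JSON returned by `aws ec2 describe-security-groups`. The sample document, the stand-in address for YOUR_IP, and the names `audit` and `PUBLIC_PORTS` are assumptions made for the example.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# 203.0.113.10 is a documentation address standing in for YOUR_IP; the 8080 rule
# is a deliberate mistake added for this example, not something the guide creates.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
]}]}
""")

PUBLIC_PORTS = {80, 443}  # the only ports this guide opens to everyone


def audit(doc):
    """Return sorted (group_id, ports, cidr, reason) tuples for risky TCP ingress."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # IpProtocol "-1" means all protocols and carries no port fields.
            lo, hi = (0, 65535) if proto == "-1" else (perm.get("FromPort"), perm.get("ToPort"))
            if proto not in ("tcp", "-1") or lo is None:
                continue  # udp and icmp rules are out of scope for this check
            ports = set(range(lo, hi + 1))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            label = str(lo) if lo == hi else f"{lo}-{hi}"
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0 and not ports <= PUBLIC_PORTS:
                    findings.append((group["GroupId"], label, cidr, "open to the world"))
                elif 22 in ports and net.prefixlen < net.max_prefixlen:
                    findings.append((group["GroupId"], label, cidr, "SSH wider than one host"))
    return sorted(findings)
```

On a live account, feed it the parsed output of `aws ec2 describe-security-groups --group-ids <your group id> --output json` instead of `SAMPLE`.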

Step 3

Install Dependencies

SSH into the instance and install Docker and Docker Compose. These are required to run OpenClaw in containers.

# SSH into instance
ssh -i my-keypair.pem ubuntu@ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com

# Install Docker (read get-docker.sh before running it as root)
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# Members of the docker group have root-equivalent access to the host;
# the group change takes effect at the next login.
sudo usermod -aG docker ubuntu

# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Step 4

Install OpenClaw

Clone the OpenClaw repository and start the containers. Use a persistent Docker volume to ensure data survives instance restarts.

# Clone repository
git clone https://github.com/openclaw/openclaw.git
cd openclaw

# Create persistent volume
docker volume create openclaw_data

# Start OpenClaw
docker run -d \
  --name openclaw \
  -p 8080:8080 \
  -v openclaw_data:/data \
  --restart unless-stopped \
  openclaw/openclaw:latest

Step 5

Configure HTTPS with Caddy

Set up Caddy as a reverse proxy to handle HTTPS termination. Caddy automatically obtains and renews Let's Encrypt certificates.

# Install Caddy
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

# Configure Caddyfile
sudo tee /etc/caddy/Caddyfile > /dev/null <<EOF
openclaw.example.com {
    reverse_proxy localhost:8080
}
EOF

# Restart Caddy
sudo systemctl restart caddy

Warning: Replace openclaw.example.com with your actual domain. Ensure DNS points to your EC2 instance's public IP before running Caddy.
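Caddy reaches OpenClaw at localhost:8080, yet `-p 8080:8080` in Step 4 publishes that port on every host interface, so only the security group keeps plain-HTTP port 8080 off the internet. The added example below (not part of the original guide) lists published ports that are bound beyond loopback in `docker inspect` output; both sample documents and the function name are constructed for the example.

```python
import ipaddress
import json

# Constructed samples shaped like the output of `docker inspect openclaw`.
# The first matches `-p 8080:8080` from Step 4; the second matches a
# loopback-only publish (`-p 127.0.0.1:8080:8080`), shown for comparison.
AS_IN_GUIDE = json.loads("""
[{"Name": "/openclaw", "NetworkSettings": {"Ports": {
   "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                {"HostIp": "::", "HostPort": "8080"}]}}}]
""")
LOOPBACK_ONLY = json.loads("""
[{"Name": "/openclaw", "NetworkSettings": {"Ports": {
   "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}],
   "9090/tcp": null}}}]
""")


def non_loopback_binds(inspect_doc):
    """List (container, container_port, host_ip, host_port) published beyond loopback."""
    found = []
    for container in inspect_doc:
        ports = container.get("NetworkSettings", {}).get("Ports") or {}
        for container_port, bindings in ports.items():
            # A null value means the port is exposed by the image but not published.
            for bind in bindings or []:
                # An empty HostIp means "all interfaces", the same as 0.0.0.0.
                host_ip = bind.get("HostIp") or "0.0.0.0"
                if not ipaddress.ip_address(host_ip).is_loopback:
                    found.append((container["Name"].lstrip("/"), container_port,
                                  host_ip, int(bind["HostPort"])))
    return sorted(found)
```

An empty result means the application port is reachable only through the reverse proxy on the same host, whatever the security group allows.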

Step 6

Set Up Monitoring

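Enable CloudWatch monitoring for CPU, memory, and disk usage. EC2 publishes CPU metrics by default; memory and disk usage metrics require the CloudWatch agent running on the instance. Set up alarms to notify you of resource exhaustion or downtime.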

# Enable detailed monitoring
aws ec2 monitor-instances --instance-ids i-0123456789abcdef0

# Create CloudWatch alarm for high CPU
aws cloudwatch put-metric-alarm \
  --alarm-name openclaw-high-cpu \
  --alarm-description "Alert if CPU exceeds 80%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --statistic Average \
  --period 300 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --dimensions Name=InstanceId,Value=i-0123456789abcdef0 \
  --evaluation-periods 2 \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:my-sns-topic


Frequently Asked Questions