Deploy openclaw.ai on AWS EC2

Intermediate ⏱ 35 minutes 📅 Updated Feb 2026

Deploy on Amazon's industry-leading cloud with EC2. Free tier eligible for new accounts!

🆓

AWS Free Tier

New AWS accounts get 750 hours/month of t2.micro or t3.micro instances free for 12 months — enough to run openclaw.ai 24/7 at no cost.

📋 Prerequisites

1

Launch an EC2 Instance

Open the EC2 Console and launch a new instance:

  1. Click Launch Instance
  2. Name your instance (e.g., openclaw-server)
  3. Under Application and OS Images, select Ubuntu Server 22.04 LTS (64-bit x86)
  4. Under Instance type, choose t3.micro (free tier eligible, 1 GB RAM) or t3.small (2 GB RAM) for better performance
  5. Under Key pair, select an existing key or click Create new key pair — download and save the .pem file securely
  6. Under Network settings, allow SSH traffic from My IP
  7. Set Storage to at least 20 GiB gp3
  8. Click Launch Instance
ℹī¸

Key Pair Security

Store your .pem file in a safe location and set its permissions with chmod 400 your-key.pem. You'll need this file every time you SSH into the instance.

2

Connect via SSH

Once the instance state shows Running, connect using your key pair:

bash
# Set key permissions (first time only)
chmod 400 your-key.pem

# Connect to your EC2 instance
# Ubuntu AMIs use 'ubuntu' as the default user
ssh -i your-key.pem ubuntu@your-ec2-public-ip

You can find the public IP in the EC2 Console under Instance Details → Public IPv4 address.

3

System Update & Dependencies

Update the package index and upgrade all installed packages:

bash
sudo apt update && sudo apt upgrade -y
4

Install Node.js 22

openclaw.ai requires Node.js 22 or higher. Install it from the official NodeSource repository:

bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
node --version  # Should show v22.x.x
5

Install openclaw.ai

Run the official one-line installer:

bash
curl -fsSL https://openclaw.ai/install.sh | bash
6

Run Onboarding

Launch the interactive onboarding wizard. The --install-daemon flag automatically configures openclaw.ai to run as a background service:

bash
openclaw onboard --install-daemon

The wizard will walk you through:

  • Authentication setup (API keys for your LLM provider)
  • Gateway configuration (port, allowed origins)
  • Optional channel setup (Slack, Discord, etc.)
7

Verify Installation

Confirm everything is running correctly:

bash
# Check system configuration
openclaw doctor

# Verify the gateway is healthy
openclaw health

# Open the web dashboard
openclaw dashboard
# Dashboard available at http://your-ec2-public-ip:18789
8

Configure Security Group

AWS Security Groups act as virtual firewalls. Add an inbound rule to allow access to the openclaw.ai dashboard:

  1. In the EC2 Console, select your instance
  2. Click the Security tab → click the Security Group link
  3. Click Edit inbound rules → Add rule
  4. Configure the new rule:
text
Type             Protocol   Port Range   Source
Custom TCP       TCP        18789        My IP
  1. Click Save rules
⚠ī¸

Security Warning

Always set Source to My IP instead of Anywhere (0.0.0.0/0). This restricts dashboard access to your current IP address only.

9

Keep Running with systemd

The --install-daemon flag from Step 6 already set up a systemd user service. To check its status:

bash
# Check gateway status via openclaw CLI
openclaw gateway status

# Or check directly via systemd
systemctl --user status openclaw-gateway

# View live logs
journalctl --user -u openclaw-gateway -f

The service will automatically restart on failure and start on boot.

💡

Elastic IP

EC2 public IPs change on instance restart. Allocate an Elastic IP in the EC2 Console and associate it with your instance for a permanent address.

🔧 Troubleshooting

Ensure you're using the correct key file and username. Ubuntu AMIs use ubuntu, not root:

bash
# Correct command for Ubuntu AMI
ssh -i your-key.pem ubuntu@your-ec2-ip

# Ensure key permissions are correct
chmod 400 your-key.pem

Check all three layers: the gateway process, the OS firewall, and the AWS Security Group:

bash
# Is the gateway listening?
ss -tlnp | grep 18789

# Check OS-level firewall
sudo ufw status

# Verify Security Group from the CLI
aws ec2 describe-security-groups \
  --group-ids sg-your-group-id \
  --query "SecurityGroups[*].IpPermissions"

EC2 instances lose their public IP when stopped and restarted. To get a static IP:

  1. Go to EC2 Console → Elastic IPs → Allocate Elastic IP address
  2. Select the new IP → Actions → Associate Elastic IP address
  3. Choose your instance and confirm

Elastic IPs are free while associated with a running instance.