Deploy OpenClaw on AWS

Enterprise-grade deployment on EC2 or ECS/Fargate

Choose Your AWS Deployment Method

EC2 (Recommended)

Full control • Easy setup • Best for most use cases

Lambda

Serverless • Pay per use • Event-driven workloads

ECS/Fargate

Containerized • Auto-scaling • Production-ready

Deploy on AWS EC2

1. Launch EC2 Instance

Create a new EC2 instance:

  • AMI: Ubuntu Server 22.04 LTS
  • Instance Type: t3.micro (free tier) or t3.small
  • Storage: 20GB gp3
  • Security Group: Allow SSH (22). (Recommended: keep the Gateway private and access it via SSH tunnel or Tailscale.)

2. Connect to EC2 Instance

SSH into your instance:

chmod 400 your-key.pem
ssh -i your-key.pem ubuntu@YOUR_EC2_PUBLIC_IP

3. Install Dependencies

Update system and install Node.js:

sudo apt update && sudo apt upgrade -y
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
node --version

4. Install and Configure OpenClaw

Install OpenClaw and run the setup wizard:

npm install -g openclaw@latest
openclaw onboard --install-daemon
openclaw gateway status

AWS Lambda (Not Recommended)

OpenClaw’s Gateway is a long-running process with persistent state (credentials, sessions, config). AWS Lambda is request-based and not a good fit for running the Gateway. Prefer EC2 or ECS/Fargate (container).

Deploy on AWS ECS/Fargate

Create Dockerfile

FROM node:22-alpine

WORKDIR /app

RUN npm install -g openclaw@latest

# Persist this via EFS/EBS (mount to /data in ECS)
ENV OPENCLAW_STATE_DIR=/data/.openclaw

# Required for non-loopback binds: set OPENCLAW_GATEWAY_TOKEN via ECS env/secrets
EXPOSE 3000

# ECS/LB health checks typically expect a non-loopback bind + stable port
CMD ["openclaw", "gateway", "run", "--bind", "lan", "--port", "3000", "--auth", "token", "--allow-unconfigured"]

Build and Push to ECR

# Build Docker image
docker build -t openclaw .

# Tag and push to ECR
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin YOUR_ACCOUNT.dkr.ecr.us-east-1.amazonaws.com
docker tag openclaw:latest YOUR_ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/openclaw:latest
docker push YOUR_ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/openclaw:latest

Create ECS Task Definition

Use AWS Console or CLI to create an ECS task definition with:

  • Launch Type: Fargate
  • CPU: 0.5 vCPU (start here; scale as needed)
  • Memory: 2 GB (recommended)
  • Container Image: Your ECR image URI

AWS Security Best Practices

Use IAM Roles

Assign IAM roles to EC2 instances or ECS tasks instead of using access keys. A role supplies temporary credentials that rotate automatically, so no long-lived access key has to be stored on the instance or baked into the image.

Store Secrets in AWS Secrets Manager

Store API keys and tokens in Secrets Manager rather than in the image, the task definition, or plain environment files:

aws secretsmanager create-secret \
  --name openclaw/bot-token \
  --secret-string "YOUR_BOT_TOKEN"

Enable CloudWatch Logging

Monitor your application with CloudWatch:

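# Install CloudWatch agent on EC2 (Ubuntu: not in the default apt repositories,
# so download the .deb that AWS publishes)
wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb
# Configure log groups and metrics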

Use VPC and Security Groups

Deploy in a private subnet with a NAT gateway for outbound traffic. Restrict inbound access using security groups.

AWS security groups flow diagram
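
The task definition settings and the IAM role, Secrets Manager and CloudWatch recommendations above can be checked before a task definition is registered. The following is an added example, not code from this page or from the OpenClaw project: it audits a task definition for a plaintext gateway token, missing roles and missing CloudWatch logging. The account ID, role names, secret ARN, log group and the list of sensitive name suffixes are constructed assumptions.

```python
"""Audit an ECS task definition for secret, IAM role and logging settings."""
import copy

ACCOUNT = "111122223333"  # constructed placeholder account ID
SENSITIVE = ("TOKEN", "SECRET", "PASSWORD", "API_KEY")  # assumed naming convention

# Constructed hardened definition using the page's sizing (0.5 vCPU, 2 GB).
HARDENED = {
    "family": "openclaw",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "512",
    "memory": "2048",
    # Execution role pulls the image and reads the secret; task role is the app's own.
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/openclaw-exec",
    "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/openclaw-task",
    "containerDefinitions": [{
        "name": "gateway",
        "image": f"{ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/openclaw:latest",
        "portMappings": [{"containerPort": 3000}],
        "secrets": [{"name": "OPENCLAW_GATEWAY_TOKEN", "valueFrom":
                     f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:openclaw/gateway-token-AbCdEf"}],
        "logConfiguration": {"logDriver": "awslogs", "options": {
            "awslogs-group": "/ecs/openclaw", "awslogs-region": "us-east-1",
            "awslogs-stream-prefix": "gateway"}},
    }],
}

# Weak variant: token pasted into plaintext environment, no roles, no logging.
WEAK = copy.deepcopy(HARDENED)
del WEAK["executionRoleArn"], WEAK["taskRoleArn"]
_c = WEAK["containerDefinitions"][0]
del _c["secrets"], _c["logConfiguration"]
_c["environment"] = [{"name": "OPENCLAW_GATEWAY_TOKEN", "value": "example-not-a-real-token"}]

def audit(td):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    if not td.get("taskRoleArn"):
        out.append("task: no taskRoleArn (IAM role for the application)")
    for c in td.get("containerDefinitions", []):
        for e in c.get("environment", []):
            if e["name"].upper().endswith(SENSITIVE):
                out.append(f"{c['name']}: {e['name']} is plaintext in environment; use secrets")
        if c.get("secrets") and not td.get("executionRoleArn"):
            out.append(f"{c['name']}: secrets need executionRoleArn to be fetched")
        if c.get("logConfiguration", {}).get("logDriver") != "awslogs":
            out.append(f"{c['name']}: no awslogs logConfiguration")
    return out

if __name__ == "__main__":
    for label, td in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(td) or "OK")
```

Values placed in a container's environment list are visible to anyone who can describe the task definition, while entries under secrets are resolved at task start by the execution role.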

Cost Optimization Tips

Use Spot Instances

Save up to 90% by using EC2 Spot Instances for non-critical workloads. Configure auto-scaling to handle interruptions.

Right-Size Your Instances

Start with t3.micro and monitor usage. Use AWS Compute Optimizer recommendations to adjust instance types.

Use Reserved Instances

Commit to 1 or 3 years for up to 72% savings on predictable workloads. Consider Savings Plans for flexibility.

Enable Auto-Scaling

Scale down during low-traffic periods. Set up CloudWatch alarms to trigger scaling based on CPU or memory usage.

Next Steps

Your OpenClaw instance is now running on AWS with enterprise-grade reliability.