Self-Host OpenClaw on AWS EC2

Deploy OpenClaw AI coding agent on AWS EC2 with Docker. Covers instance selection, security groups, IAM best practices, EBS persistence, and secure access via SSH tunnel or SSM Session Manager.

Difficulty: intermediate | Time: ~30 min | Cost: ~$10-25/mo

AWS EC2 gives you granular control over compute, networking, and storage for running OpenClaw Gateway. This guide covers launching an Ubuntu EC2 instance, configuring security groups for zero-trust access, installing Docker, and connecting securely via SSH tunnel or AWS Systems Manager.

Quick path

For experienced AWS users:

  1. Launch Ubuntu 24.04 LTS AMI on a t3.small in your preferred region
  2. Security group: allow SSH (port 22) from your IP only, no other inbound rules
  3. SSH in, run curl -fsSL https://get.docker.com | sh
  4. Create directories and .env: mkdir -p ~/.openclaw/workspace
  5. Create docker-compose.yml with 127.0.0.1:18789 binding and volume mounts
  6. Run docker compose up -d
  7. SSH tunnel: ssh -i key.pem -N -L 18789:127.0.0.1:18789 ubuntu@EC2_IP
  8. Open http://127.0.0.1:18789/

Prerequisites

Step 1 — Launch an EC2 Instance

Choose an instance type

| Instance | vCPU | RAM | Monthly cost (us-east-1) | Notes |
| --- | --- | --- | --- | --- |
| t3.small | 2 | 2 GB | ~$15 | Minimum viable, add swap |
| t3.medium | 2 | 4 GB | ~$30 | Recommended for daily use |
| t3a.medium | 2 | 4 GB | ~$27 | AMD variant, slightly cheaper |

Costs are approximate for on-demand pricing in us-east-1. Reserved instances or Savings Plans can reduce costs by 30-60%.

Launch via the AWS Console

  1. Go to EC2 > Launch Instance
  2. Name: openclaw-gateway
  3. AMI: Ubuntu 24.04 LTS (search "ubuntu 24.04" in the AMI catalog)
  4. Instance type: t3.small or t3.medium
  5. Key pair: Select your existing key pair or create a new one
  6. Network settings: Create a new security group (details below)
  7. Storage: 20 GB gp3 EBS volume (default is fine; increase if you work with large codebases)
  8. Click Launch Instance

Launch via AWS CLI

aws ec2 run-instances \
  --image-id ami-0c7217cdde317cfec \
  --instance-type t3.small \
  --key-name your-key-pair \
  --security-group-ids sg-xxxxxxxxx \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":20,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=openclaw-gateway}]' \
  --count 1

Replace ami-0c7217cdde317cfec with the current Ubuntu 24.04 AMI ID for your region.

Step 2 — Configure the Security Group

Create a security group that allows only SSH from your IP address:

# Create the security group
SG_ID=$(aws ec2 create-security-group \
  --group-name openclaw-gateway-sg \
  --description "OpenClaw Gateway - SSH only" \
  --query 'GroupId' --output text)

# Allow SSH from your current IP
MY_IP=$(curl -s https://checkip.amazonaws.com)
aws ec2 authorize-security-group-ingress \
  --group-id $SG_ID \
  --protocol tcp \
  --port 22 \
  --cidr "${MY_IP}/32"

Do not open port 18789 in the security group. OpenClaw is accessed through an SSH tunnel or SSM, never directly over the internet.
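A defender's check for this step, added here as an example (it is not part of the original guide): it audits a security group's ingress rules against the rule above, flagging anything beyond SSH from a single /32 and, in particular, any rule that exposes the gateway port. The group IDs and addresses in the samples are constructed.

```python
"""Audit an EC2 security group against Step 2: inbound is at most SSH (tcp/22)
from one /32, nothing else, and never the gateway port 18789.

Added example, not part of the original guide. Input is the JSON shape that
`aws ec2 describe-security-groups` returns; group IDs and IPs below are constructed.
Live use: aws ec2 describe-security-groups --group-ids "$SG_ID" | python3 audit_sg.py
"""
import json
import sys

GATEWAY_PORT, SSH_PORT = 18789, 22


def audit_ingress(group: dict) -> list[str]:
    """Return findings for one group; an empty list means it matches the guide."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        where = f"{proto}/{lo}-{hi}"
        if proto == "-1":  # "all traffic" rule has no port fields
            findings.append(f"{where}: all-protocol rule, only tcp/22 is expected")
        elif not (proto == "tcp" and lo == SSH_PORT and hi == SSH_PORT):
            hit = lo is not None and lo <= GATEWAY_PORT <= hi
            findings.append(f"{where}: " + ("gateway port exposed, use a tunnel instead"
                                            if hit else "unexpected inbound port range"))
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            single_host = cidr.endswith("/128" if ":" in cidr else "/32")
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{where}: open to the world ({cidr})")
            elif not single_host:
                findings.append(f"{where}: source {cidr} is wider than a single host")
    return findings


# Constructed samples: the group Step 2 creates, and one that drifted (SSH from a
# whole /24, gateway port published to the world).
GUIDE_GROUP = {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]}
DRIFTED_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 18789, "ToPort": 18789, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    groups = json.load(sys.stdin)["SecurityGroups"] if not sys.stdin.isatty() else [DRIFTED_GROUP]
    for g in groups:
        findings = audit_ingress(g)
        print(g["GroupId"], "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it after any change to the group, or from a scheduled job, so a rule added "temporarily" for direct access does not quietly outlive the debugging session.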

If using SSM Session Manager (no SSH needed)

You can remove the SSH rule entirely and use SSM for all access. This requires:

  1. An IAM instance profile with the AmazonSSMManagedInstanceCore policy attached
  2. The SSM agent installed on the instance (included by default in Ubuntu 24.04 AMIs)

Step 3 — Connect and Set Up the Server

SSH into the instance:

ssh -i ~/.ssh/your-key.pem ubuntu@EC2_PUBLIC_IP

Update packages:

sudo apt update && sudo apt upgrade -y

Add swap space (recommended for t3.small)

sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
sudo sysctl vm.swappiness=10
echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf

Step 4 — Install Docker

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker ubuntu

Log out and back in for the group change to take effect, then verify:

docker --version
docker compose version

Step 5 — Configure OpenClaw

Create the directory structure:

mkdir -p ~/.openclaw/workspace

Generate secrets:

export GOG_KEYRING_PASSWORD=$(openssl rand -hex 32)
export OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 32)
echo "GOG_KEYRING_PASSWORD=$GOG_KEYRING_PASSWORD"
echo "OPENCLAW_GATEWAY_TOKEN=$OPENCLAW_GATEWAY_TOKEN"

Save these values securely. Consider storing them in AWS Secrets Manager for production use.

Create the environment file:

cat > ~/.openclaw/.env << 'EOF'
OPENCLAW_GATEWAY_TOKEN=your_token_here
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789
GOG_KEYRING_PASSWORD=your_keyring_password_here
EOF
chmod 600 ~/.openclaw/.env

Replace the placeholder values with the secrets you generated.

Step 6 — Write the Docker Compose File

# ~/.openclaw/docker-compose.yml
services:
  openclaw-gateway:
    image: ghcr.io/openclaw/gateway:latest
    container_name: openclaw-gateway
    restart: unless-stopped
    env_file:
      - .env
    ports:
      - "127.0.0.1:18789:18789"
    volumes:
      - ./:/home/openclaw/.openclaw
      - ./workspace:/home/openclaw/workspace
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

The logging configuration prevents Docker logs from filling your EBS volume over time.

Step 7 — Start OpenClaw

cd ~/.openclaw
docker compose up -d
docker compose ps
docker compose logs --tail 30

Confirm the gateway is listening on port 18789.
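One way to verify that listener from the host, added as an example that is not part of the original guide: it parses `ss -ltnH` output and reports any non-loopback binding of 18789, which is what a compose `ports` entry without the `127.0.0.1:` prefix would produce. The socket listings in the samples are constructed.

```python
"""Confirm the gateway port is bound to loopback only, as the compose mapping
"127.0.0.1:18789:18789" intends; a bare "18789:18789" would bind 0.0.0.0 and [::].

Added example, not part of the original guide. Parses headerless `ss -ltnH`
output (State Recv-Q Send-Q Local:Port Peer:Port). Live use on the instance:
  ss -ltnH | python3 check_listener.py
"""
import sys

GATEWAY_PORT = 18789
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (local_address, port) for each LISTEN line; a trailing process column is ignored."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # "[::]:22" -> ("[::]", ":", "22")
        listeners.append((addr, int(port)))
    return listeners


def exposed_bindings(ss_output: str, port: int = GATEWAY_PORT) -> list[str]:
    """Local addresses on which `port` listens that are not loopback (empty list is good)."""
    return [addr for addr, p in parse_listeners(ss_output) if p == port and addr not in LOOPBACK]


# Constructed samples: the expected state after Step 7, and the state a compose
# file without the 127.0.0.1 prefix would produce.
EXPECTED = """LISTEN 0 4096 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*
"""
EXPOSED = """LISTEN 0 4096 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 4096 [::]:18789 [::]:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    output = sys.stdin.read() if not sys.stdin.isatty() else EXPOSED
    if not any(p == GATEWAY_PORT for _, p in parse_listeners(output)):
        sys.exit(f"nothing is listening on {GATEWAY_PORT}: check docker compose logs")
    bad = exposed_bindings(output)
    if bad:
        sys.exit(f"port {GATEWAY_PORT} reachable on {', '.join(bad)}: fix the compose ports mapping")
    print(f"port {GATEWAY_PORT} is loopback-only")
```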

Step 8 — Secure Remote Access

Option A: SSH Tunnel

On your local machine:

ssh -i ~/.ssh/your-key.pem -N -L 18789:127.0.0.1:18789 ubuntu@EC2_PUBLIC_IP

Access at http://127.0.0.1:18789/.

Option B: SSM Session Manager Port Forwarding

If you configured SSM, you can forward the port without SSH:

aws ssm start-session \
  --target i-xxxxxxxxxxxxxxxxx \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["18789"],"localPortNumber":["18789"]}'

This is the most secure option — it does not require any inbound ports open in the security group, and access is controlled entirely through IAM policies.

IAM Best Practices

Instance profile

Create a minimal IAM role for the EC2 instance. If OpenClaw only needs to run code locally, the instance profile needs no AWS permissions at all. Only add SSM permissions if you want SSM access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}

Access control for SSM

Restrict who can start SSM sessions to the OpenClaw instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT:instance/i-xxxxxxxxxxxxxxxxx"
    }
  ]
}

EBS Volume for Persistence

The root EBS volume persists across instance stops and starts. For additional safety:

Automated snapshots

Enable EBS snapshots via AWS Backup or a simple cron:

# Create a daily snapshot script (schedule it with cron once it works by hand).
# The instance role needs ec2:DescribeInstances and ec2:CreateSnapshot for this.
cat > /home/ubuntu/snapshot.sh << 'SCRIPT'
#!/bin/bash
set -euo pipefail
# Instance ID from the metadata service (ec2metadata ships with Ubuntu's cloud-utils)
INSTANCE_ID=$(ec2metadata --instance-id)
# Root volume: the first block device mapping on this instance
VOLUME_ID=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
  --query 'Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId' \
  --output text)
aws ec2 create-snapshot --volume-id "$VOLUME_ID" \
  --description "openclaw-daily-$(date +%Y%m%d)"
SCRIPT
chmod +x /home/ubuntu/snapshot.sh

Separate data volume (optional)

For larger workspaces, attach a dedicated EBS volume:

# After attaching a new EBS volume in the console
sudo mkfs.ext4 /dev/xvdf
sudo mkdir /data
sudo mount /dev/xvdf /data
echo '/dev/xvdf /data ext4 defaults,nofail 0 2' | sudo tee -a /etc/fstab

Then point OpenClaw's workspace to /data/workspace.

Cost Breakdown

| Component | t3.small | t3.medium |
| --- | --- | --- |
| EC2 on-demand | $15.18/mo | $30.37/mo |
| EBS (20 GB gp3) | $1.60/mo | $1.60/mo |
| Data transfer | ~$0.50/mo | ~$0.50/mo |
| Total | ~$17/mo | ~$32/mo |

To reduce costs:

Security Best Practices

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Troubleshooting

Instance runs out of CPU credits (t3 burstable)

If top shows high CPU and the instance becomes unresponsive, you may have exhausted your CPU credit balance. Check in CloudWatch under CPUCreditBalance. Solutions:

Docker daemon won't start

sudo systemctl status docker
sudo journalctl -u docker -e --no-pager

Common cause: insufficient disk space. Check with df -h.

SSM agent not connecting

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent
sudo snap restart amazon-ssm-agent

Verify the instance has an IAM role with SSM permissions and can reach the SSM endpoints (requires internet access or VPC endpoints).

Cannot connect after instance restart

The public IP changes on stop/start unless you have an Elastic IP. Use aws ec2 describe-instances to get the new IP, or switch to SSM which uses the instance ID instead of IP.

Next Steps

Frequently Asked Questions

What EC2 instance type should I use for OpenClaw?

A t3.small (2 vCPU, 2 GB RAM) is the minimum viable option at about $15/month. For comfortable headroom, use a t3.medium (2 vCPU, 4 GB RAM) at about $30/month. Both support burstable CPU which suits OpenClaw's intermittent workload pattern.

Can I use the AWS Free Tier for OpenClaw?

The t2.micro (1 vCPU, 1 GB RAM) included in the free tier is too constrained for reliable OpenClaw operation. You can try it with swap, but expect OOM issues under load. A t3.small is the practical minimum.

How do I access OpenClaw without opening ports to the internet?

Two options: SSH tunnel (ssh -N -L) or AWS Systems Manager Session Manager with port forwarding. SSM is the more AWS-native approach and does not require opening port 22 in your security group.

Will my workspace data survive if the instance stops?

Yes, as long as you store workspace data on an EBS volume. EBS volumes persist independently of instance state. Data on instance store volumes is lost when the instance stops — avoid those.

Can I use Fargate or ECS instead of a raw EC2 instance?

OpenClaw Gateway needs persistent filesystem access and long-running SSH-like sessions, which make it a poor fit for Fargate's ephemeral containers. EC2 with Docker gives you the control and persistence OpenClaw requires.
