How to Deploy OpenClaw on AWS Lightsail: Simplified AWS Guide

AWS is the default choice for infrastructure, but EC2 scares people — and rightfully so. The pricing is unpredictable, the console has hundreds of services, and a misconfigured security group can cost you money you did not budget for. Lightsail is Amazon's answer to this: simplified cloud instances with flat monthly pricing, bundled networking, and a clean management console.

For OpenClaw, Lightsail is the right AWS path. You get AWS reliability and global infrastructure without the operational overhead of managing VPCs, IAM policies, and EBS volumes separately.

Why Choose AWS Lightsail for OpenClaw?

• Predictable pricing: Flat monthly rate. No surprise bandwidth charges, no per-GB storage fees on top. What you see is what you pay.
• AWS infrastructure: Lightsail runs on the same AWS infrastructure as EC2. Same reliability, same global regions, same network backbone.
• Simplified management: One console for instance, firewall, networking, DNS, and snapshots. No jumping between 12 AWS services.
• Free static IPs: Static IPs are free when attached to a running instance. Essential for webhook mode stability.
• Browser SSH: Connect to your instance directly from the Lightsail console — no SSH client needed for quick checks.
• Free trial: The $5/mo plan is free for the first 3 months on new AWS accounts.

Should You Use Lightsail or EC2 for OpenClaw?

Use Lightsail unless you have a specific reason to use EC2. Here is the comparison:

• Lightsail: Fixed monthly price, bundled storage and transfer, simple firewall, snapshots included, browser SSH. Perfect for a single OpenClaw agent.
• EC2: Pay-per-hour, separate charges for EBS, data transfer, elastic IPs (when unattached), security groups require VPC knowledge. Use only if you need auto-scaling groups or need to integrate with other AWS services directly.

For running one or two OpenClaw agents, Lightsail is the correct choice every time.

What Do You Need Before Starting?

• AWS account: Sign up at aws.amazon.com/lightsail. Credit card required for billing even with the free trial.
• SSH key pair: You can generate one in the Lightsail console, or upload your existing public key: ssh-keygen -t ed25519 -C "openclaw-lightsail"
• AI provider API key: Anthropic or OpenAI with billing enabled
• Telegram bot token: From @BotFather
• Your Telegram user ID: From @userinfobot

How Do You Create a Lightsail Instance for OpenClaw?

1. Go to the Lightsail console
2. Click Create instance
3. Select your region — US East (Virginia) for lowest latency to Anthropic and OpenAI APIs
4. Choose Linux/Unix platform
5. Select OS Only > Ubuntu 22.04 LTS
6. Under SSH key pair, either use the default Lightsail key or upload your own (recommended)
7. Choose your plan:
   • $5/mo: 1 vCPU, 1GB RAM, 40GB SSD, 2TB transfer — minimum for OpenClaw
   • $10/mo: 1 vCPU, 2GB RAM, 60GB SSD, 3TB transfer — recommended for production
8. Name your instance (e.g., "openclaw-prod")
9. Click Create instance

The instance launches in about 60 seconds. You will see it in the Lightsail dashboard immediately.

Immediately after creation: Go to Networking and create a Static IP. Attach it to your instance. This prevents the public IP from changing when you stop/start the instance.

How Do You Connect and Set Up the Server?

You can connect via the browser-based SSH in the Lightsail console (click the terminal icon on your instance), or use your local terminal:

ssh -i ~/.ssh/your-lightsail-key ubuntu@YOUR_STATIC_IP

Note: Lightsail Ubuntu instances use ubuntu as the default user, not root. The ubuntu user has sudo access.

# Update the system
sudo apt update && sudo apt upgrade -y

# Create a dedicated OpenClaw user
sudo adduser openclaw
sudo usermod -aG sudo openclaw

# Copy SSH keys to the new user
sudo mkdir -p /home/openclaw/.ssh
sudo cp ~/.ssh/authorized_keys /home/openclaw/.ssh/
sudo chown -R openclaw:openclaw /home/openclaw/.ssh
sudo chmod 700 /home/openclaw/.ssh
sudo chmod 600 /home/openclaw/.ssh/authorized_keys

# Switch to the new user
sudo su - openclaw

Verify SSH access: ssh -i ~/.ssh/your-lightsail-key openclaw@YOUR_STATIC_IP

How Do You Install Node.js on Lightsail?

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
node --version
npm --version

How Do You Install OpenClaw on Lightsail?

npm install -g openclaw
openclaw --version
openclaw onboard

The onboarding wizard handles AI provider selection, API key entry, Telegram bot setup, and access restriction. After onboarding:

openclaw status
openclaw channels status

How Do You Run OpenClaw 24/7 on Lightsail?

sudo nano /etc/systemd/system/openclaw.service

[Unit]
Description=OpenClaw AI Agent
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw
ExecStart=/usr/bin/openclaw
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw

How Do You Configure Lightsail Networking for OpenClaw?

Lightsail has a built-in firewall per instance, managed from the console.

1. In the Lightsail console, click your instance
2. Go to the Networking tab
3. Under IPv4 Firewall, you will see SSH (22) already allowed by default
4. If using webhook mode, click Add rule: HTTPS (443)
5. Remove any rules you do not need (Lightsail adds HTTP 80 by default — remove it unless you specifically need it)

Also configure the IPv6 firewall if IPv6 is enabled — same rules apply.

Add UFW on the host as well:

sudo ufw allow ssh
sudo ufw allow 443/tcp
sudo ufw enable

How Do You Harden OpenClaw on Lightsail?

Disable password authentication:

sudo nano /etc/ssh/sshd_config

PasswordAuthentication no

Note: On Lightsail, root login is already disabled by default — the ubuntu user uses sudo. Just make sure password auth is off.

sudo systemctl restart sshd

Install fail2ban:

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Enable automatic security updates:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Keep OpenClaw updated:

npm update -g openclaw
sudo systemctl restart openclaw

For the complete security workflow, see the OpenClaw Security Hardening Checklist.

What Does It Cost to Run OpenClaw on AWS Lightsail?

• Lightsail $10/mo plan: 1 vCPU, 2GB RAM, 60GB SSD, 3TB transfer (recommended)
• Static IP: Free when attached to running instance
• Automatic snapshots: $1.00/mo (optional — see backup section)
• Anthropic API (Claude Sonnet): $5-30/mo depending on usage
• Domain (optional): ~$10-15/year (Lightsail includes DNS management)

Total for production OpenClaw on Lightsail: $15-40/mo

The $5/mo plan is free for 3 months on new AWS accounts, making Lightsail the cheapest way to test OpenClaw in a real production environment before committing to a provider.

How Do You Back Up OpenClaw on Lightsail?

Automatic snapshots:

Enable automatic snapshots in the instance settings. Lightsail takes daily snapshots and retains the 7 most recent. Cost is $1.00/mo for the $5 plan, $1.50/mo for the $10 plan (based on storage size).

Manual snapshots:

Create manual snapshots before any major update from the Snapshots tab. These persist until you delete them. Cost is $0.05/GB/mo.

Application-level backups:

mkdir -p ~/backups

crontab -e
# Add:
0 2 * * * tar -czvf /home/openclaw/backups/openclaw-$(date +\%Y\%m\%d).tar.gz /home/openclaw/.openclaw
0 3 * * * find /home/openclaw/backups -name "openclaw-*.tar.gz" -mtime +30 -delete

How Do You Upgrade a Lightsail OpenClaw Instance?

Lightsail does not support in-place resizing. To upgrade:

1. Create a snapshot of your current instance
2. Click Create new instance from the snapshot
3. Choose a larger plan size
4. Detach the static IP from the old instance
5. Attach the static IP to the new instance
6. Verify OpenClaw is running: sudo systemctl status openclaw
7. Delete the old instance once confirmed

The entire process takes 5-10 minutes and your OpenClaw configuration, memory, and systemd service carry over intact.

What Does a Production-Ready Lightsail Deployment Look Like?

• $10/mo or higher plan with Ubuntu 22.04 LTS
• Static IP attached to the instance
• Dedicated non-root user running the OpenClaw process
• systemd service with Restart=always and RestartSec=10
• Lightsail firewall with only SSH and HTTPS (if webhooks) allowed
• Default HTTP rule removed
• UFW enabled as host-level firewall
• fail2ban active on SSH
• Password auth disabled
• Telegram bot restricted to your user ID
• Automatic snapshots enabled
• Daily cron backup of ~/.openclaw

Don't want to do this yourself? Remote OpenClaw handles the entire deployment — server setup, OpenClaw installation, Telegram or WhatsApp connection, and hardening baseline — so you skip straight to using your agent. See the plans and book a call.