How to Run OpenClaw on AWS Lightsail — Amazon's Simple VPS
AWS Lightsail starts at $5/mo. Already using AWS? Here's how to run OpenClaw without spinning up full EC2 instances.
If you're already in the AWS ecosystem — maybe you're running a SaaS product, a side project, or your company uses AWS for everything — spinning up a dedicated EC2 instance just to host a few Telegram bots feels like overkill. You don't need auto-scaling groups, load balancers, and a PhD in IAM policies to run OpenClaw.
That's where Lightsail comes in. It's Amazon's "just give me a damn VPS" product. Predictable pricing, a simple dashboard, and enough power to run OpenClaw without touching the AWS console's more terrifying corners.
Here's the full walkthrough: from creating a Lightsail instance to having OpenClaw running with SSL, a reverse proxy, and PM2 keeping everything alive. About 20 minutes of actual work.
Why Lightsail Instead of EC2
Let's get this out of the way first because the question always comes up.
EC2 is AWS's full virtual machine product. It's incredibly powerful and incredibly complex. You configure instance types, EBS volumes, security groups, VPCs, elastic IPs, and about forty other things before your server does anything useful. The billing is hourly (or per-second), and if you forget to shut something down, you get a surprise bill.
Lightsail is the simplified version. You pick a plan, you get a box with a fixed monthly price that includes compute, storage, a static IP, and a chunk of data transfer. No surprises. No Byzantine pricing calculator.
For OpenClaw — which is a self-hosted platform for deploying and managing Telegram bots with AI integrations — Lightsail is the right call unless you're running dozens of bots with heavy traffic. It's a lightweight application that doesn't need enterprise infrastructure.
The tradeoff: Lightsail instances cap out at 8 vCPUs and 32GB RAM. If you outgrow that, you migrate to EC2. But you're not going to outgrow that for a long time.
Lightsail Pricing: What You're Actually Paying
One of the best things about Lightsail is that the pricing page doesn't require a spreadsheet to understand. Here's what's available for Linux instances as of late 2026:
| Plan | vCPU | RAM | SSD | Bandwidth | Price/Month |
|---|---|---|---|---|---|
| Nano | 2 | 1 GB | 20 GB | 1 TB | $5 |
| Micro | 2 | 1 GB | 40 GB | 2 TB | $10 |
| Small | 1 | 2 GB | 60 GB | 3 TB | $20 |
| Medium | 2 | 4 GB | 80 GB | 4 TB | $40 |
| Large | 2 | 8 GB | 160 GB | 5 TB | $80 |
| XL | 4 | 16 GB | 320 GB | 6 TB | $160 |
| 2XL | 8 | 32 GB | 640 GB | 7 TB | $320 |
Each plan includes a static IP (free when attached to an instance) and the listed data transfer. Go over the bandwidth cap and you'll pay $0.09/GB, but unless your bots are serving video files to millions of users, you won't hit it.
My recommendation for OpenClaw: Start with the Small plan at $20/month. The 2GB of RAM gives you comfortable headroom for running OpenClaw with a few active bots. The Nano ($5) can technically work for a single lightweight bot, but you'll feel the squeeze fast once you add AI integrations or more than one or two bots.
If you're running heavier workloads — multiple bots with LLM integrations processing lots of messages — bump to the Medium ($40/month) and you'll have plenty of room.
New AWS accounts get the Nano plan free for three months, which is fine for testing but not something I'd run production bots on.
Step 1: Create Your Lightsail Instance
Head to aws.amazon.com/lightsail and sign in with your AWS account. If you don't have one, create it — you'll need a credit card but won't be charged until you actually provision something.
From the Lightsail dashboard:
- Click Create instance
- Region: Pick whatever's closest to your users or your Telegram bot's primary audience. US East (Virginia) is fine as a default.
- Platform: Linux/Unix
- Blueprint: OS Only → Ubuntu 22.04 LTS
- Instance plan: Small ($20/month) or whatever you picked from the table above
- Name your instance: Something useful like
openclaw-production - Click Create instance
It takes about 30 seconds to spin up. Note the public IP address on the instance card — you'll need it.
Important: Download your default SSH key from the Lightsail dashboard (Account → SSH Keys) if you haven't already. You'll need this .pem file to connect.
Step 2: SSH In and Set Up the Server
Open your terminal and connect:
chmod 400 ~/Downloads/LightsailDefaultKey-us-east-1.pem
ssh -i ~/Downloads/LightsailDefaultKey-us-east-1.pem ubuntu@YOUR_INSTANCE_IP
Replace the key path and IP with your actual values. You can also use the browser-based SSH client in the Lightsail dashboard by clicking the terminal icon on your instance, but a real terminal is better for copy-pasting commands.
First, update everything:
sudo apt update && sudo apt upgrade -y
Now install the dependencies OpenClaw needs:
sudo apt install curl git ufw nginx certbot python3-certbot-nginx -y
Install Node.js (version 20 or later):
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
Verify everything installed:
node --version # Should show v20.x.x
npm --version # Should show 10.x.x
nginx -v # Should show nginx version
Step 3: Configure the Firewall
Lightsail has its own firewall at the network level (managed in the dashboard), plus you've got ufw on the instance itself. Belt and suspenders. Configure both.
On the instance with ufw:
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Type y when prompted. Don't open port 3000 to the public — you'll access OpenClaw through Nginx's reverse proxy on ports 80/443 instead.
In the Lightsail dashboard:
Go to your instance → Networking tab → IPv4 Firewall. Make sure you have rules for:
- SSH (22)
- HTTP (80)
- HTTPS (443)
Remove any other default rules you don't need.
Step 4: Install OpenClaw
Now the actual deployment. Clone the OpenClaw repository:
cd ~
git clone https://github.com/openclaw/openclaw.git
cd openclaw
Install the dependencies:
npm install
Create your configuration file. OpenClaw uses a .env file for its settings:
cp .env.example .env
nano .env
At minimum, you need to configure:
BOT_TOKEN=your_telegram_bot_token_here
WEBHOOK_URL=https://your-domain.com/webhook
PORT=3000
NODE_ENV=production
We'll come back to the Telegram bot token in a minute. For now, set the port and save the file (Ctrl+X, then Y, then Enter).
If you don't have a domain yet, you can use the Lightsail IP temporarily, but you'll need a domain with HTTPS for Telegram webhooks to work in production. Telegram requires SSL for webhook endpoints — no exceptions.
Step 5: Set Up Nginx as a Reverse Proxy
You don't want to expose Node.js directly to the internet. Nginx sits in front, handles SSL termination, and proxies requests to OpenClaw on localhost:3000.
Create the Nginx configuration:
sudo nano /etc/nginx/sites-available/openclaw
Paste this:
server {
listen 80;
server_name your-domain.com;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
}
Replace your-domain.com with your actual domain. Enable the site:
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl restart nginx
The nginx -t command tests your config for syntax errors. If it says "ok," you're good.
Step 6: Attach a Static IP and Point Your Domain
In the Lightsail dashboard:
- Go to Networking → Create static IP
- Attach it to your OpenClaw instance
- Note the static IP (it might be the same as your current one, or it might change)
Now go to your domain registrar (Namecheap, Cloudflare, Route 53, wherever) and create an A record:
Type: A
Name: @ (or a subdomain like "bots")
Value: YOUR_STATIC_IP
TTL: 300
Wait for DNS propagation (usually a few minutes, sometimes up to an hour).
Step 7: Set Up SSL with Let's Encrypt
Once your domain points to the server, get a free SSL certificate:
sudo certbot --nginx -d your-domain.com
Certbot will ask for your email and whether to redirect HTTP to HTTPS. Say yes to the redirect. It automatically modifies your Nginx config to handle SSL.
Verify auto-renewal works:
sudo certbot renew --dry-run
You now have HTTPS. Telegram will accept your webhook URL.
Step 8: Connect Telegram
This is where OpenClaw starts doing its thing. First, create a bot if you haven't already:
- Open Telegram and message @BotFather
- Send
/newbot - Follow the prompts — give it a name and username
- BotFather gives you a bot token that looks like
7123456789:AAF1k2j3h4g5f6d7s8a9...
Copy that token and add it to your OpenClaw .env file:
nano ~/openclaw/.env
Update the configuration:
BOT_TOKEN=7123456789:AAF1k2j3h4g5f6d7s8a9
WEBHOOK_URL=https://your-domain.com/webhook
PORT=3000
NODE_ENV=production
Now register the webhook with Telegram's API:
curl -F "url=https://your-domain.com/webhook" \
https://api.telegram.org/bot7123456789:AAF1k2j3h4g5f6d7s8a9/setWebhook
You should get a response like:
{"ok":true,"result":true,"description":"Webhook was set"}
If you're running multiple bots (one of OpenClaw's strengths), you'll configure additional tokens in OpenClaw's config. Each bot gets its own webhook path, so you might set them up as:
https://your-domain.com/webhook/bot1
https://your-domain.com/webhook/bot2
Check OpenClaw's documentation for the exact multi-bot configuration format — it varies by version, but generally it's an array of bot configurations in the main config file.
Step 9: Run OpenClaw with PM2
Don't run OpenClaw with npm start in a terminal session. When you close the SSH connection, the process dies. Use PM2, a production process manager for Node.js:
sudo npm install -g pm2
Start OpenClaw:
cd ~/openclaw
pm2 start npm --name "openclaw" -- start
Or if OpenClaw has an ecosystem.config.js file:
pm2 start ecosystem.config.js
Set PM2 to start on boot:
pm2 startup
It'll print a command — copy and run it (it starts with sudo env PATH=...). Then save the current process list:
pm2 save
Now OpenClaw survives reboots, crashes, and SSH disconnects. Check its status anytime:
pm2 status
pm2 logs openclaw
pm2 monit
Step 10: Test Everything
Go to Telegram, find your bot, and send /start. If OpenClaw is configured correctly, you'll get a response. If not, debug:
# Check if OpenClaw is running
pm2 status
# Check the logs
pm2 logs openclaw --lines 50
# Check if Nginx is proxying correctly
curl -I https://your-domain.com
# Verify the webhook is registered
curl https://api.telegram.org/bot$YOUR_BOT_TOKEN/getWebhookInfo
The getWebhookInfo response should show your URL, no errors, and a pending_update_count that isn't growing indefinitely.
Keeping It Running: Monitoring and Maintenance
Once OpenClaw is live, there are a few ongoing things to handle:
Monitor CPU usage in the Lightsail dashboard. If you're consistently above 80%, upgrade your instance. Lightsail makes this easy — take a snapshot, create a new larger instance from it, attach your static IP to the new one, delete the old one. About 10 minutes of work.
Enable automatic snapshots for backups. In the Lightsail dashboard, go to your instance → Snapshots → Enable automatic snapshots. It costs $0.05/GB/month — cheap insurance against disaster.
Keep the system updated:
sudo apt update && sudo apt upgrade -y
Run this weekly or set up unattended upgrades:
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
Watch your data transfer. The Small plan includes 3TB/month of outbound data. Your Lightsail dashboard shows usage. Unless your bots are sending massive files to huge audiences, you'll never touch this limit.
Renew your Telegram bot tokens if compromised. Message BotFather with /revoke and update your .env file and PM2.
When to Outgrow Lightsail
Lightsail is the right choice for most OpenClaw deployments. But there are signals that it's time to move on:
- You're maxing out the 2XL instance (8 vCPU, 32GB RAM) and need more
- You need auto-scaling for variable traffic
- You want to run OpenClaw in containers (ECS/EKS)
- You need multiple instances behind a load balancer with health checks
At that point, you migrate to EC2. But honestly, a $40/month Lightsail Medium instance running OpenClaw can handle a surprising number of bots. Don't over-engineer it until you have to.
What to Do Next
Your OpenClaw instance is live on Lightsail. From here, the interesting work begins — configuring your bots, adding AI integrations, and building out the automations that make OpenClaw worth running in the first place.
If you're looking for pre-built bots, templates, or OpenClaw extensions, check the Claw Mart marketplace for listings that plug directly into your deployment. No point building everything from scratch when someone else has already done the work.
The whole setup — from creating a Lightsail instance to a running, SSL-secured, auto-restarting OpenClaw deployment — takes about 20 minutes. And your monthly bill is a predictable $20. That's hard to argue with.