AWS lightsail documentation change
Summary
Added extensive documentation about OpenClaw security features including MOTD service, automatic token rotation, AllowedOrigin configuration, IAM role details, sandbox permissions, and version differences.
Security assessment
The changes add comprehensive documentation about security features (automatic token rotation, origin detection, certificate management, IAM role permissions, sandbox isolation) but do not indicate a specific security vulnerability was fixed. The documentation explains existing security mechanisms and best practices.
Diff
diff --git a/lightsail/latest/userguide/amazon-lightsail-quick-start-guide-openclaw.md b/lightsail/latest/userguide/amazon-lightsail-quick-start-guide-openclaw.md index 5c924236e..673e62927 100644 --- a//lightsail/latest/userguide/amazon-lightsail-quick-start-guide-openclaw.md +++ b//lightsail/latest/userguide/amazon-lightsail-quick-start-guide-openclaw.md @@ -67,0 +68,8 @@ The default public IP address for your OpenClaw instance changes if you stop and +###### Did you know? + +The Message of the Day (MOTD) service running on your OpenClaw instance manages several automated configuration tasks, including origin detection, certificate management, and token rotation. You can check your MOTD version by connecting to your instance via SSH. + +Your OpenClaw instance automatically configures the gateway to accept connections from the instance’s IP address. MOTD version 2.0.0 includes an automatic origin detection feature that runs during instance startup and configures the allowed origin to be the instance's current IP address. When you attach a static IP address to your instance, the system automatically updates the allowed origin to use the static IP address instead. + + + @@ -70 +78 @@ The default public IP address for your OpenClaw instance changes if you stop and - + @@ -78 +86 @@ The default public IP address for your OpenClaw instance changes if you stop and - + @@ -105 +113 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it - +###### What does the setup script do? @@ -107 +115 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it - 3. Paste the copied script into the CloudShell terminal and press **Enter**. +The setup script performs the following actions: creates an IAM role specifically for your OpenClaw instance, attaches a policy granting access to Amazon Bedrock APIs, attaches a policy granting AWS Marketplace permissions (required for third-party models), and configures the instance profile to use this role. You can review the IAM policy details in the [IAM console](https://console.aws.amazon.com/iam/) after running the script. The IAM role will be named `LightsailRoleFor-[your-instance-id]`. @@ -109 +117 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it - 4. Wait for the script to complete. When you see **Done** in the output, the permissions have been applied successfully. + @@ -110,0 +119 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it + 3. Paste the copied command into the CloudShell terminal and press **Enter**. @@ -111,0 +121 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it + 4. Wait for the script to complete. When you see **Done** in the output, the permissions have been applied successfully. @@ -114 +123,0 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it -###### Tip @@ -116 +124,0 @@ Your Lightsail OpenClaw instance is configured to use Amazon Bedrock to power it -The script creates an IAM role and attaches a policy that grants your OpenClaw instance access to Amazon Bedrock API. You can view and customize this IAM policy at any time in the [IAM console](https://console.aws.amazon.com/iam/). @@ -158 +166 @@ You can extend OpenClaw to work with messaging apps like Telegram and WhatsApp, - + @@ -295 +303 @@ For more information, see [Access Amazon Bedrock foundation models](https://docs -**How does HTTPS work?** +**How does HTTPS work with my OpenClaw instance?** @@ -301 +309,3 @@ Your OpenClaw instance comes with a built-in HTTPS endpoint secured by a Let's E -Your OpenClaw instance includes a built-in certificate management daemon (`lightsail-manage-certd`) that monitors your instance's IP address. If the IP address changes — for example, when you attach or detach a static IP — the daemon automatically detects the change and issues a new Let's Encrypt certificate for the new IP address. No manual action is required. +Your OpenClaw instance includes a built-in certificate management daemon (`lightsail-manage-certd`) that monitors your instance's IP address. If the IP address changes — for example, when you attach or detach a static IP — the daemon automatically detects the change and issues a new Let's Encrypt certificate for the new IP address. No manual action is required for your SSL certificate. + +Note: The gateway access token will remain the same, but you will need to re-pair your browsers again by following the steps in **Step 2: Pair your browser with OpenClaw** @@ -312,0 +323,11 @@ To manage the gateway after installing a plugin or updating a configuration, SSH + * Stop the OpenClaw gateway service: `openclaw gateway stop` + + * Start the OpenClaw gateway service: `openclaw gateway start` + + * Check the current status of the service: `openclaw gateway status` + + + + +**Note:** If you are using MOTD 1.0.0 (OpenClaw 2026.2.17), use the following commands instead: + @@ -326 +347,5 @@ If the token is ever exposed — for example, leaked in logs, accidentally share -**How do I rotate my gateway token?** +**Is my gateway token automatically rotated?** + +Yes. It is automatically rotated at 3:00 UTC every day. This rotation will require you to re-pair your browser with your OpenClaw instance. + +**How do I manually rotate my gateway token?** @@ -338 +363 @@ To rotate your gateway token: - * Re-pair your browsers using the new token by following the steps in Step 2: Pair your browser with OpenClaw. + * Re-pair your browsers again using the new token by following the steps in **Step 2: Pair your browser with OpenClaw.** @@ -346,0 +372,17 @@ After rotating your token, check that all trusted devices have been re-paired be +**How does automatic token rotation work?** + +MOTD 2.0.0 includes automatic token rotation that enhances security by rotating your gateway access token every day. + +**Important implications:** + + * When the token is automatically rotated, all paired browsers and devices will be disconnected. + + * You will need to re-pair your browser again by following the steps in Step 2: Pair your browser with OpenClaw. + + + + +If you don't want the token to be rotated, you can disable it in the MOTD by changing the security settings. + + + @@ -373,0 +416,168 @@ Rotating a messaging credential does not affect your gateway token or other conn +**What does the`setup-lightsail-openclaw-bedrock-role.sh` script do?** + +It creates an IAM role that permits only your OpenClaw instance to use foundational models available via Amazon Bedrock and the AWS Marketplace. + +**How do I restore an OpenClaw instance from a snapshot?** + + * Create a new instance from an existing OpenClaw snapshot. For more information, see [Creating an instance from a snapshot](./lightsail-how-to-create-instance-from-snapshot.html). + + * SSH into your new OpenClaw instance from the Lightsail console + + * Run the following command to get the instance ID for your Lightsail instance, e.g. `i-1234567890abcdef1`: + + TOKEN=`curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -w "\n" -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/instance-id + + * Run the following command to get the IAM role associated with the instance: + + grep 'role_arn' /home/ubuntu/.aws/config | head -1 | awk '{print $3}' + + * Find the role you retrieved in the previous step on the [IAM console](https://console.aws.amazon.com/iam/), e.g. `LightsailRoleFor-i-0d15d5483571b95bb` + + * Select `Trust relationships` + + * Select `Edit trust policy` + + * Update the trust policy with the ARN of the instance ID retrieved earlier, e.g. `"arn:aws:sts::0123456789012:assumed-role/AmazonLightsailInstance/i-1234567890abcdef1"`. + + * Select `Update policy` + + + + +**How do I configure AllowedOrigin for my OpenClaw instance?** + +AllowedOrigin is a security setting that controls which web addresses (origins) are permitted to connect to your OpenClaw gateway. This prevents unauthorized websites from accessing your instance and protects against cross-origin security issues. + +**MOTD 2.0.0 (OpenClaw 2026.3.2 and later):** AllowedOrigin is automatically managed by the MOTD service. When your instance starts or when the IP address changes, the service automatically detects the correct origin, and updates the configuration. No manual action is required. + +**MOTD 1.0.0 (OpenClaw 2026.2.17):** You need to manually configure AllowedOrigin if you are accessing OpenClaw from a specific domain. SSH into your instance and edit the OpenClaw configuration file by following below instructions to add your allowed origins. + + * SSH into your OpenClaw instance from the Lightsail console + + * Open the configuration file: `~/.openclaw/openclaw.json` + + * Add or modify the AllowedOrigin setting: + + { + "gateway": { + "controlUi": { + "allowedOrigins": [ + "https://<your-domain.com>" + ] + } + } + } + + * Restart the OpenClaw gateway service: `sudo systemctl restart openclaw-gateway` + + + + +**How do I update OpenClaw to the latest version?** + +To update your OpenClaw gateway to the latest version: + + * SSH into your OpenClaw instance + + * Run the update command: `sudo openclaw update` + + + + +**Important notes:** + + * The OpenClaw blueprint installs the gateway globally on the instance, which is why sudo privileges are required + + * After the update command completes, it will attempt to start the gateway as the root user, but this will fail because the gateway must run as the `ubuntu` user + + * You must manually restart the gateway after updating: `openclaw gateway restart` + + * The "Update" button in the OpenClaw control UI dashboard will not work because it doesn't have `sudo` privileges + + + + +**What happens to device pairing when I attach a static IP address?** + +When you attach a static IP address to your OpenClaw instance, the instance's IP address changes. This has important implications for device pairing: + + * All previously paired browsers and devices will be disconnected + + * The gateway token remains valid, but the connection endpoint has changed + + * You must explicitly pair all browsers and devices again after attaching the static IP + + + + +**To re-pair your devices:** + + * SSH into your instance (the SSH connection will work with the new static IP) + + * Follow the pairing steps in Step 2 to reconnect each browser + + * For messaging channels (Telegram, WhatsApp), you may also need to re-approve pairing + + + + +**How do I grant sandbox permissions for enabling tools?** + +By default, OpenClaw runs tools and plugins in isolated Docker container environments (sandboxes) to protect your instance from potentially harmful operations. This isolation restricts what tools can access, including system commands, file system access, network connections, and host system resources. +