CloudFormation is Lowkey’s default deploy method. When you run the installer and pick “CloudFormation CLI” (or use -y without --method), install.sh calls aws cloudformation create-stack with the right parameters derived from your pack and profile choices. The template lives at deploy/cloudformation/template.yaml in the Lowkey repository.

What the stack creates

One CloudFormation stack creates all of the following:
  • VPC, public subnet, internet gateway, and route table — a fresh network by default; reusable if you pass ExistingVpcId
  • Security group — egress-all; inbound SSH disabled by default
  • IAM role and instance profile — scoped to your chosen profile
  • EC2 instance — ARM64 Graviton, sized per profile
  • SSM session preferences — for secure shell access without open ports
  • Security service subscriptions (optional) — Security Hub, GuardDuty, Inspector, Access Analyzer, Config recorder
The simplest path is to let the installer handle everything:
curl -sfL install.lowkey.run | bash
Or in non-interactive mode:
curl -sfL install.lowkey.run | bash -s -- -y \
  --pack openclaw --profile builder
The installer computes all ~17 CloudFormation parameters from your choices and calls aws cloudformation create-stack for you.

Deploying the template manually

If you prefer to deploy directly, clone the repo and run aws cloudformation create-stack yourself:
git clone https://github.com/inceptionstack/lowkey.git
cd lowkey

aws cloudformation create-stack \
  --stack-name my-openclaw \
  --template-body file://deploy/cloudformation/template.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-east-1 \
  --parameters \
    ParameterKey=PackName,ParameterValue=openclaw \
    ParameterKey=ProfileName,ParameterValue=builder \
    ParameterKey=EnvironmentName,ParameterValue=my-openclaw \
    ParameterKey=InstanceType,ParameterValue=t4g.xlarge \
    ParameterKey=DefaultModel,ParameterValue=us.anthropic.claude-opus-4-6-v1 \
    ParameterKey=LokiWatermark,ParameterValue=my-openclaw \
    ParameterKey=EnableSecurityHub,ParameterValue=true \
    ParameterKey=EnableGuardDuty,ParameterValue=true \
    ParameterKey=EnableInspector,ParameterValue=true \
    ParameterKey=EnableAccessAnalyzer,ParameterValue=true \
    ParameterKey=EnableConfigRecorder,ParameterValue=true
Running the installer is almost always easier — it computes and validates all parameters for you.

Key template parameters

You rarely set these by hand. The installer computes them from your pack, profile, and flags. This table is the reference if you deploy the template directly or need to understand what was set.

| Parameter | Example value | Description |
|---|---|---|
| PackName | openclaw | Which agent pack to install |
| ProfileName | builder | IAM permission profile |
| EnvironmentName | openclaw-1-4521 | Name prefix for every resource in the stack |
| InstanceType | t4g.xlarge | EC2 instance type (must be ARM64) |
| DefaultModel | us.anthropic.claude-opus-4-6-v1 | Default AI model ID for the pack |
| ModelMode | bedrock | Model access mode: bedrock, litellm, or api-key |
| BedrockRegion | us-east-1 | Bedrock region (can differ from deploy region) |
| LokiWatermark | openclaw-1-4521 | Tag applied to every resource for easy cleanup |
| EnableSecurityHub | true | Enable AWS Security Hub |
| EnableGuardDuty | true | Enable Amazon GuardDuty |
| EnableInspector | true | Enable Amazon Inspector |
| EnableAccessAnalyzer | true | Enable IAM Access Analyzer |
| EnableConfigRecorder | true | Enable AWS Config recorder |
| ExistingVpcId | vpc-0abc123 | Reuse an existing VPC instead of creating one |
| ExistingSubnetId | subnet-0def456 | Public subnet in the existing VPC (required with ExistingVpcId) |
| SSHAllowedCidr | 127.0.0.1/32 | CIDR allowed to SSH. Default disables SSH entirely — use SSM instead |
| KiroFromSecret | /lowkey/kiro-api-key | Secrets Manager id or ARN for the Kiro API key (kiro-cli pack only) |
| LiteLLMApiKey | | NoEcho: true — only used when ModelMode=litellm |
| ProviderApiKey | | NoEcho: true — only used when ModelMode=api-key |
| RepoBranch | main | Git branch of the Lowkey repo to clone on the instance |

LiteLLMApiKey and ProviderApiKey are NoEcho: true, so they won’t appear in describe-stacks output or the console. They still pass through UserData in Base64-encoded form, which is queryable via describe-instance-attribute. For production secrets, use the --kiro-from-secret / Secrets Manager pattern — only the secret reference flows through deploy state. See Managing secrets with AWS Secrets Manager.
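To check whether a key you deployed is readable this way, the following added example (not part of the Lowkey repository) decodes the Base64 UserData returned by describe-instance-attribute and searches it for the key. The function name, the sample script and the PROVIDER_API_KEY variable in it are constructed for illustration; it assumes the UserData is plain text, not gzip-compressed.

```shell
#!/usr/bin/env bash
# Added example, not Lowkey's own code.
# userdata_contains_secret B64_USERDATA   (secret is read from stdin)
#   Returns 0 if the secret occurs verbatim in the decoded UserData,
#   1 if it does not, 2 on empty secret or undecodable input.
#   Reading the secret from stdin keeps it out of argv and shell history.
userdata_contains_secret() {
  local b64="$1" secret decoded
  IFS= read -r secret || [ -n "$secret" ] || return 2
  [ -n "$secret" ] || return 2
  # Base64 is an encoding, not encryption: anyone with
  # ec2:DescribeInstanceAttribute can reverse it exactly like this.
  decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 2
  # -F fixed string, -q quiet; "--" protects secrets that start with "-"
  printf '%s' "$decoded" | grep -qF -- "$secret"
}

# Constructed sample: a bootstrap script carrying a made-up key, encoded
# the way EC2 returns UserData.
SAMPLE_B64=$(printf '#!/bin/bash\nexport PROVIDER_API_KEY=sk-constructed-0000\n' \
  | base64 | tr -d '\n')

# Live usage (needs AWS credentials; instance ID from the stack Outputs):
#   b64=$(aws ec2 describe-instance-attribute --instance-id "$IID" \
#           --attribute userData --query 'UserData.Value' --output text)
#   userdata_contains_secret "$b64" < key.txt \
#     && echo "key is readable via describe-instance-attribute"
```

A match means the key should be treated as visible to every principal allowed to call ec2:DescribeInstanceAttribute on the instance.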

Watching deploy progress

The installer streams stack events to your terminal. If you deployed manually, watch events with:
aws cloudformation describe-stack-events \
  --stack-name my-openclaw \
  --query 'StackEvents[?ResourceStatus==`CREATE_IN_PROGRESS` || ResourceStatus==`CREATE_FAILED`]'
The bootstrap script also publishes progress to SSM Parameter Store as it runs:
# Current step name
aws ssm get-parameter --name /loki/setup-step --query Parameter.Value --output text

# Overall status: IN_PROGRESS | COMPLETE | FAILED
aws ssm get-parameter --name /loki/setup-status --query Parameter.Value --output text

Finding your instance ID after deploy

Once the stack reaches CREATE_COMPLETE, retrieve the instance ID from the stack Outputs:
aws cloudformation describe-stacks \
  --stack-name my-openclaw \
  --query 'Stacks[0].Outputs[?OutputKey==`InstanceId`].OutputValue' \
  --output text
Then connect via SSM:
aws ssm start-session --target <instance-id> --region us-east-1

Updating the stack

To change parameters after initial deploy — for example to upgrade the instance type — run update-stack:
aws cloudformation update-stack \
  --stack-name my-openclaw \
  --template-body file://deploy/cloudformation/template.yaml \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameters \
    ParameterKey=InstanceType,ParameterValue=t4g.2xlarge \
    ParameterKey=PackName,UsePreviousValue=true \
    ParameterKey=ProfileName,UsePreviousValue=true \
    ...
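
update-stack needs an entry for every parameter the stack already has, so one way to avoid typing them out (and to avoid re-supplying the NoEcho keys) is to generate the list. This is an added example, not part of the Lowkey repository; build_update_params is a hypothetical helper name, and it assumes override values contain no commas or whitespace.

```shell
#!/usr/bin/env bash
# Added example, not Lowkey's own code.
# build_update_params Key=Value ...   (current parameter keys on stdin)
#   Prints one --parameters entry per existing key: the new value for keys
#   named in the overrides, UsePreviousValue=true for everything else.
#   Returns 1 if an override names a key the stack does not define, which
#   usually means a typo that would otherwise fail the update.
build_update_params() {
  local keys key ov hit
  keys=$(cat)
  for ov in "$@"; do
    if ! printf '%s\n' "$keys" | grep -qxF -- "${ov%%=*}"; then
      echo "unknown parameter: ${ov%%=*}" >&2
      return 1
    fi
  done
  printf '%s\n' "$keys" | while IFS= read -r key; do
    if [ -z "$key" ]; then continue; fi
    hit=""
    for ov in "$@"; do
      if [ "${ov%%=*}" = "$key" ]; then
        printf 'ParameterKey=%s,ParameterValue=%s\n' "$key" "${ov#*=}"
        hit=1
      fi
    done
    if [ -z "$hit" ]; then
      printf 'ParameterKey=%s,UsePreviousValue=true\n' "$key"
    fi
  done
}

# Live usage (needs AWS credentials):
#   aws cloudformation describe-stacks --stack-name my-openclaw \
#     --query 'Stacks[0].Parameters[].ParameterKey' --output text \
#     | tr '\t' '\n' | build_update_params InstanceType=t4g.2xlarge > params.txt
#   aws cloudformation update-stack --stack-name my-openclaw \
#     --template-body file://deploy/cloudformation/template.yaml \
#     --capabilities CAPABILITY_NAMED_IAM --parameters $(cat params.txt)
```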

Tear-down

Delete the stack to remove every resource it created — VPC, EC2, IAM role, security services, and all:
aws cloudformation delete-stack --stack-name my-openclaw
If you reused an existing VPC by passing ExistingVpcId, that VPC is not deleted when the stack is removed. You brought it, so you keep it.
Security service subscriptions (GuardDuty, Security Hub, Inspector) may persist briefly after stack deletion — AWS detaches them asynchronously.