The tech industry has spent years talking about cloud resilience: multi-availability zones, geographic redundancy, disaster recovery plans designed for earthquakes, power failures, and floods. Nobody seriously planned for drones. Before dawn on March 1, 2026, Iran changed that conversation permanently. Iranian Shahed drones struck two Amazon Web Services data centers in the United Arab Emirates and damaged a third in Bahrain, taking critical cloud infrastructure offline in the middle of an active war. It was the first confirmed military attack on a hyperscale cloud provider in history, and it was not the last.

By the time the fires were out and the damage assessments were complete, banking apps had crashed, payment platforms had gone dark, and Amazon had taken the unprecedented step of waiving an entire month of cloud charges for affected customers. The attack has since been followed by additional drone strikes, an Iranian threat list naming 18 major American tech companies as military targets, and a growing realization across the industry that the cloud, for all its abstractions, has a physical address, and that address can be hit by a weapon.

Why Iran Targeted Amazon: The Military-Cloud Overlap

To understand why AWS data centers became Iranian military targets, you need to understand how deeply commercial cloud infrastructure has been woven into modern military operations. The Pentagon's Joint Warfighting Cloud Capability and Joint All-Domain Command and Control networks do not run on classified government-only hardware in sealed bunkers. They run on the same commercial cloud infrastructure that serves banks, ride-hailing apps, and streaming services.

Multiple news organizations reported in the context of the US-Israel strikes on Iran that the US military used Anthropic's Claude AI model: which runs on AWS: for intelligence analysis, target identification, and battle simulations. Iran's Fars News Agency cited this directly, claiming the Bahrain facility had been deliberately targeted "to identify the role of these centers in supporting the enemy's military and intelligence activities." Iran's IRGC explicitly framed the AWS facilities as legitimate military infrastructure, not civilian targets, precisely because of this dual-use reality.

Amazon declined to comment on the IRGC's claims, and it remains publicly unconfirmed whether the specific facilities struck hosted US military workloads. Researchers at Just Security noted on March 12, 2026 that US law requires cloud providers to store government and military data within the US or on Department of Defense bases, raising questions about whether any classified data was actually present. But whether the specific data centers hit served military purposes or not, the message from Iran was unambiguous: in the compute era, cloud infrastructure is enemy infrastructure.

The Attacks: A Full Timeline

The events did not begin or end on March 1. Over a period of roughly five weeks, Iranian forces conducted a sustained campaign against data center infrastructure across the Gulf, escalating in scope and in explicit threat-making.

What the Drones Actually Hit: The Physical Damage

AWS operates its Middle East infrastructure across two regions: ME-CENTRAL-1 in the UAE, and ME-SOUTH-1 in Bahrain. Each region is designed with at least three physically separate availability zones (AZs), spread across different locations within the country. The design is built to ensure that a failure in one AZ: whether from a power outage, a natural disaster, or any other localized event, does not take the entire region offline.

The March 1 attack broke that model in a way its architects had never anticipated. AWS confirmed in its service health communications:

"In the ME-CENTRAL-1 (UAE) Region, two of our three Availability Zones (mec1-az2 and mec1-az3) remain significantly impaired. The third Availability Zone (mec1-az1) continues to operate normally, though some services have experienced indirect impact due to dependencies on the affected zones." Amazon Web Services Service Health Dashboard

The physical damage to the affected facilities included:

• Structural damage to building infrastructure from direct drone impacts
• Disrupted power delivery to server clusters, requiring external power restoration and facility assessment
• Fire outbreaks requiring civil defense response, with suppression activities causing additional water damage to hardware
• Cooling and power systems requiring repair before servers could safely be brought back online
• AWS estimated recovery time of "at least a day" for initial restoration, with some impairment continuing through late March according to the AWS status page

The multi-AZ resilience model had been stress-tested against natural disasters, power grid failures, and physical infrastructure faults. It had never been tested against a military adversary simultaneously targeting multiple AZs within the same region. In the Gulf, drones struck multiple availability zones at once because the conflict zone covered the entire geographic area that those zones were spread across. A popular assumption among cloud architects, that it would take a meteor strike to knock out an entire AWS region, was tested in the worst possible way.

Services That Went Down: Banking, Payments, Transport

The outage hit a cross-section of the Middle East's digital economy. AWS confirmed that the following core services experienced "elevated error rates and degraded availability" across the affected regions:

• Amazon EC2 (virtual compute)
• Amazon S3 (object storage)
• Amazon DynamoDB (managed database)
• AWS Lambda (serverless computing)
• Amazon Kinesis (data streaming)
• Amazon CloudWatch (monitoring)
• Amazon RDS (relational database service)
• AWS Management Console and CLI

The downstream impact on end users and businesses was immediate and widespread. The most directly affected services reported publicly included:

• Careem: The UAE-based ride-hailing and delivery super-app experienced service failures, disrupting millions of daily users across the region
• Emirates NBD: One of the UAE's largest banks reported banking platform and mobile app outages, leaving customers unable to access accounts or process transactions
• Abu Dhabi Commercial Bank: Reported operational disruptions to its digital banking services
• First Abu Dhabi Bank: Experienced service impact from the AWS outage
• Alaan and Hubpay: UAE-based business payment platforms went offline, disrupting corporate expense management and B2B transactions
• Snowflake: The data cloud company reported impact to its Gulf-region deployments
• SadaPay: Pakistan's digital payments app went entirely offline; its entire application backbone ran on the affected AWS Bahrain facility

The impact extended well beyond the Gulf. Many companies operating globally had workloads routed through Middle East AWS regions without being fully aware of it: standard cloud routing behavior that becomes a critical liability when a region is in an active conflict zone. Business exposure ran far wider than most affected companies realized.

Amazon's Unprecedented Response: Waiving an Entire Month of Charges

Amazon's financial response to the crisis set a precedent that has no direct parallel in AWS history. The company sent emails to customers using the affected regions confirming a full billing waiver:

"AWS is waiving all usage-related charges in the ME-CENTRAL-1 Region for March 2026. This waiver applies automatically to your account(s), and no action is required from you. You will not see any March 2026 usage for the ME-CENTRAL-1 Region in your Cost and Usage Report or Cost Explorer once processing is complete." Amazon Web Services customer email, reported by The Register

AWS cloud expert and blogger Cory Quinn, who first reported the email, noted that while AWS sometimes applies credits related to SLA violations, waiving charges for an entire month across an entire region appears to be entirely unprecedented. The move carries a secondary implication that Quinn also flagged: wiping March usage data from Cost and Usage Reports removes records that many enterprises use not just for billing, but for compliance documentation, security forensics, and regulatory audit trails. AWS later clarified that the underlying data had not been deleted and remains available to customers on request.

Amazon also instructed all corporate employees in the Middle East to work remotely and follow local government guidelines amid escalating regional instability.

Iran's Target List: 18 American Tech Giants Now in the Crosshairs

The most significant escalation came on March 31, 2026, when Iran's IRGC published an official statement designating 18 major American technology companies as valid military objectives. The full list named:

• Microsoft
• Google
• Apple
• Meta
• Oracle
• Intel
• HP
• IBM
• Cisco
• Dell
• Palantir
• Nvidia
• JPMorgan
• Tesla
• GE
• Spire Solutions
• G42 (UAE-based AI company)
• Amazon

The IRGC simultaneously warned employees at these companies to evacuate their Middle East workplaces. Iranian state media claimed that Oracle's data center in Dubai was struck on April 2. Oracle and Microsoft have not confirmed any hits. Microsoft officially denied experiencing outages. But the designation of these companies as military targets represents a formal shift in Iranian war doctrine: US commercial tech infrastructure in the Gulf is now, by Iran's definition, enemy territory territory.

Amazon's stock rose approximately 3% following the initial attacks, a counterintuitive market reaction that financial analysts attributed to a straightforward logic: the physical vulnerability will force enterprises to abandon single-region deployments and build multi-region cloud architectures, effectively increasing cloud revenues for major providers across the board.

The Multi-AZ Model Has a War Problem

The attacks exposed a fundamental flaw in how cloud resilience has been designed and marketed. AWS defines a region as a minimum of three isolated, physically separate AZs within a geographic area. The AZs are separated by enough distance that a natural disaster affecting one is statistically unlikely to affect another, while remaining close enough (within 100 kilometers) to keep inter-zone latency low.

The model was designed for natural disasters: power outages, lightning strikes, tornadoes, earthquakes, floods. It was never designed for military conflict, where the relevant threat radius is the entire geographic area covered by a war, not the footprint of a single storm or tremor. When drones can hit multiple AZs within the same region in a single coordinated attack, the entire architecture of multi-AZ redundancy collapses simultaneously.

Paul Barrett, head of disaster recovery at Pay10 Global in Dubai, documented another painful edge case in the aftermath: data residency compliance. AWS instructed affected customers to migrate workloads to other regions. But for regulated entities in the UAE and Bahrain, moving data to servers outside national borders may violate data sovereignty laws, even in an emergency. The choice between keeping services online and remaining legally compliant became a real dilemma for banks and government agencies during the outage.

The Bigger Picture: How the Conflict Threatens Global Data Infrastructure

The AWS strikes are not occurring in isolation. They are part of a broader geopolitical context that puts multiple critical data infrastructure chokepoints under simultaneous threat.

Seventeen submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. Iran's closure of the Strait of Hormuz and renewed Houthi threats in the Red Sea mean that both major data chokepoints: the Gulf cloud regions and the Red Sea cable routes, are simultaneously in active conflict zones. Doug Madory, director of internet analysis at Kentik, put it plainly: "Closing both choke points simultaneously would be a globally disruptive event. I'm not aware of that ever happening."

The strikes also land at a particularly fraught moment for the Gulf's AI infrastructure ambitions. During his tour of the region in May 2025, President Trump generated more than $2 trillion in investment pledges for Gulf AI infrastructure, including the planned Stargate UAE campus in Abu Dhabi: what would be the largest AI facility outside the United States. The conflict is directly threatening the realization of those investments.

As Fortune noted, the Pentagon's reliance on commercial cloud infrastructure for military AI creates a feedback loop that may be impossible to fully untangle: "The boundary between commercial cloud computing and military operations has largely vanished." If AWS data centers in the Gulf are running Anthropic's Claude for military intelligence functions, and Iran targets them for that reason, then the commercial data center has become a military asset regardless of whether Amazon intended it to be.

What the Attacks Mean for Cloud Architecture and Data Center Security

The industry response to the strikes has been rapid and is reshaping how enterprises and cloud providers think about resilience. Several shifts are already underway or being actively debated:

• Multi-region is now mandatory, not optional: IDC research projects that cloud providers in the Middle East will commit to multi-region deployments as a baseline requirement. Single-region architectures that were previously acceptable risk profiles are now considered inadequate for regulated industries and critical services.
• Physical hardening is being reconsidered: Chris McGuire, former technology policy advisor at the National Security Council, told The Guardian: "If you're actually going to double down in the Middle East, maybe it means missile defense on data centers." Underground and bunker-based data facilities, already operating in the UK and Sweden inside Cold War-era nuclear shelters, are drawing renewed interest from cloud providers evaluating Gulf expansion.
• War risk insurance is now a cloud contract issue: Standard commercial property and business interruption insurance policies typically exclude acts of war. Legal analysts at TechPolicy.Press note that tech providers operating in the Gulf must now aggressively secure specialized war risk policies or face absorbing catastrophic losses with no insurance recourse against state attackers.
• Sovereign data localization creates a compliance trap in conflict zones: Governments that require sensitive data to be physically hosted within their borders have inadvertently created a situation where that data cannot be safely migrated away during conflict. The legal and technical frameworks for this scenario do not yet exist.
• The definition of critical infrastructure must expand: The Center for Strategic and International Studies noted that "in the compute era, regional adversaries could target data centers, energy infrastructure supporting compute, and fiber chokepoints" in the same way previous conflicts targeted oil fields and refineries. Data center security is no longer a cybersecurity problem. It is a physical security and geopolitical problem.

What AWS and Amazon Are Doing Next

As of early April 2026, AWS's Middle East infrastructure remains partially impaired. The company's service health dashboard continued to show disruption in affected regions through late March, and the April 1 follow-up strike on the Bahrain facility added additional damage before a full recovery from the initial March 1 attacks had been completed.

Amazon has not publicly announced a specific timeline for full restoration. The company's advisories to customers have recommended migrating critical workloads to unaffected AWS regions and maintaining backups outside the Middle East. Amazon instructed all Middle East corporate employees to work remotely indefinitely. The company has declined to comment on Iranian claims about the military purpose of the targeted facilities.

According to IDC's Ashish Nadkarni: "Now suddenly, protecting data centers is like protecting top-security government offices." That shift represents a fundamental change in how hyperscale cloud providers will need to think about physical security for any infrastructure operating in or near a conflict zone: not as an edge case, but as a standard operational requirement.

What Developers and Enterprises Should Do Right Now

If your organization runs workloads in AWS Middle East regions, or relies on services hosted there, several actions are relevant immediately and as longer-term architectural decisions:

• Audit which of your workloads run in ME-CENTRAL-1 (UAE) and ME-SOUTH-1 (Bahrain) and assess your current multi-region failover capability
• Review whether any of your SaaS vendors or third-party dependencies route through Middle East AWS regions: the outage affected companies with no direct Middle East presence whose cloud workloads happened to be region-routed there
• Review insurance policies for cloud infrastructure for war exclusion clauses, and assess whether your service contracts include force majeure or military disruption provisions
• For regulated industries in the Gulf, begin working with legal and compliance teams on emergency data migration protocols that address the sovereignty trap: what is the legally defensible path if your country's data residency law and your disaster recovery plan conflict during an active military strike
• For any organization with workloads in regions on or near the Iranian target list: which now includes Oracle, Microsoft, and Google Middle East facilities: multi-region architecture is no longer an optimization. It is a risk management requirement

A Permanent Shift in How We Think About the Cloud

The Iran-AWS attacks of March and April 2026 represent a before-and-after moment for the technology industry's understanding of cloud infrastructure risk. For two decades, the industry has treated cloud resilience as a purely technical problem: hardware failures, software bugs, network outages, natural disasters. The answer was always more redundancy, more geographic distribution, more automated failover.

What March 1, 2026 revealed is that redundancy architectures designed for natural disasters can be defeated by a coordinated military attack. That the largest commercial cloud infrastructure in the world has no dedicated physical defense against drone strikes. That the commercial and military uses of cloud infrastructure have become so deeply intertwined that adversary nations now treat hyperscale data centers as legitimate wartime targets. And that the submarine cables, the cloud regions, and the AI infrastructure built to power the next decade of global economic growth are sitting in some of the most geopolitically volatile geography on earth.

Sam Winter-Levy of the Carnegie Endowment for International Peace, who warned against building critical compute infrastructure in the Gulf back in July 2025, framed the conclusion bluntly: "As more and more parts of the economy rely on these data centers, they correspondingly become increasingly attractive targets."

The cloud has an address. That address can be hit. The industry has known this in theory for years. In March 2026, it became true in practice.

Frequently Asked Questions

What happened to Amazon AWS data centers in the Iran attack?

Before dawn on March 1, 2026, Iranian Shahed 136 drones struck two AWS data centers in the UAE and damaged a third in Bahrain. Fires broke out, power was cut to multiple server clusters, and suppression activities caused water damage to hardware. Two of three availability zones in the UAE region (ME-CENTRAL-1) were significantly impaired. Additional strikes followed through April 2, including a second hit on the Bahrain facility and a reported Oracle data center strike in Dubai.

Which services went down after Iran hit the AWS data centers?

Core AWS services impaired included EC2, S3, DynamoDB, Lambda, Kinesis, CloudWatch, RDS, the Management Console, and the CLI. Consumer services that crashed included Careem, payment platforms Alaan and Hubpay, Emirates NBD, Abu Dhabi Commercial Bank, First Abu Dhabi Bank, Snowflake, and Pakistan's SadaPay. Financial institutions and government entities across the UAE, Bahrain, and wider region experienced significant operational disruptions.

Why did Iran target Amazon AWS data centers?

Iran's IRGC claimed the strikes targeted infrastructure supporting US military and intelligence operations, specifically citing reports that the US military was using Anthropic's Claude AI model on AWS for intelligence analysis, target identification, and battle simulations during the joint US-Israel strikes on Iran. Analysts also suggest Iran may have been targeting the attacks to punish the UAE for its ties with the US and to signal that US commercial tech investment in the Gulf is now a military liability.

Did Amazon waive AWS charges after the Iran attacks?

Yes. Amazon sent emails confirming it was waiving all usage-related charges for the ME-CENTRAL-1 (UAE) region for the entire month of March 2026. The waiver applied automatically. This appears to be an unprecedented move: AWS has applied SLA credits for outages before, but waiving an entire month of regional charges for an entire customer base has no direct precedent.

Which tech companies has Iran threatened to attack next?

On March 31, 2026, Iran's IRGC officially named 18 American tech companies as valid military targets: Microsoft, Google, Apple, Meta, Oracle, Intel, HP, IBM, Cisco, Dell, Palantir, Nvidia, JPMorgan, Tesla, GE, Spire Solutions, G42, and Amazon. The IRGC simultaneously warned employees to evacuate Middle East workplaces. Iranian state media claimed an Oracle data center in Dubai was struck on April 2. Microsoft denied being hit or experiencing outages.

What does the Iran AWS attack mean for cloud infrastructure security?

It exposed that multi-AZ resilience models were designed for natural disasters, not military conflict. When drones simultaneously strike multiple availability zones across an entire geographic region, the redundancy architecture fails. Experts now recommend multi-region deployments as a baseline requirement, physical hardening including possible missile defense for Gulf data centers, specialized war risk insurance, and legal frameworks for emergency data migration that respect data sovereignty laws.