What happened to the AWS data centre in UAE in March 2026?

On March 1-3, 2026, Iranian drones struck two AWS data centres in the UAE (availability zones mec1-az2 and mec1-az3 in the me-central-1 region) and caused a power disruption at AWS's Bahrain facility (me-south-1). The strikes occurred as part of Iran's retaliation for US-Israel strikes on Iranian targets on February 28, 2026. Fires and subsequent water damage from fire suppression systems caused "prolonged" recovery. This is the first time a major US cloud provider's physical infrastructure was knocked offline by direct military action.

Which AWS services went down during the UAE data centre incident?

Over 60 AWS services reported errors or complete unavailability, including EC2 (virtual machines), S3 (object storage), DynamoDB, RDS (relational databases), Lambda (serverless compute), CloudFormation, Web Application Firewall, ElastiCache, and EKS (Kubernetes). The outage affected the UAE region (me-central-1) and partially the Bahrain region (me-south-1).

Which companies were affected by the AWS UAE outage?

Confirmed affected customers include: Emirates NBD, Emirates Islamic, First Abu Dhabi Bank, and Abu Dhabi Commercial Bank (all major UAE banks with disrupted online banking), Careem (UAE/Middle East's largest ride-hailing platform, owned by Uber), Snowflake, Alaan (corporate card platform), and Hubpay (cross-border payments). Numerous other companies running workloads on AWS UAE infrastructure also reported customer-facing outages.

Why did the multi-availability zone architecture not protect against this outage?

AWS's standard resilience model deploys across multiple availability zones (AZs) within a region so that one AZ failure is covered by others. The UAE drone strikes hit two of three AZs (mec1-az2 and mec1-az3) simultaneously. When two of three AZs fail in the same attack, multi-AZ protection provides no coverage. True protection requires multi-region architecture — deploying across geographically separate regions — but UAE data residency requirements for financial services may complicate routing workloads outside UAE borders.

Should I move workloads out of AWS UAE after the March 2026 incident?

Not necessarily move entirely, but architect for regional failure. Recommended steps: (1) Deploy active-active across both AWS UAE (me-central-1) and AWS Bahrain (me-south-1) at minimum; (2) Configure Route 53 health checks with automatic regional failover; (3) Enable DynamoDB Global Tables or Aurora Global Database for cross-region replication; (4) Review your UAE data residency requirements with legal counsel to identify which workloads can failover to non-UAE regions; (5) Audit which workloads are currently single-region and prioritise those for multi-region migration.

Security Tech Industry Web Development Career

Iranian Drones Set AWS Data Centres on Fire in UAE. 60 Cloud Services Went Down. Banks, Apps, and Payments Failed.

Abhishek Gautam·March 4, 2026·11 min read

Quick summary

On March 1-3, 2026, Iranian drones struck two AWS data centres in UAE and one in Bahrain during retaliation for US-Israel strikes. EC2, S3, DynamoDB, Lambda and 60+ services went offline. Emirates NBD, Careem, and Snowflake were among those affected. This is the first time a major cloud provider's physical infrastructure was knocked offline by military action.

At approximately 4:30 PM Dubai time on March 1, 2026, drones struck two Amazon Web Services data centres in the United Arab Emirates. A third AWS facility in Bahrain was hit shortly after. The strikes created fires intense enough that local fire departments had to shut off power to the buildings and activate fire suppression systems — causing secondary water damage that made recovery far longer than a typical hardware failure.

By the time AWS issued its first public statement, over 60 core cloud services were reporting errors or complete unavailability across the UAE and Bahrain regions. Emirates NBD, Emirates Islamic, First Abu Dhabi Bank, Abu Dhabi Commercial Bank, Careem, Snowflake, Alaan, and Hubpay were among the confirmed affected customers. Banks issued emergency notices telling customers they could not access online accounts. Ride-hailing stopped working. Payments failed.

This is the first time in history that a major cloud provider's physical data centre infrastructure has been knocked offline by direct military action.

What Happened: The Timeline

February 28, 2026: The United States and Israel launched coordinated strikes on Iranian IRGC leadership compounds and nuclear-related facilities. This was the triggering event.

March 1, 2026 (~4:30 PM Dubai time / 4:30 AM PST): Iranian retaliation began. Ballistic missiles and drone swarms targeted US military bases, US-allied infrastructure, and American commercial interests across Jordan, Syria, Kuwait, Bahrain, Qatar, Saudi Arabia, and the UAE. AWS data centres in the UAE were struck during this phase.

March 1-2, 2026: AWS issued its first public statement acknowledging that its UAE availability zones were affected. The statement used the phrase "objects struck the data center, creating sparks and fire." The company described the situation as requiring "prolonged" recovery "given the nature of the physical damage involved."

March 2, 2026: The Register, Bloomberg, and CNBC reported that AWS had confirmed the objects were drones. AWS's Bahrain region (me-south-1) also reported a localised power issue from a nearby strike. AWS advised customers to shift workloads to alternative regions while repairs were ongoing.

March 3, 2026: Recovery continued. Water damage from fire suppression systems had complicated hardware restoration. Some services remained degraded.

The Three Facilities Affected

UAE Region (me-central-1):

mec1-az2 — Taken completely offline by drone strike
mec1-az3 — Also brought down by the impact
mec1-az1 — Experienced issues but remained partially operational

The UAE region (me-central-1) is Amazon's newer Gulf facility, having opened in 2022 to serve the rapidly expanding UAE cloud market. It was designed to meet UAE data residency requirements for government and financial services customers — customers who, by definition, could not simply route traffic elsewhere.

Bahrain Region (me-south-1):

mes1-az2 — Localised power issue caused by a nearby drone strike impacting the facility's power infrastructure

The Bahrain region (me-south-1) is Amazon's original Middle East availability zone, opened in 2019. It serves a broader regional footprint than the UAE region and houses infrastructure for customers across the Gulf, Egypt, and parts of South Asia. A power disruption at mes1-az2 took a third availability zone partially offline.

The Services That Went Down

AWS's incident tracker showed 60+ services in error state across the affected regions at peak impact. The list included:

EC2 (virtual machines) — compute unavailable for affected availability zones
S3 (object storage) — elevated error rates on PUT and GET operations
DynamoDB — database reads and writes failing
RDS (relational databases) — instance connectivity disrupted
Lambda (serverless compute) — function invocations failing
CloudFormation — stack operations failing
Web Application Firewall (WAF) — rule processing disrupted
ElastiCache — cluster connectivity issues
EKS (Kubernetes) — control plane disruption in affected AZs

The breadth reflects the dependency chain: when availability zones lose power and physical hardware is damaged, every service that runs on that hardware fails simultaneously. There is no software fix for a data centre with the power cut and fire suppression systems active.

Who Was Affected

Banking and financial services took the most visible hit:

Emirates NBD — UAE's largest bank by assets. Online banking, mobile app, and ATM network showed degraded availability. Emergency customer notices were issued.
Emirates Islamic — subsidiary of Emirates NBD, similar disruptions
First Abu Dhabi Bank — UAE's largest bank by total assets, reported API errors in digital banking stack
Abu Dhabi Commercial Bank — online banking disrupted
Alaan — UAE corporate card and spend management platform
Hubpay — cross-border payments platform serving migrant workers in the UAE

The banking impact is significant because UAE financial services have aggressively moved to cloud infrastructure. The UAE Central Bank's cloud adoption framework has been permissive compared to some regional counterparts, and major banks have migrated core digital banking workloads to AWS. A customer who could not access their account to transfer money for rent, or a migrant worker unable to send a remittance home, experienced the geopolitical conflict as a personal financial failure.

Technology and enterprise:

Careem — Middle East's largest ride-hailing and super-app platform (owned by Uber). Service degradation reported in UAE and Bahrain. Drivers and riders unable to connect.
Snowflake — Data cloud platform, elevated error rates for customers on AWS UAE infrastructure
Numerous smaller SaaS companies built on AWS UAE reported customer-facing outages during the incident window

The Fire and Water Damage Problem

The technical complexity of the recovery situation deserves specific attention. When fire departments respond to a data centre fire caused by physical impact, they have two options: contain the fire with chemical suppression (which preserves hardware) or cut power and activate water-based systems (which is more effective but destroys hardware). In a large-scale fire with multiple active ignition points from drone impacts, water suppression is the safer choice.

The consequence: hardware that survived the initial drone strikes was potentially damaged by water from fire suppression. Servers, networking equipment, and storage arrays that absorb water cannot be powered back on without assessment and likely replacement. This is why AWS described the recovery as "prolonged" — not because the software was complex to restore, but because the physical hardware had to be inspected, dried, or replaced before services could restart safely.

This is a fundamentally different recovery scenario from a software bug, a misconfiguration, or even a hardware failure. A typical availability zone failure recovers in minutes to hours through automated failover. A physically destroyed data centre with water damage recovers in days to weeks, depending on hardware supply chains and the extent of damage.

The Architectural Question It Raises

AWS's recommended architecture for resilience is: deploy across multiple availability zones within a region. If one AZ fails, traffic automatically routes to the remaining AZs. This is the standard approach and it works for the failure scenarios it was designed for.

The UAE incident revealed the limit of this model: when two of three availability zones in a region are taken offline simultaneously by the same attack, the multi-AZ architecture provides no protection. The attack hit mec1-az2 and mec1-az3 at the same time. Only mec1-az1 remained partially operational — and the disruption to the other two AZs cascaded into issues there as well.

The defence against this scenario is multi-region architecture: deploying workloads across AWS regions in geographically separate areas so that a single attack cannot take down both simultaneously. For UAE data residency requirements, this creates a compliance problem — data residency mandates may require data to remain within UAE borders, which means multi-region failover to a non-UAE region may violate the same regulations that drove the UAE cloud adoption.

This is the dilemma that several UAE financial services customers discovered on March 1: the regulatory requirement that drove them to AWS UAE created a single geographic concentration that the attack exploited.

What AWS Should Have Known

It is worth examining whether this was a foreseeable risk that AWS should have mitigated before March 2026.

What was known:

Iran had explicitly threatened retaliation against US commercial interests in the Gulf if struck
AWS UAE data centres are physically located near US military installations and US-aligned government facilities that are known Iranian target categories
Iran has demonstrated drone warfare capability at scale (the 2019 Aramco attack destroyed Saudi oil processing facilities with drone swarms)
CISA had issued warnings about elevated physical security risk for US-aligned critical infrastructure in the Gulf in the weeks before the strikes

What was not done:

AWS did not pre-emptively advise Gulf customers to activate multi-region failover before strikes
No public preparation guidance was issued to customers about elevated physical risk to Middle East regions
The data centre physical security architecture (which is not public) was evidently not sufficient to prevent penetration by drone strikes

AWS is not uniquely culpable here — Google, Microsoft, Oracle, and other cloud providers with UAE/Bahrain infrastructure faced the same environment and made similar risk assessments. But the first data centre to be physically struck is the one that sets the precedent, and AWS is now that precedent.

What This Means for Multi-Region Architecture

Before March 2026, the argument for multi-region architecture in the Middle East was about latency optimisation and disaster recovery. After March 2026, it is a risk mitigation requirement.

Immediate architectural changes organisations should assess:

1. Active-active multi-region for UAE workloads:

Deploy in both AWS UAE (me-central-1) and AWS Bahrain (me-south-1) at minimum. Given that both regions were affected, consider adding a non-Gulf region (EU or AP) as a tertiary failover for non-residency-bound workloads.

2. Data residency review:

UAE data residency requirements vary by sector and by specific regulation. Some regulations require data to be stored in UAE, but the compute processing the data does not need to be in UAE. Legal counsel should review whether read replicas or processing workloads can be relocated to geographically separated regions while keeping primary data storage in UAE-compliant infrastructure.

3. Health check and traffic steering:

AWS Route 53 health checks with regional failover should be configured to automatically redirect traffic when a region shows degraded availability. If you were not using this before March 1, you should be using it now.

4. Database replication across regions:

DynamoDB Global Tables, Aurora Global Database, and RDS cross-region read replicas should be configured for production databases serving critical workloads. A primary instance in UAE with a cross-region read replica means read queries can serve during a UAE outage. Write operations require more complex handling but are achievable with careful architecture.

5. Stateless application layers:

Applications built on stateless microservices with data in replicated storage are inherently more resilient to region failures than applications with state tied to a specific instance. The March 2026 incident is an argument for stateless architecture that is agnostic to which specific instance handles a request.

The Geopolitical Risk Model for Cloud Infrastructure

What the AWS UAE incident establishes — more clearly than any previous event — is that cloud infrastructure in conflict-adjacent regions is a legitimate target category in modern warfare.

The logic is straightforward from an adversary's perspective: knocking out cloud infrastructure serving banks, payments, logistics, and communications imposes economic and operational costs on the adversary without killing civilians directly. It is a non-kinetic (or semi-kinetic) attack that degrades the adversary's economic functioning.

For US cloud providers specifically, operating infrastructure in US-allied Gulf states carries an inherent association with the US military presence in those states. Iran does not distinguish between AWS's commercial operations and US government strategic interests when selecting targets — the servers that run Emirates NBD's mobile banking app and the servers that might process US intelligence are, from an Iranian military planner's perspective, located in the same category of "American infrastructure in a country hosting US military bases."

Cloud architects did not need to model this scenario two years ago. They need to model it now.

The First, Not the Last

The AWS UAE incident is likely to be the first of multiple events in this category over the coming years, not an isolated anomaly. Several factors make repetition probable:

More cloud infrastructure in conflict-adjacent regions: AWS, Google, Microsoft, Oracle, and domestic providers have all significantly expanded Middle East infrastructure. The surface area of potential targets is larger than it was in 2022.
Drone warfare is accessible: The technology that struck AWS UAE is not exotic. Drone swarms capable of this attack are within the reach of multiple non-state and state actors.
The precedent is now set: Iran struck US cloud infrastructure and demonstrated that the attack vector works. That knowledge is now part of how other state actors will think about target selection.

For developers and cloud architects building systems in 2026 and beyond, the lesson is not to avoid the Middle East. The Gulf tech ecosystem is large, growing, and economically important. The lesson is that physical geographic concentration in a conflict zone is a risk factor that requires the same architectural attention as software reliability and hardware failure modes. The tools to address it — multi-region architecture, active-active failover, data replication, stateless application design — all exist. They just need to be used.

---

The fire is out. The hardware is being replaced. AWS will restore full service to the UAE and Bahrain regions. But the assumption that cloud data centres are insulated from the kinetic events of geopolitics is over. March 1, 2026 ended it.