Iran Drones Hit 3 AWS Data Centers in UAE and Bahrain: Cloud Infrastructure Goes to War

On March 1, 2026, three Amazon Web Services data centers were struck by Iranian drones — one in Bahrain and two in the UAE. It was the first known military attack on a major American hyperscaler's physical infrastructure in history. Banks went offline. Payments failed. Enterprise SaaS platforms dropped. And every assumption the cloud industry had made about geographic redundancy inside a single region was stress-tested in real time.

Iran's Islamic Revolutionary Guard Corps claimed responsibility explicitly. Their stated justification: AWS was hosting Anthropic's Claude and other AI systems being used by the US military for intelligence analysis and war simulations. The data centers were not collateral damage. They were the target.

What Actually Happened on March 1

The strikes hit two AWS facilities in the UAE and one in Bahrain. In the UAE, both facilities sustained direct hits — structural damage, disrupted power delivery, and fire suppression activity that caused additional water damage to hardware. In Bahrain, a drone strike in close proximity to the facility caused infrastructure impact without a direct hit on the building itself.

AWS confirmed the incidents publicly. The Register reported the story first, citing AWS status page entries that initially described "connectivity issues" before the company acknowledged physical damage from external events.

The IRGC statement was unusually specific. Iranian state media named AWS by name, cited its role as cloud provider for US defence and intelligence workloads, and framed the data centers as legitimate military targets under the laws of armed conflict — an argument that international lawyers and cloud policy experts immediately disputed, but that established a precedent no one wanted to see established.

Services That Went Down

The downstream impact was immediate and visible:

Banking: Abu Dhabi Commercial Bank, Emirates NBD, and First Abu Dhabi Bank all reported service disruptions. Online banking portals and mobile apps running on AWS infrastructure in the region became intermittently unavailable. ATM networks dependent on real-time transaction processing experienced delays.

Payments: Alaan (corporate card platform) and Hubpay (cross-border payments) both reported outages. For businesses processing payroll and supplier payments that week, the timing was damaging.

Enterprise software: Snowflake's Middle East customers reported degraded query performance and connectivity issues. The Snowflake data platform runs on cloud provider infrastructure — AWS in this region — making it directly exposed to the facility damage.

Consumer apps: Careem, the ride-hailing and delivery platform operating across the UAE and broader Gulf, reported service disruptions affecting drivers and customers simultaneously.

The pattern across all of these: services that had designed for software failures — code bugs, network misconfigurations, overload — were not designed for the physical destruction of the facilities their workloads ran in.

The Multi-AZ Assumption Just Failed

AWS divides its infrastructure into Availability Zones (AZs) — physically separate facilities within a region, connected by high-speed private networking. The standard AWS best practice for resilience is multi-AZ deployment: run workloads across at least two AZs so that a single facility failure does not take down the application.

The March 1 strikes broke that assumption in a specific way: multiple AZs in the same region were struck simultaneously.

AWS Middle East (UAE) region has three Availability Zones. Two of the three were struck in the same attack. Applications designed for single-AZ failure — the standard resilience design — failed. Applications designed for multi-AZ failure — the more expensive, less common design — survived if their third AZ remained operational. Applications designed for full regional failure — multi-region active-active deployment — were largely unaffected.

InfoQ documented this extensively: the strikes forced a real-world test of multi-AZ assumptions that no cloud architect had previously stress-tested against physical military attack. The conclusion from the incident: in conflict zones, multi-region is not optional redundancy. It is the minimum viable resilience design.

Iran's Strategic Logic: Why Target Cloud Data Centers

The IRGC's targeting logic is worth understanding on its own terms, because it signals how adversaries think about cloud infrastructure in modern conflict.

AWS has publicly confirmed it provides cloud services to the US Department of Defence through the JEDI and JWCC contracts. Anthropic's Claude is used by US intelligence and military organisations — this is documented. The reasoning Iran applied: if the US military uses AWS-hosted AI for intelligence analysis and targeting, then the AWS facilities hosting those workloads are military infrastructure, not civilian infrastructure.

This argument has no support in international humanitarian law as currently interpreted. The laws of armed conflict protect civilian infrastructure, and a general-purpose cloud platform serving thousands of civilian customers does not become a military target because some of its customers are government entities.

But Iran was not making a legal argument. It was making a strategic one: attacking cloud infrastructure imposes economic costs on the adversary, disrupts civilian systems that create political pressure, and demonstrates the ability to reach targets that were previously assumed safe. The data centers were chosen because they are high-value, difficult to defend, and their disruption is immediately visible.

What This Means for Every Developer Building on Cloud

The attack has concrete implications for how developers and architects should think about cloud deployment in geopolitically exposed regions.

Multi-region is now a risk requirement, not a cost decision. For any application serving customers in the Middle East, single-region deployment — even multi-AZ — is no longer adequate risk management. The attack demonstrated that multiple AZs in the same region can be struck simultaneously. Multi-region active-active deployment is the only architecture that survived intact.

War risk is a new category in cloud risk modelling. Standard cloud risk models account for hardware failure, software bugs, network partitions, and natural disasters. They do not account for military strikes. Every organisation running workloads in the Middle East now needs to add conflict risk to its business continuity planning — including evacuation procedures for data to geographically distant regions before conflict escalates.

Cloud SLAs do not cover acts of war. AWS, Azure, and Google Cloud all include force majeure clauses that exclude acts of war from SLA obligations. The organisations that experienced outages from the March 1 strikes cannot claim SLA credits for the downtime. Their contracts explicitly exclude this scenario.

The targeting of AI infrastructure is now a stated adversary doctrine. Iran explicitly cited AI workloads as the justification for targeting AWS. This will not be the last time an adversary uses this framing. Developers building AI applications for government or defence customers need to factor in that their infrastructure may be considered a legitimate target by adversaries who adopt Iran's reasoning.

The Legal and Policy Fallout

TechPolicy.Press documented the legal questions the strikes immediately raised: does a cloud provider become a combatant by hosting military AI workloads? What obligations does a hyperscaler have to disclose when it becomes a military target? Does attacking a cloud data center constitute an attack on civilian infrastructure under international law?

None of these questions have settled answers. What the March 1 strikes did was force them into active policy discussion at the UN, in the EU's AI Act framework discussions, and inside the US Department of Defence's cloud contracting structures.

The practical immediate response from AWS: the company accelerated existing plans to deploy dedicated GovCloud-equivalent infrastructure in the Middle East that is physically separated from commercial workloads. The argument is that co-locating military AI workloads with civilian banking and payments infrastructure creates targeting risk for the civilian systems.

Key Takeaways

• March 1, 2026: Iranian drones struck 3 AWS facilities in UAE (2 direct hits) and Bahrain — the first military attack on an American hyperscaler in history
• IRGC claimed responsibility explicitly, citing AWS hosting US military AI systems including Anthropic's Claude as justification for treating data centers as military targets
• Banks, payments, SaaS platforms went down: Abu Dhabi Commercial Bank, Emirates NBD, First Abu Dhabi Bank, Alaan, Hubpay, Snowflake, Careem all reported outages
• Multi-AZ redundancy failed: Two of three UAE AZs were struck simultaneously — only multi-region deployments survived fully intact
• AWS SLAs exclude acts of war — affected customers have no contractual recourse for the downtime caused by the strikes
• Iran's doctrine is now documented: cloud infrastructure hosting military AI is a legitimate target in their strategic framework — every developer building defence-adjacent AI should factor this into architecture decisions
• The policy fallout is still unresolved: whether a general-purpose cloud becomes a military target by hosting some government workloads is now an active question in international law, UN policy, and AWS's own contracting structure