Iran Struck AWS and Listed 29 Tech Targets Including Google and Nvidia

Iran's Islamic Revolutionary Guard Corps struck three AWS data centers in the UAE and Bahrain on March 1, 2026, using Shahed 136 drones. The strikes critically impaired two of three availability zones in AWS's Middle East (UAE) region. Because the outage hit multiple zones at once, standard multi-AZ failover did not work as designed — banking, payments, and enterprise services across the region went down.

Days later, the IRGC's semi-official Tasnim News Agency published a list of 29 tech company locations across Bahrain, Israel, Qatar, and the UAE, explicitly calling them "legitimate targets." The list named five Amazon facilities, five Microsoft, six IBM, four Google, three Nvidia, and three Oracle buildings, with the caption "Enemy's technological infrastructure: Iran's new goals in the region."

What Happened to the AWS Data Centers on March 1

Iran used Shahed 136 kamikaze drones to strike AWS facilities in UAE and Bahrain on March 1, 2026. AWS confirmed structural damage, power disruption, fire, and water damage from suppression systems at the affected sites.

The critical failure was architectural. Two of three AWS UAE availability zones went offline at the same time. Standard three-zone architecture is designed to survive one zone going down while the other two carry traffic. With two zones offline simultaneously, workloads that relied on cross-zone replication, distributed quorum operations, and stateful database setups experienced hard failures. AWS Bahrain (me-south-1) lost one availability zone, a less severe but still disruptive event for any workload without cross-region replication already configured.

The 29 Locations Iran Has Listed as Targets

The IRGC published specific physical addresses for 29 facilities across four countries. The breakdown by company:

The IRGC framed this as a formal escalation: "with the expansion of regional war dimensions into infrastructure, cyberwarfare, and scope, Iran's legitimate targets are gradually expanding." These are not vague threats. They are specific named buildings at known addresses.

Why Standard Multi-AZ Redundancy Failed

AWS multi-AZ architecture is built on a reasonable assumption: availability zones within a region are physically separated, independently powered, and fail independently. The design survives natural disasters, power grid failures, and localized physical incidents — one zone at a time.

Drone strikes targeting multiple facilities in the same coordinated attack break that assumption. When two zones lose power and sustain structural damage within the same attack window, workloads requiring cross-zone consistency cannot complete their operations. This includes primary-replica database setups, distributed consensus systems, multi-part uploads, and any architecture that requires acknowledgment from two or more zones before committing a write.

This is not a flaw in AWS. It is a limitation of any redundancy model: it protects against the failure modes it was designed around. Simultaneous coordinated physical attacks were not part of the commercial cloud threat model until now.

What Developers and Infrastructure Teams Must Do Now

The right response is not to abandon Middle East AWS regions. Hyperscalers have committed too much to the Gulf AI buildout to withdraw. The response is to update your threat model and configure accordingly.

Cross-region replication: If your application runs in me-central-1 (UAE) or me-south-1 (Bahrain), enable replication to a geographically distant region. S3 Cross-Region Replication, RDS cross-region read replicas, and DynamoDB Global Tables all support this with minimal configuration. ap-south-1 (Mumbai) or eu-west-1 (Ireland) are the natural fallback options depending on where your users are.

DNS failover: Route 53 health checks with failover routing can redirect traffic to a secondary region automatically when the primary becomes unreachable. Configure this now and test it before you need it.

Stateless sessions: Applications that store session state in a single-region cache or database are most vulnerable to multi-zone outages. Token-based authentication removes the dependency on region-specific session storage.

Data sovereignty review: Some clients in the Middle East require data to remain in-region for regulatory reasons. For those workloads, document the risk explicitly and review whether disaster recovery requirements could conflict with data residency contracts.

The honest reality: cross-region failover from me-central-1 to eu-west-3 (Paris) or ap-south-1 (Mumbai) takes hours to configure and costs near zero in standby mode. It is the most practical resilience upgrade available right now.

Legal Status of Striking Cloud Data Centers

The IRGC argues that these facilities directly support US military and intelligence operations, making them military targets under international law. Analysts at Just Security and TechPolicy.Press have noted the legal analysis depends on the actual use of each specific facility. Commercial customers and military workloads frequently share physical infrastructure in hyperscaler data centers, creating genuine ambiguity about targeting status under international humanitarian law.

What is not ambiguous: the pattern. Iran struck AWS first, then published a list of 29 more. Google, Microsoft, and Nvidia have not been struck yet. The list implies they are next.

How to Test Whether Your Current Failover Actually Works

Most teams configure cross-region failover once and never verify it. The AWS UAE outage exposed a specific pattern: architectures that looked resilient on paper failed in practice because engineers had not tested the failover path under realistic conditions.

Here is a concrete verification checklist for teams running in me-central-1 or me-south-1:

RDS multi-AZ: Run a manual failover using the RDS console (Actions → Reboot with Failover) and measure the actual downtime. AWS advertises 60–120 seconds for a typical promotion. If your application takes 5 minutes to re-establish connections after failover, that gap is a problem your monitoring will not catch without a test.

Route 53 health checks: Disable your primary endpoint and confirm that Route 53 begins routing to your secondary region within the configured failover TTL. Many teams set TTL to 300 seconds but leave application-level DNS caching at the default, which can hold stale records for longer. Test end-to-end, not just at the Route 53 layer.

S3 Cross-Region Replication: Verify that objects written to your primary bucket appear in the destination bucket within the expected replication time. Check for any objects excluded from replication by prefix filters you may have set up and forgotten.

DynamoDB Global Tables: Read from the replica region directly in a test environment to confirm it serves current data. Global Tables uses eventual consistency across regions; for workloads requiring strong consistency, understand the implications before relying on replica reads during a primary region failure.

The underlying principle is simple: a failover path that has never been exercised is not a resilience measure. It is documentation.

The Insurance and Force Majeure Problem

The AWS UAE strikes introduced a question that hyperscaler contracts and enterprise cloud agreements have not previously needed to address directly: what happens when data center damage is caused by an act of war?

Most enterprise cloud service agreements contain force majeure clauses that exclude liability for events beyond the provider's reasonable control, which typically include war, acts of terrorism, and government actions. AWS's customer agreement includes standard force majeure language. The March 1 strikes are precisely the category of event these clauses were written to cover.

This matters for SLA credits and breach-of-contract claims. Enterprise customers expecting SLA credits for the UAE availability zone outages may find those claims contested under force majeure provisions. Legal analysts at TechPolicy.Press noted that the March 1 strikes created novel questions about how existing cloud contracts allocate risk for wartime infrastructure damage.

For developers and infrastructure architects advising on cloud procurement: any new contract covering Middle East cloud regions should explicitly address war risk allocation, including whether force majeure covers partial region failures and what the provider's obligations are for data recovery after physical infrastructure damage. Standard boilerplate written in 2019 was not designed with this scenario in mind.

Key Takeaways

• March 1, 2026: Iran struck 3 AWS data centers in UAE and Bahrain using Shahed 136 drones
• 2 of 3 AWS UAE availability zones knocked offline simultaneously, breaking standard multi-AZ redundancy
• 29 tech locations published as IRGC targets: 6 IBM, 5 Amazon, 5 Microsoft, 4 Google, 3 Nvidia, 3 Oracle, 3 Palantir
• Countries at risk: UAE, Bahrain, Israel, Qatar, where over $100 billion in AI data center investment is currently active
• For developers: Enable cross-region replication from me-central-1 or me-south-1 to eu-west-1 or ap-south-1 today. Configure Route 53 failover routing before you need it.
• What to watch: Whether Microsoft, Google, or Nvidia report incidents at their Gulf locations in the coming days, and whether hyperscalers pause their Gulf AI buildout plans.