Iranian Drone Strikes Hit Three AWS Data Centers in UAE and Bahrain — First Kinetic Attacks on Major Cloud Infrastructure

Iranian drone strikes have physically damaged three Amazon Web Services data centers across the Middle East — two in the United Arab Emirates that were "directly struck" and a third in Bahrain damaged when a drone landed nearby — marking the first time a major cloud infrastructure provider has suffered kinetic military attack.

The strikes caused structural damage, disrupted power delivery, and triggered fire suppression systems that resulted in additional water damage to equipment. AWS confirmed the incidents via its online service health dashboard and said by late Tuesday that recovery efforts at the UAE facilities were making progress.

Limited Disruption — By Design

Unlike previous AWS outages caused by software failures that cascaded globally, the physical attacks resulted in localized and limited disruption — a testament to AWS's distributed architecture. Amazon advised affected customers to migrate workloads to other regions and redirect traffic away from UAE and Bahrain.

AWS operates data centers clustered in 39 geographic regions worldwide, with three in the Middle East covering the UAE, Bahrain, and Israel. Each region contains at least three availability zones, physically separated but interconnected by ultra-low-latency networks within 100 kilometers of each other.

The redundancy held — other data centers within the same zones absorbed the workload. However, experts warned that the loss of multiple facilities within a single availability zone could overwhelm remaining capacity.

Cloud Infrastructure as a Physical Target

The attacks expose a fundamental reality that the cybersecurity industry has largely treated as theoretical: cloud computing depends on physical facilities that are massive, difficult to conceal, and impossible to armor against military-grade weaponry.

AWS data centers maintain physical security measures — guards, fences, surveillance, access controls — but these are designed to prevent unauthorized entry, not defend against drone or missile strikes.

"Cloud computing isn't magical," said Mike Chapple, IT professor at the University of Notre Dame's Mendoza College of Business. "It still requires physical facilities on the ground, which are vulnerable to all sorts of disaster scenarios."

Regional Cloud Concentration Risk

The Middle East has seen rapid data center expansion as hyperscalers competed for government and enterprise customers across the Gulf states. That growth has now created a concentrated target set in an active conflict zone.

AWS hosts critical infrastructure for government departments, universities, and businesses worldwide. Organizations that selected Middle Eastern regions for data sovereignty, latency, or regulatory compliance now face a scenario no cloud risk assessment anticipated — their availability zones being physically destroyed in a military campaign.

Defender Recommendations

• Reassess regional cloud deployments — organizations with workloads in AWS Middle East regions (UAE, Bahrain, Israel) should immediately evaluate multi-region failover strategies
• Implement cross-region replication — ensure critical data and services can fail over to regions outside active conflict zones
• Update disaster recovery plans — most DR scenarios account for software failures, power outages, and natural disasters, not kinetic military strikes; update threat models accordingly
• Review data sovereignty constraints — organizations locked to Middle Eastern regions by regulation should engage legal counsel on emergency exemptions for workload migration during armed conflict
• Monitor AWS service health dashboards — track recovery progress and plan for potential secondary strikes that could impact the same regions
• Diversify cloud providers — organizations with single-provider concentration in affected regions should evaluate multi-cloud strategies to distribute physical risk