AWS Data Centers Hit by Drone Strikes in UAE and Bahrain — March 2026
Iranian drone attacks directly struck two Amazon Web Services facilities in the UAE and damaged a third in Bahrain — exposing the physical vulnerability of cloud infrastructure in conflict zones
Damaged
Directly Struck
Damaged
Duration
Affected (UAE)
- What Happened: Timeline of Events
- Damage Assessment: What AWS Confirmed
- Cloud Services and Businesses Affected
- Geopolitical Context: Why the Data Centers Were Hit
- AWS Response and Customer Guidance
- The Middle East Cloud Boom — Now Under Threat
- Cloud Infrastructure as a Target in Modern Warfare
- Lessons for Cloud Architects and Enterprises
- Recovery Status and What Comes Next
- Frequently Asked Questions
What Happened: Timeline of Events
In one of the most significant incidents of physical infrastructure warfare against cloud computing, Amazon Web Services (AWS) confirmed on March 3, 2026, that two of its data center facilities in the United Arab Emirates were directly struck by drones, and a third facility in Bahrain was damaged by a nearby strike. The attacks caused structural damage, power outages, fires, and water damage from fire suppression activities — taking multiple AWS availability zones offline for more than 24 hours.
Chronological Timeline
- Feb 28–Mar 1, 2026 — US-Israeli Operation Epic FuryJoint US and Israeli forces launched strikes on Iran, reportedly killing Supreme Leader Ayatollah Ali Khamenei. Iran declared a state of war and began retaliatory operations across the Gulf.
- Mar 1–2, 2026 — Iranian Drone and Missile Barrage BeginsIran launched waves of drones and ballistic missiles targeting US military bases, airports, ports, and civilian infrastructure across the UAE, Bahrain, Saudi Arabia, Kuwait and Jordan. Dubai International Airport, Jebel Ali Port, and the Burj Al Arab were among civilian targets hit or grazed.
- Mar 2, 2026 — 12:51 UTC — AWS Begins Investigating UAE OutageAWS posted on its Health Dashboard that it had begun investigating a disruption to availability zone mec1-az2 in the ME-CENTRAL-1 (UAE) region.
- Mar 2, 2026 — ~17:51 UTC — AWS Confirms Physical StrikeAWS revealed that the UAE facility was impacted by objects that struck the data center, creating sparks and fire. Local authorities cut power to the facility to contain the blaze.
- Mar 3, 2026 — AWS Confirms Drone Strikes on 3 FacilitiesAWS officially acknowledged that drones had "directly struck" two UAE facilities and that a third in Bahrain was damaged by a nearby strike. Structural damage, power disruption, fires and water damage were all confirmed.
- Mar 3, 2026 — Banking, Payments and App Outages SpreadCareem, Alaan, Hubpay, ADCB, Emirates NBD, and Snowflake all reported service disruptions tied to the AWS outage. Financial sector impacts were reported across the Gulf.
- Mar 4, 2026 — Recovery Ongoing, Migration RecommendedAWS posted that recovery was progressing across multiple workstreams but strongly urged all customers with Middle East workloads to migrate to alternate regions immediately.
Damage Assessment: What AWS Confirmed
The physical damage to the three AWS facilities represents an unprecedented attack on hyperscale cloud infrastructure during active armed conflict. AWS's official statements and health dashboard updates confirmed the following damage categories across the UAE and Bahrain sites:
| Location | AWS Region | Strike Type | Confirmed Damage | Status |
|---|---|---|---|---|
| UAE — Facility 1 | ME-CENTRAL-1 (mec1-az2) | Direct drone strike | Structural damage, power loss, fire, water damage | Offline — recovery ongoing |
| UAE — Facility 2 | ME-CENTRAL-1 | Direct drone strike | Structural damage, power disruption, fire suppression | Offline — recovery ongoing |
| Bahrain — Facility | ME-SOUTH-1 | Nearby drone explosion | Physical infrastructure impacts, power issues | Degraded — partial recovery |
The UAE facilities were hit by what intelligence sources and media have described as Iran's Shahed-136 type loitering munitions — low-cost, GPS-guided one-way attack drones that fly to a predetermined target. The UAE military intercepted 541 drones and 165 ballistic missiles over the two-day campaign, but 35 drones and 5 projectiles still got through, striking airports, Jebel Ali Port, the Burj Al Arab hotel facade, and the AWS data centers.
Cloud Services and Businesses Affected
The AWS outage in ME-CENTRAL-1 (UAE) and ME-SOUTH-1 (Bahrain) had immediate cascading impacts across multiple sectors of the Gulf economy. The following AWS services experienced elevated error rates and degraded availability:
| AWS Service | Impact |
|---|---|
| Amazon EC2 | Elevated error rates and degraded virtual server availability in mec1-az2 |
| Amazon S3 | Degraded object storage availability in ME-CENTRAL-1 |
| Amazon DynamoDB | Elevated error rates and connectivity issues |
| AWS RDS | Database service disruptions across the region |
| Amazon VPC / Networking | Connectivity issues affecting inter-region and internet routing |
Businesses and Services Reporting Outages
- Careem — UAE's dominant ride-hailing and delivery platform reported full outage of mobile and web apps
- Alaan — Corporate payments platform confirmed "critical AWS outage caused by the ongoing regional situation"
- Hubpay — Digital payments provider reported service disruptions
- ADCB (Abu Dhabi Commercial Bank) — Mobile banking app and Contact Centre services temporarily unavailable
- Emirates NBD — Phone banking services impacted; online services restored by Tuesday
- Snowflake — Enterprise data platform reported "elevated connectivity issues and error rates within the region"
- Multiple e-commerce platforms, logistics operators and government digital services also reported degraded connectivity
Geopolitical Context: Why the Data Centers Were Hit
The AWS data center strikes were not a deliberate cyber or infrastructure warfare operation specifically targeting Amazon — they were collateral damage from Iran's broad retaliatory campaign across the Gulf following Operation Epic Fury, the joint US-Israeli strike on Iran that killed Supreme Leader Ayatollah Ali Khamenei on February 28, 2026.
The Broader Regional Conflict
Iran's retaliatory campaign targeted US military assets, ports, airports and civilian infrastructure across six Gulf states: UAE, Bahrain, Saudi Arabia, Kuwait, Jordan and Israel. The UAE and Bahrain were primary targets due to hosting significant US military infrastructure and being part of the Abraham Accords coalition. Major physical impacts in the UAE included:
- Dubai International Airport (DXB) — concourse sustained minor damage, airspace closed
- Jebel Ali Port — fire at one berth from intercepted drone debris
- Burj Al Arab hotel — minor fire on outer facade from intercepted drone
- Etihad Towers, Abu Dhabi — debris from intercepted drone struck the building
- Zayed International Airport — drone interception caused one fatality
- AWS Data Centers (mec1-az2) — directly struck, causing fires and outages
The Pax Silica Dimension
The data center strikes exposed a critical strategic blind spot in the Gulf's AI infrastructure ambitions. The January 2026 Pax Silica initiative — under which the Trump administration approved up to 500,000 Nvidia processors annually for the UAE and Saudi Arabia in exchange for cutting ties with Huawei — was designed to keep advanced AI chips away from China. The entire security framework was built around supply chain control and political alignment, not around protecting physical buildings from missiles and drones.
As Ali Bakir, an assistant professor of international affairs at Qatar University, noted: the physical security of strategic digital infrastructure was assumed to fall under broader national defense, without ever being treated as a distinct vulnerability. That assumption has now been proven dangerously wrong.
AWS Response and Customer Guidance
AWS responded rapidly with Health Dashboard updates, customer communications and a public statement. The company's key actions and guidance included the following:
Official Guidance to AWS Customers
| Priority | Action | Detail |
|---|---|---|
| 🔴 Immediate | Back up all data | Use AWS Backup or S3 Cross-Region Replication to replicate data outside ME-CENTRAL-1 and ME-SOUTH-1 |
| 🔴 Immediate | Migrate critical workloads | Target regions: eu-west-1 (Ireland), eu-central-1 (Frankfurt), ap-southeast-1 (Singapore) or us-east-1 |
| 🟠 Short-term | Update DNS / traffic routing | Use Route 53 health checks and latency-based routing to redirect traffic away from affected AZs |
| 🟠 Short-term | Review disaster recovery plans | Ensure RPO/RTO targets account for multi-region scenarios, not just multi-AZ within a single region |
| 🟡 Planning | Consider multi-cloud or geo-redundant design | For conflict-zone deployments, design for full region loss, not just AZ failure |
Amazon also instructed all corporate employees in the Middle East to work remotely and closed its UAE offices temporarily. Nvidia similarly closed its Dubai offices, with CEO Jensen Huang sending an all-staff memo confirming the crisis management team was supporting affected employees.
The Middle East Cloud Boom — Now Under Threat
Over the past decade, the Middle East — particularly the UAE and Saudi Arabia — had emerged as one of the fastest-growing cloud and AI infrastructure markets in the world. The region had sold itself as a stable, politically neutral gateway for global data, offering a combination of sovereign cloud commitments, massive capital investment and strategic geography between Europe, Asia and Africa.
The Scale of Cloud Investment in the Region
- AWS operates three Middle East regions: ME-CENTRAL-1 (UAE), ME-SOUTH-1 (Bahrain), and an Israel region
- Microsoft Azure, Google Cloud, and Oracle all operate facilities in nations now under bombardment
- According to DataCenterMap, there are approximately 326 data centers across the Middle East, concentrated in Israel, Saudi Arabia and the UAE
- Bahrain had migrated around 85% of government data to AWS Bahrain Region since 2019
- AWS UAE data centers hosted workloads for government, financial and logistics sectors
- The UAE's G42 — Abu Dhabi's AI holding company — had partnered with Microsoft and cut ties with Huawei as part of US-aligned AI deals
The strikes have fundamentally changed the risk calculus for cloud deployments in the region. As Rest of World's analysis noted: the region sold itself as a safe harbor for the world's data — that pitch has now been severely undermined.
Cloud Infrastructure as a Target in Modern Warfare
The AWS data center strikes mark a historic inflection point: for the first time, hyperscale commercial cloud infrastructure has been physically destroyed during an active armed conflict. This has profound implications for how enterprises, governments and cloud providers think about infrastructure resilience in geopolitically unstable regions.
The Asymmetry Problem
The fundamental challenge is economic asymmetry: it is cheaper to attack than to defend. Iran's Shahed-136 drones cost approximately $20,000–$50,000 each. Intercepting one with a THAAD or Patriot PAC-3 missile costs $2–$4 million per shot. A data center representing hundreds of millions of dollars of investment can be disabled with a single $20,000 drone that slips through an interception net.
Multi-AZ Redundancy Is Not Enough
AWS's architecture is designed around multi-Availability Zone redundancy — losing one AZ should be absorbed seamlessly. However, as Mike Chapple of Notre Dame's Mendoza College of Business noted, the loss of multiple data centers within an availability zone removes the capacity buffer that makes automatic failover work. When two AZs in the same region are struck simultaneously, the remaining capacity may simply be insufficient to absorb all regional workloads.
| Scenario | AWS Design Assumption | Conflict Zone Reality |
|---|---|---|
| Single AZ failure | Absorbed by other AZs in region ✅ | Works — if only one AZ is struck |
| Multiple AZ failure | Not expected from single event ⚠️ | Both UAE AZs struck simultaneously |
| Power cut by authorities | Generators maintain operations ✅ | Authority-imposed cutoff overrides generators |
| Full region outage | Customers migrate to other regions ✅ | Migration takes hours/days — data at risk |
| Physical structural damage | Hardware replacement, rebuild | Weeks/months for full structural repair |
Strategic Vulnerabilities
Sean Gorman, CEO of Zephr.xyz and US Air Force contractor, highlighted a deeper strategic risk: the Middle East hosts critical undersea cable landing stations and fiber interconnects. Accidental transoceanic fiber cuts in the region have historically been highly disruptive, cutting off entire countries from the internet. A deliberate, sustained infrastructure attack — targeting both data centers and fiber infrastructure simultaneously — could seriously impair digital capacity across the entire region.
Lessons for Cloud Architects and Enterprises
The AWS Middle East outage provides a stark real-world lesson in the limits of conventional cloud disaster recovery planning. For organisations operating in or dependent on cloud services in geopolitically volatile regions, the following architectural and operational principles have become more urgent than ever.
Architecture Recommendations
- Design for full region loss, not just AZ failure — use active-active multi-region architecture for critical workloads, with health checks and automated DNS failover
- Continuous cross-region data replication — S3 Cross-Region Replication, DynamoDB Global Tables, and RDS read replicas in a non-Middle East region should be the baseline for any Gulf deployment
- RPO/RTO assumptions must account for region-level events — if your DR plan assumes multi-AZ recovery within a region, it will fail when the entire region goes dark
- Multi-cloud for geopolitical risk — consider distributing critical workloads across AWS, Azure and GCP so that a single-provider region failure does not take down your entire service
- Avoid single-region government data lock-in — Bahrain's 85% government data migration to a single AWS region proved extremely risky
Operational Recommendations
- Subscribe to and monitor the AWS Health Dashboard and Personal Health Dashboard for real-time region status
- Maintain pre-approved runbooks for emergency region migration that can be executed within hours, not days
- Conduct regular DR drills that simulate full region unavailability — not just AZ failover
- Engage your cloud provider's Enterprise Support for guidance on conflict-zone resilience architecture
- Consider sovereign cloud or on-premises backup for the most sensitive government and financial data
Recovery Status and What Comes Next
As of March 4, 2026, AWS was reporting progress across multiple recovery workstreams but had not announced a full restoration timeline. Key updates:
- AWS posted at 8:14 a.m. PST on March 3: "We continue to make progress on recovery efforts across multiple workstreams."
- Data access and service availability can be partially restored without the physical facilities being fully rebuilt
- AWS was routing traffic to surviving UAE AZs and leveraging its global backbone to reduce impact
- Full structural repair of the physically damaged buildings is expected to take weeks to months
- AWS strongly reiterated its recommendation for all Middle East customers to migrate workloads to alternate regions now
- Nvidia and Amazon closed their UAE offices; Google asked staff to follow local authority guidance
- UAE stock markets reopened on March 4 after a two-day closure, with the Dubai benchmark index falling 4.7% — its worst day since May 2022
Frequently Asked Questions
Yes. AWS confirmed that two of its data center facilities in the UAE (ME-CENTRAL-1, mec1-az2) were directly struck by drones on March 2, 2026, and a third facility in Bahrain (ME-SOUTH-1) was damaged by a nearby drone strike. Structural damage, power disruption, fires and water damage from fire suppression were all confirmed.
Amazon EC2, S3, DynamoDB, RDS and VPC networking in ME-CENTRAL-1 all experienced elevated error rates and degraded availability. Consumer apps (Careem, Alaan, Hubpay), banking providers (ADCB, Emirates NBD) and enterprise platforms (Snowflake) reported outages.
AWS strongly recommends: (1) immediately back up all data using cross-region replication, (2) migrate critical workloads to alternate AWS regions such as eu-west-1, eu-central-1 or ap-southeast-1, (3) update DNS and traffic routing to bypass ME-CENTRAL-1 and ME-SOUTH-1, and (4) review DR runbooks to ensure they cover full-region unavailability.
The AWS data centers appear to have been collateral damage from Iran's broad retaliatory drone and missile campaign against UAE infrastructure following the joint US-Israeli Operation Epic Fury, which killed Supreme Leader Khamenei on February 28, 2026. The data centers were not a deliberate specific target — they were caught in the crossfire of widespread strikes on the UAE.
Partially. Single-AZ loss is designed to be absorbed seamlessly. However, two UAE AZs were struck simultaneously and local authorities imposed a power cut across the broader facility cluster, removing the capacity buffer needed for automatic failover. Multi-region architecture — not just multi-AZ within a single region — is required to survive a conflict-zone scenario like this one.
Yes. Microsoft Azure, Google Cloud and Oracle all operate data center facilities in the UAE, Bahrain and Israel — all nations that have been targeted in the current conflict. DataCenterMap lists approximately 326 data centers across the Middle East. AWS was the first hyperscaler confirmed to be directly struck, but the broader cloud infrastructure footprint in the region faces the same physical risk.
