Iran Actually Attacked AWS. Here's What Happened — and What It Means.

When I read about the undersea cable cuts in the Baltic Sea last year — ships dragging anchors, or so the official story goes — I started thinking about how fragile this whole thing actually is. The internet. The cloud. The infrastructure we just assume will always be there.

Then in March 2026, the question stopped being theoretical.

Before dawn on March 1, Iranian Shahed drones struck two AWS data centers in the UAE directly. A third facility in Bahrain was damaged. All three went offline. And then Iran struck Bahrain again on March 24, and then again on April 1. Four separate attacks in roughly three weeks, against the same cloud provider.

Nobody in the industry saw this coming — or at least nobody was talking about it seriously. Now we have to.

What actually happened

The first wave hit in the middle of the night on March 1. Iranian Shahed drones — the same low-cost loitering munitions used extensively in Ukraine — struck AWS-linked facilities in Abu Dhabi. Two direct hits. One nearby strike in Bahrain that caused structural damage, power disruption, and water damage from firefighting efforts.

Amazon confirmed the attacks publicly, which was itself notable. Companies don't usually announce that their data centers just got hit by drones. They did because the outages were visible — customers across the region started seeing failures immediately.

Careem, the UAE's dominant ride-hailing and delivery app, went down.

Alaan, a corporate payment platform used across the Gulf, experienced service disruptions.

Banking systems, enterprise software, and other digital services across the region were affected.

AWS told customers to migrate their workloads to alternate regions — and to keep them there.

Then it happened again. And again.

By April 1, Iranian state media was openly publishing threats against a list of American tech companies operating in the Middle East: Amazon, Microsoft, Google, Apple, Meta, Nvidia, Oracle, IBM, Cisco, Tesla, HP, Boeing. The message was explicit — these companies are legitimate targets because their infrastructure supports US and Israeli military operations.

This is the first time in history that a country has deliberately and repeatedly targeted commercial data centers during wartime. We are in genuinely new territory.

Why AWS? The military AI connection

Iran's justification, repeated across state media, was that AWS data centers were supporting US military and intelligence activities. That framing matters — and it's not entirely wrong, even if the specific claims can't be independently verified.

Here's the context that doesn't get discussed enough: the US military has been increasingly running AI systems on commercial cloud infrastructure. Specifically, the Pentagon has been using Anthropic's Claude — the same AI model I use to help write code and blog posts — for intelligence analysis and operational support. That compute runs on AWS.

So when Iran looks at an AWS data center in Bahrain and asks "is this military infrastructure?" — the answer is genuinely complicated. It's commercial infrastructure that also happens to underpin some military AI operations. That blurring of lines is new, and it's exactly what makes this situation so significant.

Researchers at Just Security pointed out that US regulations actually require cloud providers to store government and military data within the US or on DoD bases — moving it to Gulf-region data centers would need special authorization. Whether that happened is unclear. But Iran apparently decided not to wait for the answer.

The real-world damage so far

Let's be specific about what breaking meant in practice, because "elevated error rates" in an AWS health dashboard doesn't really capture it.

The affected AWS regions — Middle East (Bahrain) and parts of UAE — serve the Gulf's entire digital economy. Banking apps. Logistics platforms. Government digital services. SaaS tools used by thousands of businesses across Saudi Arabia, UAE, Kuwait, Qatar, Bahrain, and beyond.

The outages didn't bring the global internet down. But for businesses in the region that hadn't built multi-region redundancy — which is most of them — it was effectively a total blackout. Your app doesn't work. Your payments don't process. Your data is inaccessible until AWS gets the lights back on.

And "getting the lights back on" isn't trivial when your building has drone damage, fire suppression water soaking the hardware, and no clear timeline on when it's safe to bring systems back up.

The outage isn't just a technology problem. For every startup, every SMB, every business in the Gulf that was single-cloud on AWS — this was an existential event.

What the experts are saying

Sam Winter-Levy at the Carnegie Endowment for International Peace actually warned about this in a Washington Post opinion piece last July — months before the attacks. He wrote specifically about the risks of building critical compute infrastructure in the Gulf given rising US-Iran tensions.

His assessment after the attacks: physical strikes on data centers are only going to become more common as AI becomes more strategically significant. The more the world's critical decisions — financial, military, logistical — depend on compute, the more that compute becomes a target.

IDC, the intelligence firm, released a report saying the attacks will drive companies and cloud providers toward mandatory multi-AZ deployments in the Middle East — saving replicas of data in physically separate locations. Globally, they expect governments to start requiring data center providers to have formal recovery plans and multiple in-country facilities.

That's the industry quietly acknowledging it hadn't taken physical threat modeling seriously enough.

What this changes — and what it doesn't

What changes

The assumption that data centers are off-limits in conflict is gone. For years, there was an informal understanding — never written down, never enforced — that commercial digital infrastructure sat outside the scope of military targeting. That assumption is now dead.

Iran didn't just hit a data center. It hit the idea that the cloud is neutral. Every cloud provider with infrastructure in a geopolitically contested region now has to think about physical security in a way they simply didn't before.

The insurance and liability questions alone are going to reshape how cloud contracts are written. "Acts of war" exclusions exist in most enterprise agreements for a reason. But customers who lost days of access — and in some cases lost data — are going to push back hard.

What doesn't change

The fundamental architecture of how the internet works didn't break. AWS us-east-1 kept running. European regions kept running. The global internet didn't go dark. The attacks were regionally devastating but globally contained.

That's actually the design working. Geographic distribution of cloud infrastructure exists precisely for scenarios like this. The companies that had multi-region setups — replicating data and workloads across multiple AWS regions or across multiple cloud providers — came through this largely intact.

The ones who got hurt were the ones who hadn't done that. Which, honestly, is most of them.

What you should actually do about this

This isn't abstract anymore. If you're building on cloud infrastructure — any cloud — these are the questions you need to answer this week, not eventually.

Are you in a single region? If your entire stack lives in one AWS region, you have a single point of failure. Period. This is now a business continuity risk, not just an ops consideration.

Do you have automated failover? Not a DR plan in a Google Doc. Actual tested, automated failover that can move workloads to another region without someone having to manually do it at 3am while panicking.

Is your data replicated across regions? Backups in the same region as your primary data don't help if that region is offline. Cross-region replication needs to be real and verified.

Have you looked at multi-cloud? It adds complexity. It also means an attack on AWS doesn't take your business offline. That tradeoff looks different now than it did in February.

What's your communication plan? When your app is down and customers are asking what's happening, do you have a way to reach them that doesn't depend on the same infrastructure that just failed?

None of this is new advice. Engineers have been saying this for years. The difference is that now there's a very concrete, very recent example of what happens when you ignore it.

The bigger picture

Something shifted on March 1, 2026. Not just for AWS, and not just for the Middle East.

For the first time, a state actor deliberately targeted commercial data centers as part of a military campaign. Iran framed it as legitimate because the infrastructure was supporting military AI. Whether or not that specific claim is accurate, the framing itself is significant — it establishes a rationale that any state actor can now use.

The cloud has been militarized. Not in the sense that it's now military-run. In the sense that it is now considered a legitimate military target.

That changes the calculus for every company with cloud infrastructure in any region that sits adjacent to geopolitical tension. Which, when you look at the map of where AI and cloud investment is actually going — Southeast Asia, the Middle East, Eastern Europe — is a lot of regions.

I'm not saying don't build in these places. The economic opportunity is real and the infrastructure investment is necessary. I'm saying: build like the infrastructure can get hit. Because now we know it can.

The cloud isn't a magic abstraction. It's buildings, cables, power grids, and cooling systems — sitting in the middle of a world that occasionally decides to have wars.

I've been thinking a lot about how fast things can shift. The risks that look theoretical usually aren't — they're just risks that haven't materialized yet. Cloud infrastructure getting physically attacked in a war felt like a far-fetched scenario right up until it wasn't.

The lesson isn't "we should have seen this coming." It's that the gap between "sounds hypothetical" and "is actually happening" is a lot smaller than most of us assume. Always has been.

Build accordingly.

Co-founder, Manas AI — we build AI agents and automation for startups and SMBs.

manas-ai.com  ·  @hey.manasai

Sources: CNBC, Financial Times, Al Jazeera, Rest of World, The Conversation, Gizmodo, Arabian Business — April 2026