The New Front Line: Data Centres as Targets in Modern Conflict

Bree Stewart

As conflict escalates across the Middle East, a new category of strategic target has emerged: the commercial data centre. The Iranian drone strikes on Amazon Web Services (AWS) facilities in the UAE and Bahrain in March 2026 represent the first confirmed military strikes against a U.S. cloud provider’s physical infrastructure. Further strikes on comparable infrastructure cannot be ruled out. This snapshot assesses the three primary risk vectors, the downstream consequences for dependent industries, and the strategic implications for corporate and government actors with regional exposure.

A New Battlefield: Data Infrastructure Under Fire

The expanding conflict across the Middle East is already disrupting supply chains, business continuity, and corporate operations. Less anticipated, and far less prepared for, has been the deliberate targeting of data centres as instruments of warfare. On 2 March 2026, Iranian drone strikes physically struck two AWS facilities in the United Arab Emirates, while a third in Bahrain was damaged by a drone detonating near the site. The strikes represent the first confirmed instance of military action physically impacting a major cloud provider’s infrastructure anywhere in the world.

Iran's state-affiliated Fars News Agency confirmed Iran’s deliberate targeting of these centres. These strikes highlight how commercial cloud infrastructure has now entered the theatre of state conflict. Iran cited the joint U.S.-Israeli Operation Epic Fury as justification for the strikes, illustrating how data centres may increasingly be treated as legitimate targets.

This development is consistent with the Gulf's rapid data centre expansion in recent years. The Middle East’s AI market, currently valued at USD 6.6 billion, is projected to reach USD 168 billion by 2034. Trillions of dollars in investment commitments, including the January 2026 Pax Silica initiative linking the UAE and Qatar into a U.S. led AI infrastructure coalition, have positioned the Gulf as a global hub for large-scale cloud computing. The security frameworks behind this deal was designed to strengthen supply chains for technologies and AI, particularly silicon and critical materials without the dependence on China. Physical attack on data centre infrastructure does not appear to have been incorporated as a primary risk scenario within the Pax Silica security framework at the time of agreement.

The Three Risk Vectors:

There are three distinct and compounding risk channels through which escalating Middle East conflict threatens data centre operations. Each is accelerating in severity.

Physical risk: Visibility as vulnerability

Data centres are, by design, large and highly visible installations. Their sheer scale, the size of warehouses, with cooling towers and power substations, renders them readily identifiable to military intelligence and drone operators. AWS clusters its regional operations in groups of at least three availability zones, each physically separated but connected by ultra-low-latency networks within a 60-mile radius. This clustering designed for resilience against natural disasters becomes a liability in a military strike scenario: multiple zones in the same region can be taken offline in a single coordinated wave.

The existing physical security architecture at commercial data centres, security guards, fencing, CCTV, and alarm systems were designed to deter intrusion but not withstand drone warfare. The March 2026 attacks exposed this gap. Two of the three UAE availability zones were significantly affected in the ME-CENTRAL-1 region, with recovery initially estimated at over 24 hours and prolonged due to the nature of the physical damage. This instability was likely to continue, making regional operations unpredictable.

The first known military strikes on a major cloud hyperscaler’s infrastructure have demonstrated that commercial data centres are not protected by the implicit deterrence afforded to civilian targets. They are legitimate military objectives.

Energy risk: Power as a pressure point

Armed conflict consistently degrades the energy infrastructure on which data centres depend. Even where a facility escapes direct physical attack, power disruption remains a high-probability threat. In Bahrain, the strike near the AWS facility caused immediate power loss, not because the building itself was struck, but because local authorities cut supply to the entire site to suppress fires. This highlights how safety-driven infrastructure shutdowns can prove as disruptive as direct strikes.

Conflict in the Gulf threatens oil and gas production and transportation infrastructure, creating cascading pressure on electricity grids across the region. Data centres consume extraordinary quantities of power: data centres consumed 415 terawatt-hours globally in 2024. These consumption figures are projected to rise substantially in the coming years. In an energy-constrained environment, even facilities not directly targeted may face rationing, brownouts, or forced shutdowns as national grids triage supply toward essential civilian and military uses.

Cyber risk: The parallel battlefield

Physical strikes are just one dimension of the threat landscape. Iran's offensive cyber capabilities have developed considerably in recent years, as documented by multiple Western intelligence assessments. Microsoft’s 2025 Digital Defence Report noted that the volume of Iranian state-linked cyber activity “remains consistently high.” Data centres are high-value targets  because they support commercial, governmental, and military data flows.

The combination of physical disruption and concurrent cyberattack means security teams are stretched when recovery processes are most vulnerable. Infrastructure operating in partial recovery mode means defence teams working to restore power and connectivity are more vulnerable to defend against sophisticated intrusion attempts. This combination of physical and cyber threat vectors is a defining characteristic of modern state-on-state conflict.

AWS and the Corporate Response: The Limits of Commercial Risk Mitigation

Amazon's operational response was swift. AWS advised all customers operating workloads in the Middle East to immediately back up data and migrate to alternate regions. A dozen core AWS services experienced elevated error rates and degraded availability across Bahrain and the UAE.

The downstream impact was immediate. In the UAE, the delivery platform Careem went offline. Payment services Alaan and Hubpay reported critical outages. Major UAE banks, Emirates NBD, Abu Dhabi Commercial Bank, First Abu Dhabi Bank, and Emirates Islamic all experienced disruptions to mobile banking applications and phone services. The enterprise data platform Snowflake reported connectivity failures. 

AWS has indicated it is expanding its geopolitical intelligence capabilities and physical security operations. While the company recognises the risks it faces, there are clear limits to what it can realistically do to prevent increasingly precise, state-sponsored attacks. The security frameworks surrounding Gulf data centre investments were designed around supply chain control and political alignment. Physical hardening against military-grade drone attacks is neither architecturally nor commercially straightforward.

The gap between risk awareness and risk mitigation capability represents a significant and under addressed challenge for the sector.

Downstream Industry Exposure

The consequences of data centre disruption is likely to extend beyond the Gulf. As cloud infrastructure has become the backbone of global commerce, the vulnerability of regional facilities is a global corporate risk. The industries most directly exposed include:

• Financial Services: Institutions dependent on cloud-hosted core banking systems, payment processing, and trading infrastructure face the most immediate and quantifiable exposure. The banking outages seen during the March 2026 attacks demonstrated that transient disruption carries reputational and operational cost.

• Logistics and Supply Chain: Operators using cloud-based tracking, routing, and inventory management systems are exposed to cascading delays when regional data infrastructure fails, exacerbating existing strain on physical supply chains caused by other ongoing conflicts in the region.

• Government and Public Sector: Government clients with workloads in commercial cloud infrastructure notably Bahrain, which had moved approximately 85 percent of government data to AWS face sovereign data security questions.

• AI and Technology: Companies using Gulf-based centres for model training, and data processing will face longer-term questions about the viability of the Gulf as a trusted AI infrastructure hub.

• Critical Infrastructure: Healthcare, energy, and critical national infrastructure operators increasingly dependent on cloud infrastructure for operational technology face the highest-severity scenarios if disruption extends beyond consumer services to operational systems.

Strategic Implications

What was previously a theoretical risk to commercial digital infrastructure has become a reality. Several strategic conclusions follow.

Multi-region replication will likely become a baseline operational requirement for any entity with meaningful Middle East cloud exposure. Cloud providers are likely to accelerate the implementation of multi-region redundancy and failover systems, with global companies and governments requiring in-depth risk and recovery plans. 

Physical security frameworks for data centres should also be revisited. Current security designed to deter individuals offers little protection against state-sponsored drone attacks. It's unclear who holds responsibility for protecting commercial infrastructure against military action in existing legal or contractual frameworks, and that ambiguity is itself a risk.

The Gulf's positioning as a global AI infrastructure hub has been materially undermined. The Pax Silica framework and associated commitments will likely be renegotiated to incorporate physical security considerations that were absent at the time of establishment.

More broadly, this conflict emphasises that civilian and commercial infrastructure have become targets in modern warfare because they encompass economic pressure, political signalling, and military strategy. For corporations with exposure to conflict-adjacent regions, the question should no longer be whether data centres are targets. The question is what that means for investment decisions, operational resilience, and long-term responsibility.