The Cloud Is a Target

01 — ContextThe Building That Was Everything

On March 1, 2026, at 4:30 in the morning Pacific time, a Shahed-136 drone punched through the roof of an Amazon Web Services data center in the UAE — and knocked offline banking systems, payment platforms, and government services across the UAE.

The building it struck was not a military installation. It was the backbone of civilian life in the Gulf. Bahrain adopted a Cloud First Policy in 2017, becoming the first country in the Middle East and Africa to mandate cloud over on-premise infrastructure. By 2019, approximately 85% of Bahrain's government data had migrated to AWS — 72 government entities, over 1,385 government services, 570 e-services. When AWS launched its Bahrain region, ME-SOUTH-1, it inherited a country.

The same corporate infrastructure served the Pentagon. In December 2022, the Department of Defense awarded the $9 billion Joint Warfighting Cloud Capability contract to AWS, Google, Microsoft, and Oracle, providing military cloud services at all classification levels. Data localization mandates in Gulf states required sensitive government and defense contractor data to be physically hosted within national borders — concentrating civilian and military workloads in the same facilities by regulatory design. AWS's own architecture made geographic separation impossible at a different level: Availability Zones must sit within 100 kilometers of each other to meet latency requirements. Performance demanded proximity. Proximity created a target.

Each decision made sense in isolation. A cloud-first policy modernized government services. A defense contract leveraged commercial scale. A localization mandate protected data sovereignty. An architecture constraint optimized speed. Together, they produced a building that was simultaneously a bank vault, a government filing cabinet, and a military nerve center — and no wire could be cut to separate one from the other.

02 — What HappenedThree Buildings, Two Countries, Sixty Services

Iranian Revolutionary Guard Corps drones struck three AWS facilities on March 1. Two data centers in the UAE were hit directly. A third, in Bahrain, was damaged by debris from a nearby strike. These were the first known military strikes on a hyperscale cloud provider's infrastructure.

The damage was physical. AWS stated: "These strikes have caused structural damage, disrupted power delivery to our infrastructure, and in some cases required fire suppression activities that resulted in additional water damage." At the struck UAE facility, mec1-az2, fire crews shut off power and generators to contain the blaze. Two of three Availability Zones in ME-CENTRAL-1 went offline — mec1-az2 and mec1-az3. The remaining zone, mec1-az1, experienced elevated API errors and instance launch failures. One Availability Zone in ME-SOUTH-1 (Bahrain) was impacted.

Over 60 AWS services went down — EC2, S3, RDS, Lambda, DynamoDB, EKS, Redshift, CloudWatch. The civilian cascade was immediate. Abu Dhabi Commercial Bank, Emirates NBD, and First Abu Dhabi Bank experienced outages. Payments platforms Hubpay and Alaan went offline. Careem, the ride-hailing and delivery service, was disrupted. As of March 12, eleven days after the strikes, several services in the affected regions remained unavailable.

On March 4, Iran's IRGC claimed responsibility. Fars News Agency stated the operations aimed "to identify the role of these centres in supporting the enemy's military and intelligence activities." Iranian state media justified the targeting by asserting the US military uses AI systems hosted on AWS — including Anthropic's Claude — for intelligence analysis and war simulations. On March 11, Iran's Tasnim news agency published a list of 29 technology facilities across four countries designated as "legitimate targets."

On March 24, AWS Bahrain was disrupted a second time by drone activity. Amazon did not confirm whether the facility was directly hit. The campaign was not a one-off.

03 — The MechanismThe Distinction That Cannot Be Drawn

Iran's justification rests on a factual claim that no public evidence supports. The IRGC asserted that the struck data centers hosted US military and intelligence AI systems. According to a legal analysis published by Just Security on March 16 — authored by Klaudia Klonowska of Sciences Po Paris and Michael Schmitt of the University of Reading, a leading authority on international humanitarian law — "there is no publicly available information" confirming whether the struck facilities hosted US military workloads. The legality of the strikes, they concluded, "remains indeterminate."

According to The Intercept, Anthropic's Claude was used within Palantir's Maven system in connection with US military operations against Iran. This is a single-source claim from an investigative outlet and has not been independently confirmed. Whether any such workloads ran on the specific AWS facilities that were struck is unknown.

The legal framework that governs this situation offers two clear paths. Under US and Israeli doctrine, as characterized by the Just Security analysis, once any military use exists within a facility, the entire object becomes a lawful military target. Under the ICRC position, if military use is uncertain, "the object must be considered to be civilian." The law assumes that the question can be answered — that a given building is either military or civilian, or that the military component can be isolated for proportionality analysis.

Data localization mandates made this convergence worse by requiring civilian and military workloads to co-locate within national borders — the regulatory structure actively prevented the separation that IHL assumes is possible.

The retaliation confirms the symmetry. According to Holistic Resilience, a nonprofit mapping airstrikes on Iran, the US and Israel struck at least two data centers in Tehran, including one reportedly used by the IRGC. No official US or Israeli confirmation has been issued. Both sides now treat data centers as military targets. The doctrine is bidirectional.

04 — ConsequenceWhat Broke

Insurance will not cover the damage. Standard commercial property and business interruption policies explicitly exclude acts of war. Under the 1923 Cuba Submarine Telegraph Company arbitration precedent, private-sector claims against state belligerents for infrastructure damage during armed conflict are unlikely to succeed. According to legal analyst Mahmoud Abuwasel, cloud providers will likely be "legally required to absorb upstream sunk costs and refund their clients entirely."

The market reaction was brief. Amazon shares dropped 1.6% to $204.99 in early trading after the strikes were confirmed, then rallied approximately 3%. The stock recovered. The banking customers did not. According to Euronews, the UAE data center market had been projected to more than double from $3.29 billion to $7.7 billion by 2031. That growth trajectory is now in question.

The expert consensus on what comes next is uniform. Sam Winter-Levy of the Carnegie Endowment for International Peace called the AWS strikes "a harbinger of what's to come," stating that physical attacks on data centers "are only going to become more common." Vincent Boulanin of the Stockholm International Peace Research Institute agreed: "It's very likely that data centres will be targeted in the future." Zachary Kallenborn of King's College London described data centers as critical "choke points" for military information and warned that "basically no one is thinking about these risks in a systematic way."

The policy proposals that have followed reveal the scale of the problem. Emily Harding, CSIS Director of Intelligence, National Security, and Technology, recommended the US "declare attacks on critical U.S. company assets as attacks on the United States." Chris McGuire, a former NSC technology policy official, suggested data centers may need to "guard against aerial attacks" — potentially including missile defense. These are not metaphors. The cloud was designed so that no one could tell whose data was whose. The same architecture that made it fast, cheap, and reliable made it impossible to separate the civilian from the military at the physical layer. International humanitarian law requires a distinction that the technology has made structurally impossible to draw. No one — not AWS, not the Pentagon, not the IHL scholars, not the IRGC — can answer whether a single rack in a shared data center is civilian or military. The law demands the answer. The architecture refuses to provide one.