The character of warfare has evolved in tandem with the changing nature of military targets. In early March 2026, Iran bypassed traditional military targets and struck the physical part of the digital infrastructure at Amazon Web Services (AWS) data centres in the UAE and Bahrain. Until now data centres had been considered an unassuming target, as they did not house any military equipment or hardware. However, the US-Israel war on Iran, has transformed these billion dollar sites into high-value targets because of their ability to act as server farms on which adversaries’ websites, apps, AI systems and the entire digital infrastructure run.
Data centres are digital ecosystems where the delivery of cloud services depends on the integrity of physical infrastructure. Disruption in any one part of the shared infrastructure does not remain isolated and risks triggering widespread systemic failure. In the case at hand, Amazon operated multiple availability zones within each region in the United Arab Emirates and Bahrain. Iran struck two of the three availability zones in the UAE, while in Bahrain, a zone was damaged by drone debris causing an extended power outage and connectivity problems that further disrupted service across the Gulf. As a result of the damage to the data centres, thousands of critical platforms, such as banking and business systems, government tools, portals, intelligence platforms and AI workloads also got disrupted simultaneously and the outage continued to propagate because of the layered nature of the cloud architecture.
Iran’s strike on AWS has marked the onset of the weaponisation of the global internet architecture, following which any major cloud facility could now become a military target in the future. However, this is not going to be the sole challenge in the future of the evolving operational environment. When it comes to the targeting of data centres, there also remains a legal grey zone. International law and the Geneva conventions were written for a world of front lines and munition factories; data centre’s servers hosting defence contractors’ algorithms were not factored into the making of these laws and regulations. Moreover, the dual nature of the computing infrastructure also underscores the legal ambiguity surrounding the targeting of the data centres.
Although civilian infrastructure is protected under the Principle of Distinction in International Law, the military use of public cloud facilities muddies the water, making the data centres a legitimate target. In the same vein, the Principle of Proportionality prohibits attacks in which the anticipated secondary harm to citizens could be excessive relative to the military advantage expected. Given that targeting a data centre does not cause any direct damage to the lives of non-combatants, this principle does not account for the civilian harm that may still arise due to the potential outages and loss of data.
After the disruption in services, AWS customers were recommended by the company to transfer their workload outside of the conflict area to the region’s other data centres. This instance raised questions on the conflicting priorities of cloud resilience and localised cloud sovereignty. In this case, relocating workloads and creating global backups may ensure cloud resilience, but on the other hand, less control over the data makes it susceptible to breach, compromising cloud sovereignty.
Iran’s drone strike has also damaged the carefully cultivated reputation of the Gulf countries as a safe and neutral place for investment for US firms to meet their aim of economic diversification. In future, this could lead to the disincentivisation of global companies from investing and operating in the region, undercutting investment of billions. Since these tech companies drive the overall growth in the US stock market, targeting their data centres imposes costs not only on the host country but also on the US itself, denting President Trump’s economic agenda.
With data centres becoming military targets, states must come to terms with the grim reality that their national resilience planning has not kept pace with the speed of cloud adoption. There is limited understanding about which critical service depends on which part of the data centres’ hyper-scale infrastructure and where does that infrastructure reside physically. Since governments rely heavily on cloud systems, the lack of visibility and control over them will make it hard to manage risks in future. With cloud facilities evolving into new battlefields, governance and policy making must also evolve to attend to harder questions about whether and how governments should mandate physical protection for data centres on their territory.
Saba Abbasi is a Research Assistant at the Centre for Aerospace and Security Studies (CASS), Islamabad, Pakistan. The Aritcle was first published by The Friday Times. She can be reached at [email protected]

