Joseph Jarnecki and Noah Sylvia, analysts at the renowned British military research institute RUSI, examine the role of Iranian attacks on data centres in the Gulf.
Iranian Shahed drones struck two Amazon Web Services data centres in the United Arab Emirates before sunrise on 1 March. Debris from a related strike damaged a third AWS facility in Bahrain. The attacks produced disruptions to financial, enterprise and consumer digital services in the UAE and across the wider region. The incidents have prompted discussions on whether data centres should be classified as strategic assets and critical infrastructure.
Data centres support economic activity, societal functions and defence operations. Public cloud platforms host systems such as Ukraine’s Delta battlefield management platform, the US Maven Smart System developed by Palantir and hosted on AWS, and cloud-based AI tools used by Israel in Gaza operations. The 1 March attacks mark the first recorded use of kinetic weapons against public cloud infrastructure operated by a commercial provider. This development indicates that other actors may adopt similar tactics, requiring closer scrutiny of Iran’s objectives and the broader strategic effects.
Iran is assessed to have deliberately selected the targets. Its recent strikes in the Gulf have shown precision, and data centres represent large, identifiable objectives for the drones deployed. An Iranian news agency later published a list of legitimate targets approved by the Revolutionary Guard. The list included offices and infrastructure belonging to US technology companies such as AWS, Google, Microsoft, IBM, Oracle and Nvidia. The Guard stated that the purpose was to examine the facilities’ role in supporting adversary military and intelligence activities. Whether the order originated from senior leadership or a lower-level commander does not change the strategic significance of attacking infrastructure linked to US firms.
Three rationales explain the targeting. First, the strikes impose costs. Gulf states have allocated resources to attract American technology companies as part of economic diversification beyond petrochemicals. Favourable conditions, including inexpensive land and energy, have drawn operators such as AWS, Google, Microsoft, Nvidia and Oracle. The attacks undermine the Gulf’s image as a stable investment destination and may reduce future commitments valued in billions of dollars. Targeting US companies also affects stock-market performance and related economic priorities. Such actions align with Iran’s asymmetric deterrence approach, which applies pressure on US allies, consumes air-defence resources and creates economic strain.
Second, the strikes can affect or generate information on critical capabilities. Cloud providers deliver services to governments and armed forces. AWS and Google maintain contracts with the Israeli Defence Force, while the US Department of Defense operates a large Joint Warfighting Cloud Capability contract that includes AWS, Google, Microsoft and Oracle. Iran could not have held high confidence that the specific sites hosted military workloads. The primary effect was therefore signalling, with any degradation of capabilities as a secondary outcome.
Third, the strikes created direct disruption. Payment systems, banking services and consumer applications became unavailable, interrupting normal operations for individuals and businesses. This produced a psychological impact by bringing the realities of conflict into everyday life and demonstrating Iran’s reach. The rationales are not mutually exclusive and may combine to generate multiple effects.
Legal analysis highlights complexities. A data centre owned or operated exclusively for military purposes constitutes a lawful target. Facilities run by private hyperscale providers for civilian purposes are normally protected civilian infrastructure under the principle of distinction. The dual-use character of many installations complicates application of the rule. Militaries cannot reliably establish the extent of adversary use because providers do not disclose client lists or precise hosting locations, and workloads migrate across regions.
Any strike on dual-use infrastructure must also satisfy proportionality: the anticipated military advantage must outweigh expected civilian harm. Outages can extend beyond the immediate site to affect other critical systems through data loss and service interruptions. While the targeted facilities may have supported US or Israeli military workloads, the potential civilian consequences remain relevant. Previous US and Israeli actions against Iranian civilian infrastructure, including digital assets, provide context but do not alter the legal assessment of the 1 March strikes.
The events also test arguments for cloud sovereignty achieved through localisation. AWS advised customers to relocate workloads to data-centre regions outside the conflict zone. This approach underscores the resilience offered by global hyperscale networks, consistent with Ukraine’s maintenance of digital public services during kinetic attacks and Estonia’s data-embassy model. At the same time, deliberate targeting of US technology companies alters the risk profile of relying on such infrastructure for national resilience. It raises questions about the flexibility of legal regimes to accommodate global workload migration and about governments’ preparedness to host foreign-operated data centres that serve other nations’ critical needs.
Many governments lack granular visibility into which critical services depend on specific hyperscale providers and where the physical infrastructure is located. This shortfall constitutes a governance issue as much as a technical one. Closing the gap requires treating detailed mapping as a strategic priority. Policymakers must also consider whether to require physical protection for foreign-owned data centres on national territory and what obligations the operating companies should assume.
The strikes warrant careful assessment rather than rushed conclusions. The underlying factors driving data-centre expansion in the Gulf—low energy costs, sovereign investment and geographic positioning between major markets—have not changed. Regulations in the European Union, the United Kingdom and the United States already designate data centres as critical or essential infrastructure, and comparable measures are likely to spread. The 1 March events have added weight to an established debate on whether cloud infrastructure can continue to function solely as a commercial utility or must be governed as a strategic asset situated at the intersection of economic power and armed conflict.
Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via Mail: jakob.jung@security-storage-und-channel-germany.de