AWS Suspends Middle East Billing as Drone Strikes Redefine Cloud Warfare
March attacks on UAE and Bahrain facilities expose hyperscale infrastructure as military targets, freezing $300 billion in regional investments.
Amazon Web Services suspended billing operations in the UAE and Bahrain on April 30 after drone strikes on March 1 caused structural damage to three data centers that will take months to repair, marking the first large-scale kinetic attack on hyperscale cloud infrastructure.
The strikes, claimed by Iran’s Islamic Revolutionary Guard Corps, critically impaired two of three availability zones in AWS’s ME-CENTRAL-1 region (UAE) and one zone in ME-SOUTH-1 (Bahrain), according to TechPolicy.Press. AWS confirmed structural damage, power disruption, fire, and water damage from suppression systems. Outages hit Abu Dhabi Commercial Bank, Emirates NBD, Snowflake, and ride-hailing platform Careem within 48 hours of the attacks.
The incident exposes a fundamental miscalculation in cloud architecture: facilities designed to survive weather events, not missiles. “Cloud architecture is built to survive bad weather, not war,” a Flashpoint analyst told Dark Reading. “A blackout is an easy fix, but a missile strike causes fires, collapsed roofs, and water damage from emergency sprinklers that permanently destroy the hardware.”
The Dual-Use Infrastructure Problem
The IRGC justified the strikes by citing the Data Centers’ role in supporting US military and intelligence networks. That assessment reflects operational reality: the US military used Anthropic’s Claude AI model—which runs on AWS—for intelligence assessments and target identification during Iran operations. When commercial platforms host defense workloads, they become legitimate military targets under emerging doctrine.
“If data centers become critical hubs for transiting military information, we can expect them to be increasingly targeted by both cyber and physical attacks,” Zachary Kallenborn, a researcher at King’s College London, told Fortune.
AWS CEO Matt Garman acknowledged the challenge in an April 7 statement. “It’s a really difficult situation, and we’re working incredibly hard,” he said, per CNBC. “We have teams, 24/7, working to make sure that we can keep our infrastructure up for our customers in that region.” No updated recovery timeline has been published since the April 30 billing suspension announcement.
“Physical attacks are only going to become more common moving forward as AI becomes more and more significant. Now suddenly, protecting data centers is like protecting top-security government offices.”
— Sam Winter-Levy, Fellow at the Carnegie Endowment for International Peace
Insurance Markets Reprice War Risk
The strikes introduced geopolitical exclusion review as a real underwriting concern for Gulf operators. War exclusion clauses—standard in cyber insurance policies—have never been invoked on a reported claim, but insurance industry observers told Hotaling Insurance Services that the AWS strikes may become the test case that changes precedent.
The Gulf market saw $21 billion in data center investment pledges in early 2025. The risk calculus for those facilities changed materially in March. If a cloud facility is disabled by a strike, regional courts are likely to view the event as foreseeable risk of operating in a conflict zone, according to legal analysis published by TechPolicy.Press. Without explicitly drafted military disruption clauses that shift financial risk onto clients, tech providers will be legally required to absorb upstream costs and refund customers entirely.
Regional Buildout Faces Reassessment
The conflict has jeopardized over $300 billion in planned Gulf spending on data centers and AI infrastructure, according to EnkiAI. The physical attacks have stalled the region’s positioning as a tech hub, forcing investors and operators including Microsoft and Blackstone to re-evaluate project viability.
AWS announced plans in 2024 to build a Saudi Arabia cloud region scheduled to launch in 2026. Microsoft constructed three data centers, also set to open this year, for availability zones in Saudi Arabia’s Eastern Province, per S&P Global. The UAE unveiled a 5-gigawatt AI campus that will become the largest outside the United States. These investments reflect energy reserves that fund infrastructure at scales other nations cannot match.
Despite the strikes, the UAE data center colocation market is forecast to reach $1.77 billion in 2026, growing at 27.5% annually, with expansion to $3.90 billion by 2030, according to market data released April 30 by Research and Markets. Whether those projections hold depends on how operators and insurers price the newly visible risk of weaponized infrastructure.
Hyperscalers expanded into the Middle East driven by sovereign data localization mandates, cheap energy, and strategic capital from Gulf wealth funds. The region’s importance grew as governments required domestic cloud storage for citizen data and positioned themselves as AI development hubs. The March strikes demonstrated that geographic diversification alone does not eliminate risk when facilities serve dual commercial and defense purposes.
What to Watch
AWS has not published updated recovery timelines since the April 30 billing suspension. Whether the company delivers zones back online in Q3 2026 or faces extended outages into 2027 will determine whether customers treat the incident as an anomaly or a structural shift requiring permanent workload migration.
Insurance markets have not yet adjudicated claims from the March strikes. The first settlement—or denial based on war exclusion clauses—will establish precedent for how conflict-zone infrastructure risk is priced across the hyperscale industry. Operators watching that outcome include Microsoft and Google, both with Gulf expansion plans.
Enterprise continuity planning now requires explicit threat modeling for kinetic attacks on Cloud Infrastructure. Companies hosting regulated workloads in regions with elevated geopolitical risk face board-level questions about whether sovereign data requirements justify exposure to facilities that state actors have demonstrated willingness to strike. The shift from cyber to kinetic warfare is forcing a fundamental rearchitecting of geographic deployment strategies that assumed no facility location was immune.