March 2026 | Greymantle Risk Advisory
Key Takeaways#
- Iran’s IRGC struck AWS data centers in the UAE and Bahrain this month — the first confirmed kinetic attack on commercial cloud infrastructure; Amazon confirmed structural damage, disrupted power delivery, and fire suppression damage
- Iran’s stated rationale is that these facilities support U.S. and Israeli military operations; commercial cloud data centers explicitly host both civilian and military workloads in the same buildings
- 17 submarine cables run through the Red Sea; Iran has simultaneously closed the Strait of Hormuz — both global data corridors are active conflict zones at the same time
- Standard business interruption insurance excludes acts of war; most organizations haven’t checked whether cloud outages caused by military action are covered
- AWS has already told regional customers to migrate to alternate regions; IDC now recommends maintaining multiple facilities within a country at minimum
What Happened#
Earlier this month, Iran’s Islamic Revolutionary Guard Corps launched drone strikes against Amazon Web Services data centers in the United Arab Emirates and Bahrain. Amazon confirmed two facilities in the UAE took direct hits and a third in Bahrain was damaged by a nearby strike. The attacks caused, in Amazon’s own words, “structural damage, disrupted power delivery to our infrastructure, and in some cases required fire suppression activities that resulted in additional water damage.” Banking apps, enterprise platforms, and everyday cloud services across the region went dark.
Iran’s stated rationale: these facilities support U.S. and Israeli military operations. That framing matters. It signals a new doctrine in modern conflict: commercial cloud infrastructure is now a legitimate military target.
The implications extend well beyond the Middle East.
Why You Should Care#
You probably don’t have servers in Dubai. That’s not the point.
The data centers that power your cloud services, your SaaS applications, and your backups host commercial workloads and government or defense workloads in the same buildings. That dual-use reality is exactly what makes them targets. And the attacks in the UAE are, by expert consensus, the first of many. Sam Winter-Levy of the Carnegie Endowment for International Peace called the strikes “a harbinger of what’s to come” in the Financial Times, warning that similar attacks will not be limited to the Middle East.
There’s a second issue worth watching. Seventeen submarine cables run through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. Iran has closed the Strait of Hormuz. Houthi activity in the Red Sea is ongoing. Both corridors are now active conflict zones simultaneously. Doug Madory, director of internet analysis at Kentik, has said that closing both choke points at once “would be a globally disruptive event.”
What You Should Do#
1. Find out where your data actually lives. Ask your cloud provider which regions your workloads run in. If anything is sitting in a Middle East region, start a migration conversation now. AWS has already told its own customers in the region to move to alternate regions.
2. Check your redundancy. Is your critical data replicated across multiple geographic regions? A single-region deployment is a single point of failure in a way it simply wasn’t 30 days ago. IDC is now recommending that companies maintain multiple facilities within a country at minimum.
3. Test your business continuity plan, don’t just review it. When did you last actually restore from a backup? When did you last run a drill? More importantly: what happens if an entire cloud region goes offline? A large number of cloud services run exclusively out of AWS’s us-east-1 region in Virginia. Simulate that region going dark and see what breaks. Most organizations find out what they missed when a real incident hits. That’s the wrong time to find out.
4. Look at your insurance. Standard business interruption policies exclude acts of war. If your operations depend on cloud services, talk to your broker about whether you have a gap and ask specifically about war risk coverage.
5. Keep watching this. The legal and regulatory frameworks around cloud infrastructure in conflict zones are being written right now. This situation is moving fast.
Based on publicly available reporting as of March 21, 2026. For questions about your organization’s exposure, contact Greymantle Risk Advisory.
