Key Takeaways
- Amazon Web Services (AWS) data centers were struck because of their perceived associations with the US military infrastructure. Iranian security forces most likely finalized the strike decision using information collected through open-source records.
- Every American data center carrying a similar association inherits the same targeting logic. Non-commercial entities with perceived associations will become legitimate targets in conflict. Azure's G42 joint venture and Saudi Arabia's concentrated investment corridor face the highest residual exposure.
- Regional clustering of data center infrastructure produces severe concentration risk. Drone swarms do not require precision. Shared power grids and cooling infrastructure extend the attack surface well beyond the facility perimeter.
- Almost no commercial data center in the Middle East carries independent C-UAS. A layered on-site architecture combining directed energy weapons, RF jamming, and autonomous interceptor systems is the optimal solution currently.
- In any future US-China conflict, particularly concerning Taiwan, commercial data centers will likely become legitimate targets. Physical security of digital infrastructure will take priority in national security strategies in the near term.
Drones are Redefining National Infrastructure Security
Iran's drone strikes on AWS data centers have exposed a dangerous gap in Critical National Infrastructure (CNI) protection. Commercial facilities can be targeted based on their perceived identity, rather than operational function, and almost none carry independent kinetic protection calibrated for unmanned threats.
Over the past 2 weeks, Iran launched swarms of Shahed-136 loitering munitions and Hadid-110 jet-powered drones targeting three AWS facilities across the UAE and Bahrain. Two out of three AWS availability zones in the UAE suffered direct structural damage from projectile strikes. The Bahrain facility avoided a direct hit, but a drone strike on a nearby power grid caused collateral disruption severe enough to suspend operations.
Secondary damage from fire suppression systems compounded material losses, underscoring the vulnerability of the AI physical stack against such kinetic threats.
Recovery efforts project a completion timeline of approximately four weeks from the strikes. Data loss at impacted sites has been limited, estimated between 0.3% and 0.5%, as AWS migrated workloads to substitute regional facilities to meet demand pressures. The immediate risk now sits with those substitute sites.
If they are struck before primary facilities recover, the impact calculus changes fundamentally. The recent Iranian military announcement designating all American and Israeli banks in the region as legitimate targets, many of which rely on these data centers for services, makes that scenario operationally plausible.
This was not a one-sided escalation. US and Israeli strikes destroyed at least two data centers in Tehran, one directly connected to the IRGC. Both sides have now struck each other's digital infrastructure. The mutual legitimization of data centers as wartime targets is an established bilateral precedent, with direct implications for future conflicts.
The New Targeting Logic: Identity-Based Hits
An emerging method of target selection governed the drone strikes on data centers. The perception of dual-identity entities, whose services cut across commercial and government sectors, determined their target value. Iran targeted AWS facilities based on their perceived use by the US military, not their confirmed operational function.
Iran targeted AWS facilities based on their perceived use by the US military, not their confirmed operational function.
AWS denied providing military and intelligence support in the current operations. That denial carried limited weight. Iranian state media pointed out the AWS data center’s proximity to the US Navy’s Fifth Fleet military base in Bahrain as evidence of their military role and justification for their targeting.
| Operator Origin | Active Locations (MENA) | US Gov / Military Exposure | Threat Exposure |
|---|---|---|---|
| AWS USA | UAE (struck), Bahrain (struck), Saudi Arabia (planned, $5.3bn) | High — NSA, CIA, DoD, JWCC contracts | Critical — confirmed targeted |
| Stargate UAE (G42 / Khazna / OpenAI / Oracle) | UAE — Abu Dhabi (1GW cluster; 200MW phase 1 due Q3 2026) under construction | Very High — explicit US-UAE state AI partnership, OpenAI and Oracle operated | Critical — highest symbolic value of any asset |
| Microsoft Azure USA | UAE — Abu Dhabi + Dubai (June 2019), Saudi Arabia (planned) | Medium-High — JWCC partner, G42 sovereign cloud, $15.2bn UAE investment | Elevated — highest residual risk among US hyperscalers |
| Google Cloud USA | Saudi Arabia — Dammam (Nov 2023), Qatar — Doha | Medium — JWCC partner, PIF AI hub partnership | Elevated — identity liability inherited |
| Oracle Cloud USA | UAE — Abu Dhabi + Dubai, Saudi Arabia — Jeddah + Riyadh, Neom (planned) | Medium — DoD contracts, Stargate UAE operator | Elevated — Stargate UAE association raises profile significantly |
| Equinix USA | UAE — Dubai (DX1, DX2, DX3) | Low-Medium — US-HQ colocation, internet exchange host | Moderate — US-origin identity, no confirmed military contracts |
| Alibaba Cloud China | UAE — Dubai (x2; first 2016, second Oct 2025) | None | Low-Moderate — collateral risk under saturation conditions |
| Huawei Cloud China | Saudi Arabia — Riyadh (1 region, 3 availability zones, STC/Center3) | None | Low — diplomatic protection, fragile under mosaic defense |
| Tencent Cloud China | Saudi Arabia — Riyadh (2 availability zones, launched early 2025) | None | Low — nascent presence, minimal profile |
AWS's established identity as America's foremost military cloud provider, built through publicly documented contracts with the NSA, CIA, and DoD, including Joint All-Domain Command and Control architecture, placed it on Iran's target list.
AWS’s target choice was likely assembled entirely from open-source intelligence, including visual corroboration using commercial satellite data from Chinese providers such as Beidou and Mizarvision. Similar use of open-source channels to fetch a target list for drone strikes has been observed in the Russia-Ukraine War since 2022.
This hypothesis also explains why Azure, Google Cloud, and Oracle sites were not struck first, despite all being Pentagon JWCC partners. We found that their Gulf footprint is younger and their military identity less prominent in the open-source record. A simple Google search on the identity of the largest cloud provider to the US military surfaces AWS’s name.
AWS’s target choice was likely assembled entirely from open-source intelligence, including visual corroboration using commercial satellite data from Chinese providers such as Beidou and Mizarvision.
It is plausible that Iranian combat units at lower ranks are using open-source intelligence to confirm the identity of their targets before making final strike decisions after their high command was killed in earlier joint strikes.
Based on this methodology, one asset specifically has a high risk of identity-based targeting. Microsoft Azure operates a sovereign cloud in the UAE through a partnership with G42, the anchor of the broader US-UAE AI infrastructure buildout, including the Stargate UAE campus. This infrastructure carries a dual identity: Emirati sovereign cloud on paper and US-affiliated AI infrastructure in practice.
Proximity-based risks have been exacerbated by identity-based targeting for the Gulf states. Drone strikes on data centers were a direct message about the cost of that proximity to drone launching points. Saudi Arabia, which holds the highest concentration of planned hyperscaler investment in the region, including an AWS expansion valued at $5.3 billion, sits geographically closest to Iran’s and its proxies' drone strike range.
While the data facilities in Saudi Arabia have not been struck yet, the country remains the most consequential next-target geography if the conflict persists. Drone strikes in Riyadh and adjacent areas have adequately demonstrated Iranian capabilities to execute more lethal data center attacks.
The Intentional and The Incidental
While data centers catering to military needs are generally smaller, hardened, and concealed from public view, commercially categorized facilities without formalized military affiliations rely primarily on civilian law enforcement for physical security. They are easily identifiable from commercial satellite imagery and aerial reconnaissance. They are not hardened against kinetic attack. They are soft targets in an active conflict environment.
A Chinese facility struck by an errant drone in a saturation campaign creates a diplomatic and strategic crisis of an entirely different order.
Iran's Foreign Minister stated that Iran was targeting "the presence of the US" in Gulf countries, not the countries themselves. That establishes declared intent. Iran pursued a mosaic defense doctrine, with decentralized launch cells operating autonomously across the country, designed for operational resilience against counter-strikes. This architecture prioritizes survivability over precision.
In a campaign where 400 ballistic missiles and nearly 1,000 drones were launched across all GCC states within 24 hours, individual targeting decisions were nodes within a broader saturation wave. Under these conditions, precision exclusions, such as that of Chinese assets, cannot be guaranteed.
Alibaba Cloud operates two data centers in Dubai. Huawei Cloud runs four facilities in Saudi Arabia. Neither was struck. Iran has clear diplomatic incentives to avoid hitting Chinese infrastructure, given Beijing's strategic importance to Tehran. Incentive, however, is not the same as operational guarantee.
A Chinese facility struck by an errant drone in a saturation campaign creates a diplomatic and strategic crisis of an entirely different order, forcing Beijing to publicly confront a dual-use infrastructure exposure it has not had to formally address before.
The Cost of Asymmetric Infrastructure Warfare
The economics of these strikes define the strategic logic Iran is actively operationalizing. A Shahed-136 costs between $20,000 and $50,000. The interceptors deployed against them cost between $3 million and $12 million per unit. The UAE intercepted 541 drones and 165 ballistic missiles across the wider campaign, with 35 drones and 5 projectiles still penetrating defenses, striking airports, Jebel Ali Port, and AWS facilities.
The arithmetic is strategically significant: Iran spent comparatively little to force interceptor expenditures in the billions, while still achieving infrastructure damage. Data centers representing billions in capital investment were damaged by weapons costing less than a mid-range commercial vehicle.
This asymmetry is not incidental to Iran's doctrine. It is the doctrine. The optics reinforced the strategic message to Gulf leaders: a small number of inexpensive drones can visibly damage the AI infrastructure underpinning their most consequential economic diversification programs.
The signal carried as much weight as the structural damage itself. Downstream impacts confirmed the point. Banking services and consumer digital applications were disrupted until AWS migrated workloads to substitute facilities. In terms of impact speed, depth, and breadth, the strikes demonstrated how physical security vulnerabilities in the AI compute stack can cascade across dependent service networks almost instantaneously.
Swarm Attacks Exploit Concentration Risk
The 2019 Aramco attack provided a clear signal of how unmanned systems would upend the infrastructure risk calculus in the region. That signal was noted and largely set aside in favor of scaling compute for the AI economy. Energy prices are low in the Middle East. Regulations are accommodating. Clustering data centers in the Gulf made economic sense. From a security standpoint, that clustering produces severe concentration risk.
Drone swarms do not optimize for precision. Their low-altitude flight trajectory evades traditional radars calibrated for missiles and conventional airborne threats. When swarms are detected, high-volume attacks deliberately split radar coverage, engineering interception gaps. Quantity maximizes hit probability across large surface areas.
Data center campuses clustered near shared power grids and cooling infrastructure create single-point failure conditions. The efficiency gains from proximity do not justify the risk concentration they generate in active conflict or intermittent hybrid attack scenarios. The Bahrain strike pattern illustrated this directly: the target was the power infrastructure feeding the facility, not the facility itself. The operational disruption was equivalent.
The striking party also learns. Iran likely assessed which drone combinations achieved the highest air defense penetration rates, how quickly response and recovery operations mobilized, and what scope of disruption each target type generated. Those data points are being incorporated into future planning by Iran and by others watching this conflict closely.
Physical Security Risks will Govern Future Decisions
When data becomes the primary resource of an AI-driven economy, the facilities that host and operate it become CNI by function, regardless of formal classification. The more an economy depends on its operation, the higher its value as an adversarial target. For Gulf states, these strikes will catalyze a formal reclassification of data centers as CNI, one that reflects AI economic priorities and the region's collective economic diversification agenda.
Most facilities currently rely on the host country's national air defense for airborne protection. When national systems are overwhelmed by a campaign involving 1,000 drones, that security cover fails at the facility level. The large surface area of data center campuses compounds this exposure, giving adversaries using non-precision saturation techniques a significant coverage advantage. Even successful interceptions carry secondary risk. Debris from destroyed drones poses direct damage and personnel safety hazards at the facility perimeter.
The large surface area of data center campuses compounds this exposure, giving adversaries using non-precision saturation techniques a significant coverage advantage.
A solution to these kinetic threats explored by a few is to build data centers underground in nuclear-hardened bunkers. This protection comes with a premium. Some estimates have reported that it costs more than $2,000 per square foot in the US to develop underground facilities. In the context of the Middle East, the prices may rise even further depending on the terrain.
It is not the money that prevents tech companies from building data centers underground. Operational concerns rule that decision. Cooling systems that reject massive amounts of heat, back-up generators requiring large ventilation shafts and essential network ingress points would still need a certain degree of above-ground exposure for optimal performance.
Supporting infrastructure, such as telecom towers and power grids channelling electricity and connectivity to these data centers are usually stationed above-ground. The Bahrain strike demonstrated precisely how adversaries can achieve equivalent operational disruption by targeting the supply chain of a facility rather than the structure itself.
The most important problem to solve for operators, owners, and local authorities functioning as first responders is the structural disconnect between legacy physical security strategies built for traditional threat profiles and the actual techniques threat actors are deploying in current and future kinetic operations.
Integrated and Independent C-UAS Is the Solution
The large footprint of data centers renders purely human-led protection architectures exploitable at scale. Unmanned threats require unmanned solutions to match their pace and impact. For data centers in the Middle East, that means either dedicated integration with state-level air defense systems, as implemented for Intel facilities in Israel, or independent on-site Counter-Unmanned Aerial Systems operating on top of national coverage.
Harden + geo-redundancy
The cost asymmetry argument makes independent C-UAS economically necessary. Intercepting $30,000 drones with $2-5 million PAC-3 or THAAD missiles is not a sustainable operational model. The cost-exchange ratio aggravates when adjusted for a couple of $150-$400 small tactical drones retrofitted with heavy explosives. Countering these threats demands a different air defense approach.
Layered C-UAS architectures built around Directed Energy Weapons (DEW), Radio Frequency (RF) and Electro-Optical (EO) jammers, physical netting, and autonomous interceptor drones will bridge these cost differentials. These measures are further calibrated for specific unmanned threat profiles that national air defense systems were not designed to address.
As demonstrated by Ukraine’s 2025 Spiderweb Operation, the threat of small tactical drones launched from within host country territory merits on-site detection and response capability independent of national systems. No single C-UAS technology makes a facility drone-proof. A layered approach combining active interception with passive detection and physical hardening is the solution in the near term.
South Korea has already mandated phased C-UAS installation across CNI sites, including data facilities and power grids, in direct response to evolving North Korean drone capabilities. While these measures will increase near-term costs of establishing and operating data centers, they will cost significantly less than the recovery, reputational, and cascading service disruption costs of the next strike.
What to Watch Next
Gulf states and Western partners will funnel significant resources into securing existing and future digital infrastructure. Unmanned components, including Unmanned Aerial Vehicles (UAVs) and Unmanned Ground Vehicles (UGVs) perimeter systems, autonomous detection networks, and on-site C-UAS, will transition from premium additions to baseline requirements for CNI-designated assets.
Political risk insurance for regional data center investment will rise. Unmanned threat exposure will be priced into major AI infrastructure deals well beyond the Middle East. Business exposure from cloud workloads routing through zones with credible unmanned threats will likely amplify data redundancy efforts.
Three forward-looking analytical threads define the broader horizon. Iran's identity-based targeting playbook is now an exportable doctrine with a live proof of concept. In any future conflict involving US-allied digital infrastructure, across the Indo-Pacific, the Baltics, or back in the Gulf, adversaries will apply the same targeting framework.
Operators managing critical data sites across the world should revise their risk models to account for unmanned threats that currently have no single solution and can only be countered through layered defense.
China's dual-use infrastructure exposure has been involuntarily surfaced by this conflict. Alibaba and Huawei avoided strikes this time, shielded by diplomatic logic rather than air defense capability. In a future scenario where swarm saturation renders precision exclusions operationally unguaranteed, Beijing must confront a version of the same vulnerability it would seek to exploit against US assets in a Taiwan contingency.
Chinese strategic planners watching Iran's operations are simultaneously watching their own Gulf facilities sit within the operational radius of a conflict they did not initiate.
Sources & References
[1] Al Jazeera. "Mapping US and Israeli attacks on Iran and Tehran's retaliatory strikes."
[2] CNBC. "Iran war: UAE drone strikes on AWS data centers."
[3] Semafor. "Data centers are caught in the crossfire of the Iran war."
[4] Arizton. "GCC Data Center Market - Investment Analysis & Growth Opportunities 2025-2030."
[5] TIME. "Trump is Rewriting How the U.S. Treats AI Chip Exports—and the Stakes Are Enormous."
[6] Jesse Marks. "What the Iran War Means for Gulf AI Ambitions."
[8] Financial Times. "Drone strike on Amazon data centres shows war is now fought in the cloud."
