Iranian drone and missile strikes on Amazon Web Services data center infrastructure in Bahrain have now occurred on at least four separate occasions. A fourth strike hit an AWS facility in Bahrain on April 1, according to the Financial Times. Bahrain's Ministry of Interior confirmed a fire at the site without naming the operator. Amazon declined to comment on the specific strike, directing media to earlier statements.
These are the first instances in recorded history of a nation-state deliberately targeting commercial cloud data center infrastructure in an active military conflict. They will not be the last.
March 1, 2026: Two AWS data centers struck in UAE. March 1: A third commercial data center in Bahrain hit. March 31: Iran announces expanded target list. April 1: AWS Bahrain struck a fourth time. April 2: Iran claims strike on Oracle data center in Dubai. Iranian state media named Microsoft, Google, Apple, Meta, HP, Tesla, Nvidia, Oracle, Boeing, IBM, and Cisco as additional targets.
Iran's Islamic Revolutionary Guard Corps has framed the strikes as targeting infrastructure that supports US and Israeli military and intelligence operations. Researchers at Just Security noted in March that US law requires government and military cloud data to be stored within the US or on Department of Defense bases — meaning the Persian Gulf AWS and Oracle facilities are almost certainly running commercial workloads, not classified government systems.
That distinction may matter less than Iran's stated rationale. The IRGC has labeled major tech company data centers "enemy technology infrastructure." Whether or not the specific buildings hit contain US military data, the symbolism of disrupting American cloud infrastructure in the Gulf is the point. The UAE strikes caused significant disruption to local banking systems. That is not an accidental side effect — it is the mechanism.
Commercial data centers are large, relatively fragile structures with known locations. They have cooling towers, CDUs, and heat rejection equipment on the exterior of the building. They are not hardened facilities. They were designed for uptime against power outages and hardware failures, not against Shahed drone strikes.
The buildings that absorbed these strikes were not edge nodes or temporary deployments. They were production AWS regions — critical infrastructure with immense cooling loads and no redundancy path that can compensate for physical destruction of the facility itself. Failover to another region works for software. It does not rebuild a cooling plant.
Every hyperscaler and large colocation operator with Middle East presence is now running a different kind of risk analysis. Not just power availability. Not just water access. Physical security from nation-state military action is now a site selection variable.
The implications reach beyond the Gulf. Data centers are distributed but not evenly distributed. Northern Virginia, Phoenix, Dublin, Singapore — the concentration of compute in a small number of geographic markets creates the same targeting logic that Iran applied to Bahrain, just in different geopolitical contexts. Operators who assumed physical security was someone else's problem are reconsidering that assumption at the board level.
The cooling industry builds infrastructure for the sites operators choose. If site selection criteria now include hardening requirements, standoff distances, and redundancy against kinetic attack, the physical design of data centers — and the thermal management systems embedded in them — will reflect that. The conversation has started.