Iranian Attacks on the Amazon Data Centers: A Legal Analysis

•March 12, 2026

Just Security•Mar 12, 2026

Key Takeaways

•Iran used Shahed drones against UAE and Bahrain AWS sites.
•Data centers may qualify as military objectives under LOAC.
•Redundancy limits military advantage but still impacts operations.
•US defense contracts tie AWS to joint warfighting cloud capability.
•Uncertainty over civilian status triggers proportionality and precaution obligations.

Summary

Iran launched Shahed‑136 drone strikes on Amazon Web Services data centers in the UAE on March 1 and a third site in Bahrain shortly after, causing fires, power outages and prolonged service disruption. The attacks occurred amid an international armed conflict triggered by Iran’s retaliation to U.S. and Israeli strikes on February 28. While Iran claims the facilities support enemy military intelligence, public evidence of direct military use remains limited. The incident raises complex questions under the law of armed conflict about whether civilian‑owned data centers can be deemed legitimate military objectives.

Pulse Analysis

The March drone strikes on Amazon’s Gulf data centers underscore a new frontier in modern warfare: the weaponisation of digital infrastructure. As nations increasingly rely on cloud services for everything from banking to emergency response, the physical destruction of these nodes can cripple civilian economies and military logistics alike. Iran’s justification—that the facilities support adversary intelligence—highlights the blurred line between commercial cloud platforms and strategic assets, especially when they host AI workloads that accelerate decision‑making on the battlefield. This convergence forces policymakers to consider whether existing targeting doctrines adequately protect civilian‑owned yet militarily useful infrastructure.

Under international humanitarian law, an object becomes a legitimate target only if it makes an effective contribution to military action and its neutralisation offers a definite military advantage. Data centers that store or process classified intelligence, support AI‑driven command systems, or host joint warfighting cloud contracts meet this threshold, even when owned by private firms. However, the law also imposes proportionality and precaution obligations; attackers must assess expected civilian harm against the concrete advantage gained. The Gulf attacks illustrate the difficulty of gathering reliable intelligence on a facility’s use before striking, raising the risk that presumed military benefits are outweighed by collateral damage to essential civilian services.

For cloud providers and their government clients, the incident signals an urgent need to diversify geographic redundancy, harden physical security, and clarify data‑hosting policies under conflict scenarios. Contracts like the U.S. Joint Warfighting Cloud Capability already bind Amazon to defense missions, but they also expose the company to heightened targeting risk. Enterprises should evaluate sovereign data‑localisation requirements, implement rapid fail‑over mechanisms, and engage with legal counsel on LOAC compliance. By proactively addressing these vulnerabilities, the industry can mitigate operational disruption while respecting the evolving legal landscape governing cyber‑physical targets.