For years, conversations about digital infrastructure security have focused primarily on cybersecurity that entails protecting systems from hackers, malware, and data breaches. However, recent events in the Middle East have highlighted a different and often underestimated risk: physical attacks on the infrastructure that powers the cloud.

In early March 2026, three Amazon Web Services (AWS) data centres in the Gulf region were damaged by drone strikes linked to regional military conflict. Two facilities in the United Arab Emirates were directly hit, while another in Bahrain suffered damage from a nearby strike. The incidents caused structural damage, power disruption, and fires triggered by debris impact on the facilities. In some cases, fire-suppression systems activated, leading to additional water damage to  IT infrastructure. 

As a result, multiple AWS services were either degraded or disrupted while two availability zones in their Bahrain region were impaired. Several online services witnessed outages including financial services of First Abu Dhabi Bank, payments providers like Hubpay and Alaan and app-based cab services provider Careem.   

While global services largely continued operating due to redundancy in the AWS architecture, the event marked one of the first publicly confirmed instances of large commercial data centres being physically hit during a geopolitical conflict. The incident has triggered an important discussion in the technology and security communities: are modern data centres physically secure enough for an era where digital infrastructure is part of geopolitical conflict?

The term “cloud” often creates the illusion that computing resources exist in an abstract digital space. In reality, cloud services rely on massive physical facilities filled with servers, storage systems, networking equipment, cooling systems, and power infrastructure. Companies like AWS operate global networks of data centres organized into regions and availability zones, which are clusters of facilities, physically isolated with redundant power and networking infrastructure yet in turn connected by high-capacity, low-latency networks. This architecture is designed to maintain service continuity even if a single facility fails. However, the AWS Middle East attack demonstrated that physical disruptions can occur simultaneously across multiple facilities in a region, especially during large-scale conflicts or disasters. In the UAE case, multiple availability zones were affected, disrupting services and forcing customers to shift workloads to other regions. 

Historically, data centre physical security has been designed primarily to prevent unauthorized access or sabotage. Standard protections include: perimeter fencing and guarded access points, biometric authentication and access control systems, CCTV surveillance and intrusion detection, locked server racks and equipment cages and environmental protection systems (fire suppression, cooling, power redundancy). For the sake of completeness, in tropical conditions, the data centres even deploy rodent repellent systems. 

These measures are highly effective against intruders, theft, and insider threats. However, they are not designed to defend against military-grade threats such as drones, missiles, or coordinated sabotage during armed conflict. Experts point out that traditional data centre security measures, viz. guards, fences, and surveillance, are intended to stop intruders, not missile strikes or military attacks. As digital infrastructure becomes strategically important, data centres themselves may increasingly become targets in modern warfare.

Cloud infrastructure now underpins a vast range of essential services: banking and financial transactions, government services, digital identity systems, telecommunications networks, healthcare platforms, e-commerce and logistics systems and last but not the least, artificial intelligence and data analytics. The AWS facilities affected in the Gulf region host services used by governments, universities, and businesses across multiple industries. This means that an attack on a data centre is no longer just an IT issue; it can potentially disrupt national economies, critical services, and digital governance systems.

The Middle East incident highlights several important lessons for the global technology industry. It is imperative that geopolitical risk must be part of digital infrastructure development and disaster recovery planning. Data centres are increasingly located in strategic digital hubs such as the Gulf states, Singapore, and India. Infrastructure decision makers must now evaluate geopolitical stability and regional conflict risks when selecting locations.

Cloud providers already replicate data across multiple availability zones. However, the AWS incident demonstrates the importance of cross-regional redundancy, ensuring critical systems can fail over to different countries if necessary. This is easier said than done due the data localisation legislations in many countries and technical limitations such as latency in data access and replication. Future data centre facilities may require stronger structural resilience, including blast-resistant designs, underground server halls, or protective shielding in high-risk regions. As data centres become critical infrastructure, governments may increasingly treat them similarly to energy plants, airports, and telecommunications hubs, integrating them into national security and disaster-response frameworks. The industry may shift toward more distributed computing architectures, reducing the concentration of critical workloads in a few large facilities.

The attack on AWS infrastructure in the Middle East has emphasised a fundamental truth: the cloud is still physical. Servers sit in buildings. Buildings sit in cities or near them. They exist within geopolitical realities. As digital services become essential to modern economies, protecting the physical infrastructure of the internet will become just as important as defending against cyberattacks.

For cloud providers, governments, and enterprises alike, the lesson is clear: the future of digital resilience depends not only on software and encryption but also on how well we secure the physical foundations of the cloud.