Current Affairs Topics Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

Iran strikes AWS infra: Why data centres have become a strategic war target

March 03, 2026 5 min read Science & Technology Internal Security GS3 (Cybersecurity Critical Infrastructure Technology) GS2 (Governance National Security)
On This Page

What Happened

  • Iranian drone strikes in early March 2026 damaged two Amazon Web Services (AWS) data centre facilities in the UAE and one in Bahrain — the first known military strikes against a hyperscale cloud provider's physical infrastructure.
  • AWS confirmed structural damage, disrupted power delivery, and water damage from fire suppression systems at the struck facilities.
  • Consumer and enterprise services across the Gulf region went down, including payments companies, banking applications (ADCB, Emirates NBD), delivery platforms (Careem), and enterprise software providers (Snowflake).
  • Iranian state media said the Bahrain facility was targeted because of Amazon's support for US military cloud contracts — specifically JEDI and other defence contracts.
  • The strikes revealed how cloud concentration and physical infrastructure vulnerability can be weaponised as leverage in modern warfare.

Static Topic Bridges

Critical Information Infrastructure (CII) refers to computer resources whose incapacitation or destruction would have a debilitating effect on national security, economy, public health, or safety. Under Section 70 of the IT Act 2000, the government can designate any computer resource as Protected System, making unauthorised access a criminal offence. Section 70B establishes CERT-In as the national agency for cybersecurity incident response.

  • Section 70 IT Act: Central Government can designate any computer resource as a "Protected System" — access without authorisation is punishable with imprisonment up to 10 years.
  • National Critical Information Infrastructure Protection Centre (NCIIPC): established under Section 70A of the IT Act (2014); operates under NTRO (National Technical Research Organisation) to protect India's CII.
  • NCIIPC has identified 6 sectors as CII: Power & Energy, Banking/Finance/Insurance, Telecom, Transport, Government, and Strategic & Public Enterprises.
  • Data centres are not yet explicitly designated CII in India — the Iran attack on AWS creates a policy precedent for such designation.

Connection to this news: The Iran strikes demonstrate that physical data centre infrastructure is now a legitimate target in interstate conflict — forcing India to reconsider whether its major data centres (increasingly hosting defence and financial data) should be formally designated CII under Section 70A.

Cloud Policy and Data Sovereignty

India's cloud policy framework — the MeitY Cloud Policy and National Cloud Computing Policy — governs which categories of government data can be stored on which types of cloud infrastructure. The Iran-AWS attack raises acute questions about data sovereignty: when a foreign cloud provider's physical infrastructure is struck, who bears responsibility for data loss, and how does a nation secure its sovereign data?

  • MeitY Cloud Policy 2023 (GovCloud framework): classifies government data into three tiers — public, confidential, and secret. Secret/confidential data must be on government-operated or government-approved clouds.
  • NIC Cloud (National Informatics Centre): India's primary government cloud for hosting e-governance applications — separate from commercial hyperscalers.
  • AWS, Microsoft Azure, and Google Cloud all operate data centres in India (Mumbai, Pune, Hyderabad, Chennai regions) — and are seeking to host defence-adjacent workloads.
  • Data Localisation: DPDP Act 2023 and RBI requirements mandate that certain categories of sensitive personal and financial data be stored within India.
  • India's Digital Public Infrastructure (DPI) — Aadhaar, UPI, DigiYatra — runs on government-managed cloud, reducing (but not eliminating) hyperscaler dependency.

Connection to this news: The AWS strike in Bahrain is a case study for why India's push for data localisation and tiered cloud sovereignty makes strategic sense — foreign data centre facilities are physically vulnerable to geopolitical blowback in ways that domestically sited, government-operated infrastructure is not.

Data Centres as Strategic Assets in Modern Warfare

The Iran-AWS attack represents a new strategic doctrine: "digital infrastructure targeting" — striking cloud and data facilities to impose economic and operational costs on adversaries or their allies without direct military confrontation. Commercial data centres now host military logistics, satellite communications, financial clearing, and supply chain management — making them high-value dual-use targets.

  • AWS JEDI/JWCC contracts: Amazon holds significant US Department of Defense cloud contracts — providing the strategic logic for Iranian targeting of AWS infrastructure.
  • Dual-use nature: the same data centres hosting consumer apps also host defence-adjacent workloads — making commercial cloud infrastructure a legitimate military target under some interpretations of international law.
  • Physical vulnerability: data centres require consistent power, cooling, and physical security — drone strikes can disable any of these without necessarily destroying servers (power disruption is often sufficient).
  • Dispersion vs. concentration: hyperscalers operate "availability zones" (multiple facilities in a region) for resilience — but concentrated geographic clusters (as in UAE) can be struck simultaneously.
  • India context: ISRO, DRDO, NIC, and NPCI are migrating increasingly to cloud infrastructure — the Iran precedent makes this migration's security architecture a strategic concern.

Connection to this news: The AWS strikes confirm that data centres are no longer neutral civilian infrastructure — they are strategic assets whose physical protection requires the same calculus as military installations, particularly when they host state-affiliated workloads.

Key Facts & Data

  • AWS facilities struck: 2 in UAE, 1 in Bahrain — first known military strikes against a hyperscale cloud provider.
  • Services disrupted: Careem, Alaan, Hubpay, ADCB, Emirates NBD, Snowflake — across the UAE and Gulf region.
  • Iranian state media justification: Bahrain data centre targeted for Amazon's support of US military cloud contracts.
  • IT Act Section 70A: establishes NCIIPC for protection of Critical Information Infrastructure.
  • IT Act Section 70: Protected System designation — unauthorised access punishable with up to 10 years imprisonment.
  • MeitY GovCloud Policy 2023: classifies government data into public/confidential/secret tiers; secret data restricted to government-operated infrastructure.
  • NCIIPC's 6 CII sectors: Power & Energy, Banking/Finance/Insurance, Telecom, Transport, Government, Strategic & Public Enterprises.
  • India's hyperscaler data centres: AWS (Mumbai, Hyderabad), Azure (Pune, Chennai), Google Cloud (Mumbai, Delhi) — all potential targets in a scenario involving India in conflict.