Amazon’s cloud infrastructure in the Middle East remains offline nearly two months after Iranian drone strikes damaged three AWS data centers—one in Bahrain and two in the United Arab Emirates. The company confirmed in an April 30 update that full restoration will take several more months, marking one of the longest known outages caused by physical conflict in cloud computing history. As of May 02, 2026, the ME-CENTRAL-1 (UAE) and ME-SOUTH-1 (Bahrain) regions are still non-operational, with no customer applications supported and no timeline for resumption of services.
Key Takeaways
- AWS suspended billing for affected regions in March 2026 and continues to waive charges through recovery.
- The April 30 dashboard update confirms damage from Middle East conflict impacted both UAE and Bahrain facilities.
- Amazon is forgoing an estimated $150 million in revenue to avoid charging during the outage.
- Repairs are expected to take several months, meaning full recovery could stretch into late 2026.
- This is the first major cloud disruption caused by direct military action on data centers.
War Comes to the Cloud
For years, cloud providers have treated physical infrastructure as untouchable—protected by redundancy, geopolitics, or sheer obscurity. That assumption shattered in early March 2026 when Iranian drones targeted Amazon’s data centers in Manama and Abu Dhabi. The attacks weren’t collateral damage. They were precise. They were public. And they exposed a fatal blind spot in how cloud companies plan for risk.
The ME-CENTRAL-1 and ME-SOUTH-1 regions weren’t just knocked offline. They were structurally compromised. Satellite imagery reviewed by original report analysts shows roof breaches, cratered substations, and fire damage near main server halls. Repair crews can’t just plug in new gear. They’re rebuilding from the ground up—reinforcing walls, replacing HVAC systems, and rewiring entire power grids before a single server rack goes back online.
Amazon didn’t choose these locations lightly. The UAE and Bahrain serve as strategic hubs for AWS across the Middle East, North Africa, and parts of South Asia. These regions handle everything from regional banking APIs to government health records to defense logistics platforms used by allied forces. Their prolonged absence isn’t just an inconvenience. It’s a systemic disruption.
Why This Isn’t Just a Redundancy Failure
Most cloud outages follow a familiar script: a software bug, a misconfigured firewall, a cascading network failure. Engineers troubleshoot. Failover systems kick in. Within hours or days, things stabilize. But this isn’t that kind of failure. This is war damage. And war doesn’t respect redundancy plans.
Amazon’s standard high-availability model relies on multiple availability zones within a region. But when the entire region is compromised—when bombs punch through steel and concrete—those zones go down together. There’s no failover path when the geography itself becomes the attack vector.
Physical Infrastructure Has Never Been This Vulnerable
Data centers are hardened facilities. They have backup generators, biometric locks, and fiber-optic isolation. But they weren’t built to withstand drone swarms armed with shaped charges. The strikes exploited a critical truth: no amount of encryption or distributed architecture can protect against a 50-pound warhead landing on your transformer yard.
And unlike cyberattacks, which can be mitigated remotely, physical destruction requires boots on the ground, replacement parts, and time—lots of it. Even if Amazon flew in modular server units tomorrow, they couldn’t power them without restoring primary electrical systems first. That’s not a technical delay. That’s a construction project.
- ME-CENTRAL-1 launched in 2022 as AWS’s first Middle East region.
- ME-SOUTH-1 followed in 2023, expanding capacity into the Persian Gulf.
- Both regions were designed to support 99.99% uptime SLAs.
- Outage now exceeds 60 days and counting.
- No other cloud provider has reported similar physical attacks in the region.
Amazon’s $150 Million Gamble
In the immediate aftermath, Amazon made a bold choice: suspend all billing. That wasn’t just goodwill. It was survival. Cloud customers don’t tolerate downtime, especially when they’re paying for SLA guarantees. By waiving charges for March and extending the freeze into April and possibly May, Amazon is trying to preserve trust.
But that comes at a steep cost. The $150 million revenue loss represents one of the largest single financial hits ever taken by AWS for a service disruption. For context, that’s more than the annual operating budget of some mid-sized SaaS startups. And it’s not just lost income. It’s lost momentum. Customers who relied on these regions are now migrating workloads to Europe, India, or North America—many permanently.
One fintech startup based in Dubai told Ars Technica they’ve already rerouted transaction processing through Mumbai. “We can’t wait six months for Amazon to rebuild,” the CTO said. “We moved. We’re not coming back.”
The New Geography of Risk
Cloud providers have long marketed geographic diversity as a safety feature. Store your data in multiple regions, they said. Spread your risk. But what happens when entire regions become war zones?
The drone attacks force a reckoning: physical location matters more than we admitted. A server in Bahrain isn’t just another node on a map. It’s sitting in one of the most volatile geopolitical flashpoints on Earth. And now, developers and CIOs have to treat data center placement like a security decision—not just a latency or compliance one.
What This Means For You
If you’re building on AWS and using ME-CENTRAL-1 or ME-SOUTH-1, assume those regions are gone for good. Even when they come back online, they’ll face months of instability. Migrate now. Use this outage as a stress test for your disaster recovery plan. If you can’t fail over cleanly to EU-WEST-1 or AP-SOUTH-1, you’re not ready.
And if you’re designing new systems, stop treating cloud regions as interchangeable. Ask: what’s the political stability of the host country? Does it have active military tensions? Is it a known target for state-sponsored attacks? The answers should shape your architecture as much as performance or cost.
We used to worry about hackers and ransomware. Now we have to worry about drones and ballistic trajectories. That’s not paranoia. That’s just the new ops checklist.
What happens when the next strike hits a Google Cloud zone in Tel Aviv—or a Microsoft Azure facility near the Taiwan Strait? We’re not ready. Not even close.
Industry Response and Preparation
Other cloud providers, like Google Cloud and Microsoft Azure, are taking notice of the situation. They’re reevaluating their own risk assessments and disaster recovery plans. Google Cloud, for instance, has announced plans to expand its presence in the Asia-Pacific region, with new data centers in Singapore and Tokyo. Microsoft Azure, on the other hand, is focusing on enhancing its security features, including advanced threat protection and encryption.
Meanwhile, companies like IBM and Oracle are highlighting their own cloud offerings as more secure alternatives. IBM, in particular, is touting its private cloud solutions as a more reliable option for businesses that require high levels of security and uptime. Oracle, on the other hand, is emphasizing its cloud infrastructure’s ability to withstand physical attacks, thanks to its strong design and multiple redundancies.
As the cloud industry continues to evolve, it’s clear that physical security will become an increasingly important consideration. Cloud providers will need to invest in more strong infrastructure, including reinforced data centers and advanced security systems. They’ll also need to develop more comprehensive disaster recovery plans, taking into account the potential for physical attacks.
Technical Dimensions of the Outage
From a technical perspective, the outage highlights the importance of designing cloud infrastructure with physical security in mind. This includes using reinforced materials, implementing advanced access controls, and ensuring that data centers are located in safe and secure areas. It also requires cloud providers to have strong backup and disaster recovery systems in place, including redundant power supplies, cooling systems, and network connections.
In the case of Amazon’s ME-CENTRAL-1 and ME-SOUTH-1 regions, the damage was extensive. The drone strikes caused significant damage to the data centers’ physical infrastructure, including the roof, walls, and electrical systems. The repairs will require a significant investment of time, money, and resources, and will likely involve rebuilding or replacing entire sections of the data centers.
As cloud providers move forward, they’ll need to prioritize physical security in their design and operations. This will require significant investments in infrastructure, personnel, and training. It will also require cloud providers to work closely with governments, law enforcement, and other stakeholders to stay ahead of emerging threats and ensure the security and resilience of their cloud infrastructure.
The Bigger Picture
The outage of Amazon’s ME-CENTRAL-1 and ME-SOUTH-1 regions is a wake-up call for the cloud industry. It highlights the importance of physical security and the need for cloud providers to prioritize this aspect of their operations. As the cloud continues to grow and evolve, it’s clear that physical security will become an increasingly important consideration.
The implications of this outage go beyond the cloud industry, however. They highlight the growing threat of physical attacks on critical infrastructure, including data centers, power plants, and transportation systems. As the world becomes increasingly dependent on digital technologies, the risk of physical attacks on these systems will only continue to grow.
It’s essential, therefore, that governments, industries, and individuals work together to address this threat. This will require significant investments in security infrastructure, personnel, and training, as well as the development of more comprehensive disaster recovery plans and emergency response systems. It will also require a greater awareness of the risks and consequences of physical attacks on critical infrastructure, and a commitment to prioritizing security and resilience in the design and operation of these systems.
Sources: Ars Technica, Bloomberg Technology
