Full Report
Amazon has confirmed that three Amazon Web Services (AWS) data centers in the United Arab Emirates (UAE) and one in Bahrain have been damaged by drone strikes, causing an extensive outage that is still affecting dozens of cloud computing services. [...]
Analysis Summary
# Incident Report: Physical Damage to AWS Data Centers via Drone Strikes
## Executive Summary
On or around March 3, 2026, Amazon Web Services (AWS) data centers in the UAE (three facilities) and Bahrain (one facility) sustained physical damage due to drone strikes, likely as an escalation related to regional conflict. This resulted in an extensive operational outage affecting dozens of cloud computing services across the AWS Middle East (UAE) Region (ME-CENTRAL-1) and the AWS Middle East (Bahrain) Region (ME-SOUTH-1). Response efforts focus on physical infrastructure restoration, software-based recovery paths, and guiding customers through disaster recovery and data migration.
## Incident Details
- **Discovery Date:** Monday via AWS status page update (Status update posted 4:19 PM PST).
- **Incident Date:** Occurred over the weekend prior to March 3, 2026.
- **Affected Organization:** Amazon Web Services (AWS)
- **Sector:** Cloud Computing / Technology
- **Geography:** United Arab Emirates (UAE) and Bahrain (Middle East)
## Timeline of Events
### Initial Access
- **Date/Time:** Over the weekend preceding March 3, 2026.
- **Vector:** Physical attack via Unmanned Aerial Vehicles (Drones).
- **Details:** Two facilities in the UAE were directly struck. In Bahrain, a drone strike occurred in close proximity to one facility.
### Lateral Movement
*Not Applicable. This was a kinetic, physical attack targeting infrastructure, not a cyber intrusion.*
### Data Exfiltration/Impact
- **Impact:** Structural damage, disruption of power delivery, and damage from fire suppression activities (water damage). Significant impairment of three Availability Zones (mec1-az2 and mec1-az3 in UAE; mes1-az2 in Bahrain).
### Detection & Response
- **Detection:** Amazon confirmed the physical impacts through internal monitoring and subsequent status updates.
- **Response Actions:** Working closely with local authorities, prioritizing personnel safety, restoring physical infrastructure, implementing software-based recovery paths, and assisting customers with data backup and migration plans.
## Attack Methodology
*Note: As this incident involved kinetic physical action rather than conventional cyber intrusion methods, the standard MITRE ATT&CK framework categories are evaluated based on the nature of the threat actor's physical objective.*
- **Initial Access:** Physical kinetic attack (Drone strikes).
- **Persistence:** Not applicable (Physical impact is instantaneous).
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Drones used to deliver impact payload. Context suggests potential geopolitical motivation (Iran's reported response to airstrikes).
- **Credential Access:** Not applicable.
- **Discovery:** Likely pre-attack physical reconnaissance or intelligence gathering on data center locations.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Physical destruction/damage to infrastructure leading to operational outage (T1486 Data Destruction/Service Denial).
## Impact Assessment
- **Financial:** Not explicitly disclosed, but expected to be significant due to physical damage and lengthy service disruption.
- **Data Breach:** No data exfiltration confirmed. Impact is on **service availability** and infrastructure integrity.
- **Operational:** Extensive outage affecting dozens of cloud computing services across two distinct AWS regions (ME-CENTRAL-1 and ME-SOUTH-1). Three key Availability Zones remain "significantly impaired."
- **Reputational:** Negative customer confidence regarding infrastructure resilience in the region, potentially worsened by geopolitical dynamics.
## Indicators of Compromise
- **Network Indicators:** Not applicable (Non-cyber event).
- **File Indicators:** Not applicable.
- **Behavioral Indicators:** Physical observation of drone impact/damage; fire alarms/suppression activation; power anomalies within affected AZs.
## Response Actions
- **Containment measures:** Securing the physical premises and ensuring personnel safety. (Specific infrastructure isolation details not disclosed).
- **Eradication steps:** Damage assessment and commencing physical infrastructure restoration.
- **Recovery actions:** Implementing "multiple software-based recovery paths," restoring physical hardware, and advising customers to execute disaster recovery plans, recover from remote backups (stored in unaffected regions), and reroute traffic.
## Lessons Learned
- Resilience against kinetic, state-level, or state-sponsored physical attacks against critical digital infrastructure needs continuous review, even for highly secure facilities.
- Reliance on geographically clustered cloud regions exposes customers to correlated regional instability (geopolitical/kinetic).
- The incident highlights the interdependency between cyber resilience and physical security in infrastructure protection.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Enhance layered physical security defenses around key data center infrastructure against low, slow, or aerial threats (drones).
2. Review disaster recovery strategies to ensure critical workloads are rapidly movable to geographically diverse regions (e.g., leveraging AWS Regions in US, EU, or APAC).
3. Implement robust, tested failover mechanisms that do not rely on immediate recovery of the compromised physical facility.
4. Maintain high redundancy in power delivery systems, mitigating chain reactions from localized damage/power loss.