Site Reliability

Enable DynamoDB point-in-time recovery

A bad deploy or a fat-fingered delete can corrupt a DynamoDB table in seconds. PITR lets you rewind to any second in the last 35 days — but it's off by default on every table.

12 min·10 sections·AWS

Last reviewed 27 May 2026

DynamoDB point-in-time recovery: the basics

Why a fully-managed, multi-AZ table still needs a recovery story

DynamoDB replicates every write synchronously across three Availability Zones, so the data is exceptionally safe from hardware failure. But durability is not recoverability. If your application writes garbage, a migration script overwrites the wrong items, or someone calls DeleteItem in a loop against production, DynamoDB faithfully and durably stores the damage across all three AZs. The platform has no idea your data is now wrong — it just keeps it safe.

Point-in-Time Recovery (PITR) is the answer. When enabled, DynamoDB continuously captures incremental backups of the table, letting you restore it to any single second within a rolling 35-day window. It's the primary defense against the failures that actually happen in production: accidental writes and deletes, bad deploys that corrupt data, and logic bugs that quietly mangle items for hours before anyone notices. It is OFF by default, per table.

The check flags any table with PITR disabled. That's almost always an oversight — a table created by an early prototype, a CDK stack where the flag was never set, or a service that grew from "throwaway" to "load-bearing" without anyone revisiting its recovery posture. A table with PITR off has no rewind button at all; the only recovery is whatever on-demand backups happen to exist, which for most disabled tables is none.

In this lesson you'll learn how DynamoDB PITR works under the hood — continuous incremental backups, the rolling 35-day window, and the crucial detail that a restore always creates a brand-new table and never overwrites the source. You'll see why that means you have to repoint your application or swap table names after recovery, how PITR differs from on-demand backups and AWS Backup (recent-and-granular versus long-term-and-compliance, and why you usually want both), what it actually costs, and how to roll it out across every production table with tags and automation so coverage never drifts. You'll get the AWS CLI commands to find PITR-disabled tables, enable PITR, and perform a real point-in-time restore.

Fun fact

The migration that ran twice

A payments team shipped a data migration that normalised a currency field across a 90 GB DynamoDB table. A retry in their deploy pipeline ran the migration a second time against already-migrated rows, double-applying the transform and quietly corrupting roughly 2.1 million items. Nobody noticed for six hours, until reconciliation reports went sideways. Because PITR had been enabled on the table for years, the on-call engineer restored a copy to the exact second before the first migration job started, diffed it against production, and surgically repaired the affected items. Total recovery: about 90 minutes. The team later admitted the PITR flag had been set once, in the original CDK stack, by an engineer who had since left — and never thought about again until the night it saved them.

Enabling PITR in action

Priya owns the platform reliability cadence at a logistics company. A continuity scan flags 18 DynamoDB tables with PITR disabled. Most are obviously fine — dev-scratch, loadtest-temp, a couple of ephemeral session caches. But two stop her cold: orders-prod and customer-addresses-prod, both clearly load-bearing, both with no recovery path beyond "hope."

She pulls the continuous-backups status to confirm. orders-prod comes back PointInTimeRecoveryStatus: DISABLED — exactly as flagged. The table is 64 GB. At roughly $0.20 per GB-month that's about $13 a month to give a customer-facing orders table a 35-day rewind window. She doesn't even bother routing that through a cost conversation; the number is a rounding error against the exposure.

She enables PITR on both production tables in a single change, then notes the one thing the team needs to internalise: a PITR restore never overwrites the live table — it creates a new one. So the runbook isn't "restore the table," it's "restore to orders-prod-recovered, validate it, then either repoint the service or swap the names." She adds that step to the incident runbook before closing the finding, because the worst time to learn the restore-to-new-table mechanic is at 3am mid-incident.

First, check the continuous-backups status of a table to confirm whether PITR is actually on.

$ aws dynamodb describe-continuous-backups --table-name orders-prod --query 'ContinuousBackupsDescription.PointInTimeRecoveryDescription'

{

"PointInTimeRecoveryStatus": "DISABLED"

}

# No EarliestRestorableDateTime, no LatestRestorableDateTime — there is no rewind window at all.

# A 64 GB customer-facing table with zero recovery path beyond on-demand backups (of which there are none).

PITR status for the table — DISABLED means there is no point-in-time recovery window whatsoever.

Enable PITR. It takes effect immediately and the 35-day window starts accumulating from this moment forward.

$ aws dynamodb update-continuous-backups --table-name orders-prod --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

{

"ContinuousBackupsDescription": {

"ContinuousBackupsStatus": "ENABLED",

"PointInTimeRecoveryDescription": {

"PointInTimeRecoveryStatus": "ENABLED",

"EarliestRestorableDateTime": "2026-05-26T14:02:11+00:00",

"LatestRestorableDateTime": "2026-05-26T14:02:11+00:00"

}

# Earliest == Latest right now; the window grows to a rolling 35 days from here. No backfill of the past.

PITR enabled. The rewind window starts now and rolls forward to 35 days — it does not retroactively cover yesterday.

DynamoDB PITR under the hooddeep dive

When PITR is enabled, DynamoDB continuously captures incremental backups of the table behind the scenes — there's no schedule to manage and no performance impact on your reads or writes, because the work happens in the storage layer, not on your provisioned or on-demand throughput. The result is a rolling window: at any moment you can restore to any single second between EarliestRestorableDateTime (up to 35 days ago) and LatestRestorableDateTime (about five minutes ago). The window is not configurable — it's always 35 days — and it starts accumulating only from the moment you enable PITR. Enabling it today does nothing for a deletion that happened yesterday.

The single most important operational fact is that a restore never touches the source table. restore-table-to-point-in-time creates a brand-new table with the data as it existed at the target timestamp; your live table is left exactly as it is. This is a deliberate safety property — recovery can't make a bad situation worse — but it means recovery is a two-step process. You restore to a new table (e.g. orders-prod-recovered), validate it, and then either repoint the application at the new table or delete the corrupted original and restore again under the original name. There is no in-place rewind.

PITR is distinct from on-demand backups and from AWS Backup. PITR is for recent, granular, second-level recovery within 35 days — the everyday "oops" defense. On-demand backups (and AWS Backup, which orchestrates them with retention policies, cross-Region copies, and vault locking) are for long-term retention and compliance — keeping a quarter-end snapshot for seven years, or a copy in another Region for DR. They're complementary: PITR handles the bad deploy you catch this week; AWS Backup handles the auditor who asks for last year's data. Most production tables should have both.

# Restore a corrupted table to the exact second before a bad migration started.
# This creates a NEW table; the live (corrupted) table is untouched.
aws dynamodb restore-table-to-point-in-time \
  --source-table-name orders-prod \
  --target-table-name orders-prod-recovered \
  --restore-date-time 2026-05-26T02:14:00+00:00

# Validate the restored copy, then cut over. Two common patterns:
#   1. Repoint the service's table name at orders-prod-recovered, or
#   2. Delete the corrupted original and restore again under the original name.
aws dynamodb describe-table --table-name orders-prod-recovered \
  --query 'Table.{Items:ItemCount,Status:TableStatus}'

What is the impact of a table without PITR?

The direct impact is unrecoverable data loss from the failures that actually happen. A migration script that runs twice, a deploy that rolls back and replays writes, a fat-fingered DeleteItem loop against the wrong table, a logic bug that quietly corrupts items for hours — every one of these is recoverable in 90 minutes with PITR and potentially unrecoverable without it. The recovery cost without PITR is hours to weeks of engineering reconstructing data from upstream sources, logs, or event streams, assuming those even exist and are complete.

The second-order impact is incident behaviour under pressure. The team with PITR runs one restore-table-to-point-in-time call, validates the new table, and cuts over — a contained, rehearsed procedure. The team without it improvises a recovery at 3am from whatever fragments they can find, in exactly the state where mistakes are most expensive and most likely. The presence of PITR changes a panic into a runbook.

The third impact is regulatory and contractual. SOC 2, PCI DSS, and most enterprise SLAs require demonstrable backup and recovery for systems of record. A customer-facing database with no point-in-time recovery is an audit finding the moment someone asks the question, and it undercuts uptime and data-integrity commitments you've made to customers. The audit and breach-disclosure costs dwarf the cost of the feature.

On the cost side, PITR is roughly $0.20 per GB-month of table size — note that it scales with how much data the table holds, not how many reads and writes it serves. A 64 GB table is about $13 a month; a 500 GB table about $100. Restores incur a separate one-time charge based on the size of the restored data. None of these numbers move a budget. The asymmetry is the whole point: a small, predictable, data-proportional cost caps an open-ended exposure.

How do you roll out PITR safely across the estate?

PITR rollout is a four-step loop that runs at every reliability cadence: inventory what's unprotected, enable it on everything that matters, prove the recovery path actually works, and make it the default so coverage never drifts.

1. Inventory every table by PITR status and data class

Pull every DynamoDB table across every Region and account and record its PITR status, size in GB, and a data classification — production, business-critical, ephemeral. Scratch, load-test, and session-cache tables genuinely don't need it; tables behind customer-facing services do. Without this step you'll either over-protect throwaway tables or, far worse, miss a load-bearing one hiding behind an innocuous name.

2. Enable PITR on every production and business-critical table

Turn it on with a single update-continuous-backups call per table — it's instant, has no throughput impact, and the 35-day window starts accumulating immediately. Remember it is not retroactive: enabling it today protects you going forward, not against yesterday's mistake. There's no reason to stage this slowly; the cost is data-proportional and small, and there's no downside to having a rewind window you never use.

3. Verify recovery, not just that PITR is enabled

An enabled flag is a hypothesis, not a tested recovery. At least quarterly, run restore-table-to-point-in-time against a production table into a scratch table and validate the data. This is where teams learn the restore-creates-a-new-table mechanic, find the IAM and KMS permissions they're missing on the restore path, and rehearse the cut-over (repoint the app, or delete-and-restore under the original name) somewhere other than a live incident.

4. Make PITR the default so new tables arrive protected

Bake PointInTimeRecoveryEnabled: true into the table module in your IaC (CDK/Terraform) so every new production table ships with it on. Add an AWS Config rule (dynamodb-pitr-enabled) to flag any table that slips through within minutes, and pair PITR with AWS Backup for long-term and cross-Region retention where compliance requires it. The inventory only stays short if new tables stop arriving unprotected.

# Find every table with PITR disabled across the account, then enable it on the ones that matter.
for t in $(aws dynamodb list-tables --query 'TableNames[]' --output text); do
  STATUS=$(aws dynamodb describe-continuous-backups --table-name "$t" \
    --query 'ContinuousBackupsDescription.PointInTimeRecoveryDescription.PointInTimeRecoveryStatus' \
    --output text)
  echo "$t  pitr=$STATUS"
done

# Enable PITR on a production table (instant, no throughput impact).
aws dynamodb update-continuous-backups \
  --table-name orders-prod \
  --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

# Quarterly: prove the recovery path by restoring to a scratch table and validating.
aws dynamodb restore-table-to-point-in-time \
  --source-table-name orders-prod \
  --target-table-name orders-prod-restore-test \
  --use-latest-restorable-time

Quick quiz

Question 1 of 5

A migration ran twice and corrupted millions of items in orders-prod three hours ago. PITR has been enabled on the table for months. What's the right recovery move?

Keep learning

Dig deeper into DynamoDB recovery, backup options, and the pricing behind the coverage math.

You've completed Enable DynamoDB point-in-time recovery. You now know why a multi-AZ, highly-durable table still needs a rewind button, how PITR's continuous backups and rolling 35-day window work, the crucial restore-to-a-new-table mechanic that shapes your recovery runbook, how PITR complements on-demand backups and AWS Backup, and the four-step inventory-enable-verify-default loop that keeps coverage at 100%. The next time a continuity scan flags a table with PITR disabled, you'll have a defensible path from "flagged" to "protected" in minutes.

Back to the library

DynamoDB point-in-time recovery: what it means for risk

A small, predictable cost that caps a very large, unpredictable exposure

DynamoDB is the database behind many of the application features customers touch every day. When engineers say the data is "highly durable," that's true — it's copied across three data centers automatically. But durable is not the same as recoverable. If a software bug or a mistaken command corrupts or deletes the data, the platform dutifully preserves the corrupted version. Without a recovery feature turned on, there is simply no way to go back to how the data looked before the mistake.

Point-in-Time Recovery is that feature. Turned on, it keeps a rolling 35-day rewind capability so the team can restore the table to any second before an incident. The cost is modest and predictable — it scales with how much data the table holds, not with how busy it is, at roughly twenty cents per gigabyte per month. For most tables that is single-digit to low-double-digit dollars a month. The thing it protects against — losing or corrupting the live data behind a customer-facing service — is open-ended: lost revenue, breached SLAs, regulatory exposure, and engineering time spent reconstructing data by hand.

This finding is therefore best read as a risk-and-coverage signal, not a cost line. The dollar amount of enabling PITR is trivial; the dollar amount of not having it during an incident is not. A table without PITR is an uninsured asset. The right framing at a review is not "what does this cost" but "what is our recovery coverage across the production tables, and which ones are exposed."

This lesson is for the finance partner who sees a DynamoDB line on the cloud bill and wants to know which spend is protecting the business and which is just running it. It explains what PITR costs and why that cost is predictable and small, how the cost of protection compares to the exposure of unprotected data, what compliance and audit frameworks expect for recoverable databases, and the three things you can actually do at the operational review — track coverage as a percentage, treat 100% on production as the bar, and watch for new tables landing without it. By the end you'll know the one number to ask for and what a gap in it really signals.

Fun fact

The migration that ran twice

How a finance partner reads this finding

Dana is the finance partner embedded with the platform team. At the monthly operational review the reliability lead is walking through continuity findings, and Dana asks the question that's now standard on her agenda: "What's our PITR coverage on production DynamoDB tables, and which ones are exposed?" The answer is 16 of 18 production tables covered — two gaps, both customer-facing.

The conversation isn't technical. Dana doesn't ask about restore mechanics or backup internals. She asks three things: what would it cost to close the two gaps, what's the exposure if one of those tables is corrupted, and why they weren't covered already. The cost answer is about $25 a month for both; the exposure answer is "the live orders data behind the checkout flow, unrecoverable." That asymmetry makes the decision instantly — close the gap this week, and add PITR-on-create to the table-provisioning standard so new tables arrive covered.

The number Dana tracks from then on isn't a dollar figure — it's coverage as a percentage of production tables. She wants to see 100%, and she wants to know the moment a new table lands without it, because that's the leading indicator that the provisioning standard is slipping. The cost of PITR never comes up again; it was never the point.

Why this matters to risk, not just the bill

The cost of PITR is small, predictable, and proportional to data size rather than activity — roughly $0.20 per GB-month. For a typical production table that's single to low-double-digit dollars a month, and across a whole estate it's a minor, stable line you can forecast precisely. It will never be the reason a cloud budget misses. So the interesting question this finding raises is not about cost at all.

The interesting question is exposure. An unprotected table behind a customer-facing service is an uninsured asset: the moment its data is corrupted or deleted, the loss is open-ended — lost revenue while the service is down, SLA penalties, breach-disclosure and legal costs if it's regulated data, and the engineering hours spent reconstructing records by hand. Set the certain, trivial cost of protection next to the uncertain, potentially severe cost of an incident and the decision makes itself. This is insurance, and the premium is negligible.

There's a compliance dimension too. SOC 2, PCI DSS, and most enterprise customer contracts require demonstrable backup and recovery for systems of record. A production database with no recovery path is a finding waiting to be raised — by an auditor, or worse, by a customer's security review during a deal. The cost of that finding, in remediation scramble and deal friction, far exceeds the cost of simply having had the feature on.

The metric to carry into the operational review is coverage, expressed as a percentage of production tables with PITR enabled. The target is 100%. Watch the trend: a coverage number that slips after being at 100% means new tables are arriving without the protection standard applied, which is exactly the kind of drift that's cheap to fix now and expensive to discover during an incident.

What finance can actually do about this

Finance can't enable PITR on a table, but it can make full coverage the condition under which production runs. Three levers, used together at the operational cadence.

1. Put coverage on the operational review as a standing line

Add "PITR coverage on production DynamoDB tables" as a recurring metric on the review pack, expressed as a percentage with the count of any gaps. The number to want is 100%. Unlike most findings, the dollar amount here is not the headline — the coverage percentage is. Any gap is the prompt to act, regardless of how small the table is.

2. Frame it as exposure, not cost

When a gap surfaces, the right question is never "what does it cost to fix" — it's a rounding error and everyone knows it. The right question is "what data is exposed and what's the loss if it's corrupted." Pricing the exposure (downtime, SLA penalties, reconstruction effort, audit risk) makes the trivially-cheap fix self-evidently worth doing, every time.

3. Make protection a precondition in the provisioning standard

Agree with engineering that no production table goes live without PITR, baked into the infrastructure templates so it's automatic rather than remembered. That single rule converts "chase coverage gaps" from an ongoing finance nag into a one-time standard that holds itself, and it's the only thing that keeps the coverage number at 100% without continual effort.

4. Treat slippage from 100% as the signal

Coverage that was at 100% and then drops means a new table arrived without the standard applied — a leading indicator that provisioning discipline is slipping, and that the same gap likely exists in other reliability controls. A single uncovered table is cheap to fix today and expensive to discover during an incident. Watch the trend, not the dollar.

Quick quiz

Question 1 of 5

A continuity scan shows PITR coverage on production DynamoDB tables has dropped from 100% to 94% over two months, with three new customer-facing tables uncovered. The cost to fix is about $40/month. As the finance partner, what's the right move?

Keep learning

Dig deeper into DynamoDB recovery, backup options, and the pricing behind the coverage math.

You've finished the finance partner's view of DynamoDB PITR. You know why this is a risk-and-coverage signal rather than a cost line, how a trivial, data-proportional premium caps an open-ended exposure, why compliance frameworks expect recoverable systems of record, and the three finance levers — coverage as the standing metric, exposure-not-cost framing, and protection-as-a-provisioning-precondition. Next time the line shows up at the review, you'll ask for the coverage percentage and treat any slip from 100% as the prompt to act.

Back to the library

DynamoDB point-in-time recovery: the headline

Whether the business can undo a data-destroying mistake

DynamoDB is a core database behind many products. It keeps the data extremely safe from hardware failure — but "safe" is not the same as "recoverable." If a bad deploy or a human error corrupts or deletes the live data, the only thing that brings it back is a recovery feature that has to be switched on in advance. It is off by default, and switching it on costs almost nothing.

This is a business-continuity control, not a cost item. Every table without it is a production system with no undo button — one mistake away from data loss the business cannot reverse. Full coverage on production tables is cheap insurance; a gap in coverage is the kind of single point of failure that turns a routine engineering mistake into a customer-facing incident.

A short read for the executive who wants the continuity headline and the one question to ask. You'll get the plain-English framing of what PITR protects against, why a gap in coverage is a single point of failure rather than a cost overrun, and what "good" looks like at an org level — 100% coverage on production tables, verified — with no commands and no internals.

Fun fact

The migration that ran twice

What it looks like when the org gets this right

At one company the quarterly continuity review used to surface a recurring item: "N production databases with no point-in-time recovery." The number bounced around — sometimes two, sometimes five — because new tables kept arriving without it. The exec sponsor stopped asking how many and started asking why any: "Why would we ever stand up a customer-facing database with no way to undo a mistake?"

Within a quarter the answer changed. PITR became a non-negotiable default in the provisioning standard, the gap closed to zero on production, and a quarterly restore test proved the recovery actually worked. The continuity slide stopped being a list of exposures and became a single green line: "100% PITR coverage on production, recovery verified." The exec hadn't asked anyone to chase a cost — she'd asked them to close a single point of failure, and the cost turned out to be immaterial.

Why this is on the continuity report

This isn't a cost item; it's a single-point-of-failure item. Every production database without point-in-time recovery is a system where one mistake — a bad deploy, a human error — can destroy live customer data with no way to undo it. The cost to remove that failure mode is immaterial. The cost of hitting it is an outage, lost or corrupted customer data, and the reputational and contractual fallout that follows.

So the size of this finding isn't measured in dollars; it's measured in exposure. A clean report means every customer-facing database can be rewound to before a mistake. A gap means at least one cannot. This sits squarely at the intersection of reliability, customer trust, and audit posture — and the fix is one of the cheapest insurance policies in the entire cloud estate.

The leadership move on this control

The actionable handle for an executive isn't to manage backups — it's to set the norm that makes a recovery gap impossible to ship.

1. Make recoverability a non-negotiable default for production data

Every production database should ship with a recovery path on by default — not added later, not remembered, not optional. Most data-loss incidents trace back to a control that was off because no one decided to turn it on. Making it the default removes the decision entirely.

2. Require that recovery be tested, not just enabled

An untested backup is a hope. Ask that the team prove recovery on a real production table at least quarterly, so the procedure is rehearsed before the night it's needed. The difference between a tested and an untested recovery path is the difference between a contained incident and a crisis.

3. Track coverage as a confidence signal, not a cost

Ask one question at the continuity review: "Is PITR coverage on production at 100%, and has recovery been verified?" A steady yes means a whole class of data-loss incidents simply can't happen to you. It's a one-minute item that tells you the underlying discipline is healthy without any technical depth.

Quick quiz

Question 1 of 5

At the continuity review you're told PITR coverage on production databases is 100% and recovery was successfully tested last quarter. What's the right read?

Keep learning

Dig deeper into DynamoDB recovery, backup options, and the pricing behind the coverage math.

That's the lesson. Two takeaways worth holding onto: a highly durable database is not the same as a recoverable one, and a table without point-in-time recovery is a single point of failure, not a cost line. The leadership question is simply whether production coverage is at 100% and whether recovery has been verified — cheap insurance against an expensive class of incident.

Back to the library

Part of the learning path Build in resilience

Enable DynamoDB point-in-time recovery

DynamoDB point-in-time recovery: the basics

The migration that ran twice

Enabling PITR in action

DynamoDB PITR under the hooddeep dive

What is the impact of a table without PITR?

How do you roll out PITR safely across the estate?

1. Inventory every table by PITR status and data class

2. Enable PITR on every production and business-critical table

3. Verify recovery, not just that PITR is enabled

4. Make PITR the default so new tables arrive protected

Quick quiz

Keep learning

DynamoDB point-in-time recovery: what it means for risk

The migration that ran twice

How a finance partner reads this finding

Why this matters to risk, not just the bill

What finance can actually do about this

1. Put coverage on the operational review as a standing line

2. Frame it as exposure, not cost

3. Make protection a precondition in the provisioning standard

4. Treat slippage from 100% as the signal

Quick quiz

Keep learning

DynamoDB point-in-time recovery: the headline

The migration that ran twice

What it looks like when the org gets this right

Why this is on the continuity report

The leadership move on this control

1. Make recoverability a non-negotiable default for production data

2. Require that recovery be tested, not just enabled

3. Track coverage as a confidence signal, not a cost

Quick quiz

Keep learning

Related site reliability lessons