diff --git a/packages/aws-rfdk/lib/core/lib/x509-certificate.ts b/packages/aws-rfdk/lib/core/lib/x509-certificate.ts
index 42102f618..73b8534d1 100644
--- a/packages/aws-rfdk/lib/core/lib/x509-certificate.ts
+++ b/packages/aws-rfdk/lib/core/lib/x509-certificate.ts
@@ -167,6 +167,7 @@ abstract class X509CertificateBase extends Construct {
       removalPolicy: RemovalPolicy.DESTROY,
       encryption: TableEncryption.AWS_MANAGED,
       billingMode: BillingMode.PAY_PER_REQUEST,
+      pointInTimeRecovery: true,
     });
 
     this.passphrase = new Secret(this, 'Passphrase', {
diff --git a/packages/aws-rfdk/lib/core/test/x509-certificate.test.ts b/packages/aws-rfdk/lib/core/test/x509-certificate.test.ts
index 8e29e1df0..68b621533 100644
--- a/packages/aws-rfdk/lib/core/test/x509-certificate.test.ts
+++ b/packages/aws-rfdk/lib/core/test/x509-certificate.test.ts
@@ -117,6 +117,12 @@ test('Generate cert', () => {
       },
     },
   });
+  // Expect Table to have point in time recovery set to true
+  Template.fromStack(stack).hasResourceProperties('AWS::DynamoDB::Table', {
+    PointInTimeRecoverySpecification: {
+      PointInTimeRecoveryEnabled: true,
+    },
+  });
 
   // Should not be any errors.
   Annotations.fromStack(stack).hasNoInfo(`/${cert.node.path}`, Match.anyValue());