DSR-S: How to Deploy and Set Up DSR-S in AWS

What is Ethyca DSR-S? What are the steps to set up my own storage?

Ethyca's DSR-S application allows customers to securely store their Data Subject Request download files on their own managed infrastructure.

  1. Your customer (a "Data Subject") puts in a request to download or erase their data in your Privacy Center (privacy.<yourdomain>.com)
  2. Ethyca stores all the Data Subject Requests (DSRs) that come into your Privacy Center
  3. Ethyca's Atlas, deployed in your infrastructure, polls Ethyca's web services to retrieve the queue of DSRs for your organization.
  4. When complete, Ethyca's Atlas returns an object of aggregated responses from the databases to Ethyca's web services
  5. Ethyca fetches data for each DSR from each of your configured 3rd party SaaS Data Integrations
  6. Ethyca aggregates both the response from Atlas and each of your Data Integrations and sends the final package to Ethyca's DSR-S
  7. Ethyca's DSR-S then sends the final downloadable package to be stored in your desired cloud storage system (ie: AWS S3, GCP Cloud Storage, Azure Cloud Storage)
  8. At the same time, the Data Subject is notified that their DSR is ready via an email containing a URL with a downloadable ZIP file
  9. Using the URL provided, which Ethyca proxies to your storage system, the Data Subject downloads the data to retrieve the package and return it to the user to save locally on their desktop

This guide will outline the steps to deploy and configure DSR-S in 4 steps:

  1. Download the Ethyca DSR-S Docker Image
  2. Configure Authentication/Authorization for DSR-S
  3. Deploy DSR-S
  4. Validate your deployment

Deployment Prerequisites

  • A command-line environment (preferably Linux) to run CLI commands
  • Ability to securely receive API keys for AWS from Ethyca
  • Ability to run the docker commands/launch docker images
  • Access to a test subject's email for the purpose of requesting data from the Privacy Center, validating Multi-Factor Authentication (MFA), and verifying the final data"
  • Administrative access to customer's Control Panel to to approve the test subject's DSR request

Step 1: Download DSR-S from Docker

Ethyca's Atlas and the configuration tool are provided as Docker images. Your Ethyca Customer Success Manager will provide you the following information for your Environment Variable Properties file:

Pull down the latest image from the Ethyca DSR-S Docker Repo using the following command:

docker pull ethyca/dsrs

Step 2: Configuring Authentication/Authorization for DSR-S

There are a 2 of ways to give Ethyca's DSR-S access to your cloud storage service, select one of the authentication methods below:

Authenticate DSR-S using AWS IAM Credentials

  • Log into your AWS IAM console and access the Security Credentials page.
  • Under "Access keys for CLI, SDK, & API access", press "Create Access Key"
  • Your AWS Security Key is shown only once here, copy this value and save for step 3
  • Your AWS Access Key ID is shown here as well, copy this value and save for step 3

Authenticate and Authorize DSR-S Using Roles (AWS EC2 Policies)

  • Log into AWS as an administrator
  • Proceed to Identity and Access Management (IAM) tool
  • Click on "Roles" and "Create role"
843 843
  • Choose the EC2 use case and proceed to "Next: Permissions".
  • If you do not have an existing S3 specific policy, click "Create policy" to generate a new one.
  • Select S3 from the list of available services.
  • Under actions, for the access level, please ensure the policy provides for: List Bucket, Read:GetObject and Write:PutObject. You can optionally restrict the policy to the specific S3 resource by specifying the object resource ARN or set for all resources (not recommended).
843 843
  • Provide a name for the policy, for example, "DSRS-Restricted" and save.
  • Return to the "Create role" panel and check on the newly created policy "DSR-Restricted" to assign this to the role and click "Next: Review".
  • Finally provide a recognizable name for the Role, e.g. "DSR-Role", and click "Create Role".
  • You will use this in Step 3 from either the EC2 console or AWS CLI to set the instance profile of the DSR-S instance.

Step 3: Deploy DSR-S

Once you've downloaded the Docker file and provisioned auth credentials, you are ready to deploy your DSR-S. In order to deploy your DSR-S, simply follow the command below to set your environment variables, auth credentials and settings all in one.

docker run -it \  
        -e dsrs.organization=<ETHYCA-PROVIDED ORGANIZATION NAME> \  
        -e dsrs.api.key=<YOUR OWN API KEY> \  
        -e dsrs.url=https://<URL TO YOUR DSR-S INSTANCE> \  
        -e dsrs.ttl.hours=24 \  
        -e dsrs.ethyca.url=https://api.ethyca.com \  
        -e dsrs.ethyca.api.key=<ETHYCA-PROVIDED API KEY> \  
        -e dsrs.storage.type=aws \  
        -e dsrs.storage.path=<YOUR S3 FOLDER>/<PATH HERE> \  
        #-e dsrs.storage.aws.access.key.id=<YOUR AWS ACCESS KEY>  
        #-e dsrs.storage.aws.secret.access.key=<YOUR AWS SECRET KEY>  
        -p 8080:8080 \  
        --name dsrs-rest

The following settings can be modified to customize your deployment:

  • dsrs.ttl.hours=24 : this is the expiration time in hours that your DSR download package will be available to the user. The default is 24-hours.
  • dsrs.storage.path: this is the canonical path that your DSR zip files will be stored in.
  • dsrs.storage.aws.region: this is your preferred AWS region, such as us-east-1
  • if using AWS IAM secret and access key, you can remove the 2 commented-out lines from the above command

If you've provisioned an EC2 profile for your DSR-S user, attach the instance profile to the EC2 instance using AWS Console or CLI:

  • Open the Amazon EC2 console, and then choose Instances.
  • Choose the appropriate instance running DSR-S that you want to attach the IAM role to.
  • Choose Actions, choose Instance Settings, and then choose Attach/Replace IAM role.
  • On the Attach/Replace IAM role page, under IAM role, choose the instance profile that you want to attach from the drop-down list as created in Step 1, e.g "DSR-Role" (note new roles automatically generate new instance profiles)
  • Choose Apply.

The Finishing Touches

🚨 Do not forget to safe-list or open bidirectional communication to Ethyca hosted services at api.ethyca.com

Step 4: Validating your Deployment

Once DSR-S is up, the service can be validated using the following rest commands:

$ curl --header "Authorization: <ETHYCA-PROVIDED API KEY>" \  
     --header "Content-Type: application/json" \  
     --data '{"organizationName":"<ETHYCA-PROVIDED ORGANIZATION NAME>","apiKey":"<YOUR OWN API KEY>","url":"https://<YOUR DEPLOYED URL>,"ttl":24}' \  
     -X POST https://api.ethyca.com/dsrs


If you require any technical assistance for the installation or configuration of Ethyca Atlas, you can contact your appointed Privacy Success Manager directly via email or speak directly with support team via your private Ethyca Slack channel.