Overview and Access Points

Overview

The Brain Data Science Platform (BDSP) organizes projects into three access levels, each backed by Amazon S3 Access Points in our AWS infrastructure.

  • Open Access: No special requirements - data is publicly available
  • Restricted Access: Requires AWS account registration + Data Use Agreement (DUA)
  • Credentialed Access: Requires AWS account + DUA + CITI training certification
Find your access points: Once your AWS account has been authorized for one or more access levels, the specific access-point aliases that apply to your account are shown on your Cloud Credentials dashboard, along with copy-pasteable AWS CLI examples. The examples on this page use placeholder names like [YOUR-ACCESS-POINT-ALIAS]; replace them with the actual alias from your dashboard.

Access levels

Access Level Contains How to get authorized
Open Publicly available datasets Add your AWS Account ID at Cloud Credentials; click "Request Access" on a project page
Restricted Restricted-access publication datasets Same as above, plus sign each project's Data Use Agreement
Credentialed Large research repositories (EEG, ECG, PSG, EHR, Imaging) and credentialed publication datasets Same as above, plus complete CITI Data or Specimens-Only Research training and submit your certificate

Scroll down to see the projects available at each access level.


Open Access Projects

Open Access Projects

Open-access publication datasets are available to anyone with an AWS account; no DUA or training is required. To get authorized, register your AWS Account ID at Cloud Credentials and click "Request Access" on the project page.

Projects at this level

  • Deep Hypothermia and EEG (folder: hypothermia/)
  • Other open-access publication datasets — see the project listings on Browse Projects

Example commands

Copy your access-point alias for open access projects from Cloud Credentials and use it in the examples below. Replace [FOLDER-NAME] with the project folder you want.

# List files in a project
aws s3 ls s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/

# Download a project
aws s3 cp s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/ ./[FOLDER-NAME]/ --recursive

Restricted Access Projects

Restricted Access Projects

Restricted-access publication datasets require a signed Data Use Agreement (DUA) per project, in addition to a registered AWS Account ID. Once approved, the project's data is reachable through the restricted access point.

Projects at this level

  • I-CARE (folder: i-care/)
  • Other restricted-access publication datasets — see the project listings on Browse Projects

Example commands

Copy your access-point alias for restricted access projects from Cloud Credentials and use it in the examples below. Replace [FOLDER-NAME] with the project folder you want.

# List files in a project
aws s3 ls s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/

# Download a project
aws s3 cp s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/ ./[FOLDER-NAME]/ --recursive

Credentialed Access - Large Repositories

Credentialed Access — Large Repositories

BDSP's large credentialed repositories cover hundreds of thousands of records of physiological signals and clinical data. Access requires a registered AWS Account ID, a signed credentialed Data Use Agreement, and proof of completion of CITI Data or Specimens-Only Research training.

Projects at this level

  • EEG/ — Electroencephalography
  • ECG/ — Electrocardiography
  • PSG/ — Polysomnography (sleep)
  • EHR/ — Electronic health records
  • Imaging/ — Imaging data

Example commands

Copy your access-point alias for credentialed access — large repositories from Cloud Credentials and use it in the examples below. Replace [FOLDER-NAME] with the project folder you want.

# List files in a project
aws s3 ls s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/

# Download a project
aws s3 cp s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/ ./[FOLDER-NAME]/ --recursive

Credentialed Access - Publication-Specific Projects

Credentialed Access — Publication-Specific Projects

Publication-specific credentialed datasets are tied to individual papers. Authorization requires the same prerequisites as the large repositories (registered AWS Account ID, signed DUA, CITI training), plus per-project DUA review where required.

Projects at this level

  • Philosopher's Stone (folder: philosoph/)
  • ICU SLEEP
  • Brain Age Index / Dementia
  • Other credentialed publication datasets — see the project listings on Browse Projects

Example commands

Copy your access-point alias for credentialed access — publication-specific projects from Cloud Credentials and use it in the examples below. Replace [FOLDER-NAME] with the project folder you want.

# List files in a project
aws s3 ls s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/

# Download a project
aws s3 cp s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/ ./[FOLDER-NAME]/ --recursive

General Usage Instructions

General Usage Instructions

Prerequisites

  1. AWS Account: Create an AWS account at https://aws.amazon.com/
  2. Add AWS Account ID: Log into BDSP and add your 12-digit AWS Account ID at Cloud Credentials
  3. Request Dataset Access: Navigate to each dataset's project page and click "Request Access"
    • For restricted access: Sign the Data Use Agreement (DUA)
    • For credentialed access: Sign DUA AND upload CITI training certificate
  4. Find your access-point alias: After your access has been approved, return to your Cloud Credentials dashboard. The "Your S3 Access Points" section shows you the access-point alias for each level you're authorized to use, along with the bucket name and ARN.
  5. Install AWS CLI: Download from https://aws.amazon.com/cli/
  6. Configure AWS Credentials: Run aws configure and enter your AWS access key and secret key

Verify your AWS identity

Before accessing data, verify your AWS credentials are configured correctly:

aws sts get-caller-identity

The Account field should match the 12-digit AWS Account ID you registered with BDSP.

Common commands

The examples below use [YOUR-ACCESS-POINT-ALIAS] as a placeholder. Copy your actual alias from Cloud Credentials; aliases look like bdsp-credentialed-ac-azoj8m45e3tggdoiobxwom8trs59euse1b-s3alias. Replace [FOLDER-NAME] with the project or dataset folder you want.

List files in a dataset

aws s3 ls s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/

Download an entire dataset

aws s3 cp s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/ /your_local_path/ --recursive

Download a specific file

aws s3 cp s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/[FILE-PATH] /your_local_path/

Sync a dataset (only download new/changed files)

aws s3 sync s3://[YOUR-ACCESS-POINT-ALIAS]/[FOLDER-NAME]/ /your_local_path/

About access-point aliases vs ARNs

You can pass either form to the AWS CLI:

  • Alias (recommended; shorter and easier to read): s3://bdsp-credentialed-ac-…-s3alias/path/to/file
  • ARN (works the same): s3://arn:aws:s3:us-east-1:184438910517:accesspoint/bdsp-credentialed-access-point/object/path/to/file

Both are shown on your dashboard. Older documentation and tooling sometimes references specific access-point names directly (for example, bdsp-credentialed-access-point); those still work as long as your AWS account is authorized in that specific access point. If a command references an access-point name and returns "Access Denied," check your dashboard — your account may have been authorized in a sibling shard with a different name.

Troubleshooting "Access Denied" errors

Getting "Access Denied" errors? Try these steps:
  1. Verify your AWS Account ID: Make sure the AWS Account ID in your BDSP profile (Cloud Credentials) matches your actual AWS account.
  2. Use the alias from your dashboard: The "Your S3 Access Points" section shows the exact alias your account is authorized for. Don't guess at access-point names from older documentation.
  3. Check S3 permissions on your IAM user/role: Your IAM user/role needs S3 permissions (see the section below for the minimum policy).
  4. Wait for access propagation: After approval, AWS permissions may take 5–10 minutes to propagate.
  5. Retry "Request Access": On the project page, try clicking "Request Access" again (up to 3 times, waiting a few minutes between attempts).
  6. Enterprise / SSO users: If your organization uses AWS SSO, you may need IT assistance to add S3 permissions outside the standard SSO configuration.

AWS S3 Permissions Setup (keep existing)

Important: If you receive an "Access Denied" error when accessing S3 data, you need to add S3 permissions to your AWS account.

Step 1: Sign in to AWS

  1. Go to the AWS Management Console: https://console.aws.amazon.com/
  2. Log in with your AWS account.

Step 2: Open IAM

  1. In the search bar at the top of the AWS console, type IAM.
  2. Click IAM (Identity and Access Management).

Step 3: Select Your User or Role

  1. If you are using an IAM User: click Users from the left menu, then select your username.
  2. If you are using an IAM Role: click Roles from the left menu, then select the role you use.

Step 4: Attach S3 Permissions

  1. Go to the Permissions tab.
  2. Click Add permissionsAttach policies directly.
  3. Search for and select AmazonS3FullAccess.
  4. If your organization requires limited access, create a custom policy with at least the following permissions: 
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
  5. Click Add permissions.
✓ Done! After adding these permissions, you should be able to access the S3 data without "Access Denied" errors.