How to only allow select queries when someone connects to RDS through a specific bastion

I have a Postgres RDS instance that I (and other team members) can connect to via a bastion (EC2 instance) via an SSH tunnel. However, I want to configure things so that if someone connects to the RDS via this specific bastion, they will only be able to run select queries and not change any tables/data inside the database. Is this possible to do in such a way that connecting through the bastion will enforce some restriction, or will I have to enforce this restriction another way?



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
