What I ended up doing was the following:
- Generated a new user on the EC2 instance via this tutorial: http://aws.amazon.com/articles/1233
- Didn't give the user sudo access
- Generated a new MySQL user on the RDS instance
  ```sql
  -- db_name and table_name are placeholders
  GRANT SELECT ON db_name.table_name TO 'user';
  ```
- Gave the client the private key, RDS connection details, SSH host
Boom. He's in and has a locked-down user account on the EC2 instance, and can now use the SSH details to access the RDS instance with SELECT privileges.
Unfortunately, he also has access to his own home directory on the EC2 instance.
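
Added example, not part of the original answer: an `sshd_config` fragment that limits such an account to a single port forward, so the key opens the database tunnel but not a shell or the home directory. The user name `dbclient` and the endpoint `rds-endpoint.example.com` are placeholders.

```sshdconfig
# /etc/ssh/sshd_config on the EC2 instance (added example).
# "dbclient" and the RDS endpoint below are placeholders, not values from the post.

# Without a Match block the account only lacks sudo: it still gets an
# interactive shell, SFTP/scp into its home directory, and may forward
# to any host and port the instance can reach.

Match User dbclient
    # Public-key login only; the client was handed a private key.
    PasswordAuthentication no
    AuthenticationMethods publickey

    # Allow local (-L) forwards only, and only to the RDS MySQL port.
    # PermitOpen is compared with the host name the client asks for,
    # so the client must use exactly this endpoint string.
    AllowTcpForwarding local
    PermitOpen rds-endpoint.example.com:3306

    # No shell, scp or SFTP: every session request runs /bin/false instead.
    ForceCommand /bin/false
    PermitTTY no

    # Close the remaining forwarding channels.
    X11Forwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    PermitTunnel no
    GatewayPorts no
```

Check the file with `sshd -t` before reloading the daemon. With this in place the client connects without requesting a session, for example `ssh -N -L 3306:rds-endpoint.example.com:3306 dbclient@<SSH host>`, and points the MySQL client at `127.0.0.1:3306`.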