We’re a small shop so people have to wear many hats. I’m trying to institute better security through user privilege limitation in AWS. But when users go on call, they need to be able to respond to incidents where they may need to follow instructions or investigate things that require permissions that might be beyond the normal privileges of their role. I’d like to have a special IAM role that grants extended privileges to the on-call engineer, and I’d like to have membership in that role be controlled by PagerDuty, where the user is placed in the role when they go on call and removed from the role when they come off call.
How might one go about doing this? Is there any combination of webhooks and Lambda functions that could do this? Any easier way?
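One way to build what the question describes, as an added example that is not part of the original post: a scheduled Lambda polls PagerDuty's `/oncalls` API for a schedule and reconciles membership of an IAM group that carries the elevated policy, so anyone who rotated off call is removed on the next run. Assumptions (not from the post): the group name `oncall-elevated`, a `PD_TOKEN`/`PD_SCHEDULE_ID` environment, that PagerDuty e-mail local parts match IAM user names, and that only escalation level 1 gets standing access.

```python
import json, os, urllib.request

ONCALL_GROUP = os.environ.get("ONCALL_GROUP", "oncall-elevated")  # assumed group name
SCHEDULE_ID = os.environ.get("PD_SCHEDULE_ID", "PXXXXXX")            # placeholder id

# Constructed sample of a PagerDuty /oncalls response (include[]=users assumed).
SAMPLE_ONCALLS = {"oncalls": [
    {"user": {"email": "Alice@example.com"}, "escalation_level": 1},
    {"user": {"email": "bob@example.com"}, "escalation_level": 2},
]}


def iam_user_for(pd_email: str) -> str:
    """Map a PagerDuty e-mail to an IAM user name (assumed local-part convention)."""
    return pd_email.split("@", 1)[0].lower()


def oncall_users(payload: dict, max_level: int = 1) -> list:
    """IAM names for everyone on call at or below max_level; deeper levels get nothing."""
    return sorted({iam_user_for(o["user"]["email"]) for o in payload["oncalls"]
                   if o.get("escalation_level", 1) <= max_level})


def plan_changes(current, desired) -> dict:
    """Minimal add/remove set; removals are explicit so off-call engineers lose access."""
    cur, want = set(current), set(desired)
    return {"add": sorted(want - cur), "remove": sorted(cur - want)}


def fetch_oncalls(token: str) -> dict:
    """Poll PagerDuty's REST API for the schedule's current on-call roster."""
    req = urllib.request.Request(
        f"https://api.pagerduty.com/oncalls?schedule_ids[]={SCHEDULE_ID}&include[]=users",
        headers={"Authorization": f"Token token={token}",
                 "Accept": "application/vnd.pagerduty+json;version=2"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def lambda_handler(event=None, context=None) -> dict:
    """Entry point for a Lambda run on a schedule (e.g. every few minutes)."""
    import boto3  # imported lazily so the pure functions test without AWS
    iam = boto3.client("iam")
    members = [u["UserName"] for u in iam.get_group(GroupName=ONCALL_GROUP)["Users"]]
    changes = plan_changes(members, oncall_users(fetch_oncalls(os.environ["PD_TOKEN"])))
    for user in changes["remove"]:   # revoke first: least privilege wins on partial failure
        iam.remove_user_from_group(GroupName=ONCALL_GROUP, UserName=user)
    for user in changes["add"]:
        iam.add_user_to_group(GroupName=ONCALL_GROUP, UserName=user)
    return changes
```

The Lambda's execution role needs only `iam:GetGroup`, `iam:AddUserToGroup` and `iam:RemoveUserFromGroup` scoped to that one group; the returned `changes` dict is worth logging so every grant and revocation leaves an audit trail alongside CloudTrail.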