Steps to be taken in case of such activity:
- Isolate the instance so that it cannot attack any other server in the network
- Perform an EBS snapshot
- Take a memory dump
- Perform forensics analysis
- Terminate the instance
Once the investigation is done, the instance can be terminated.
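
The ordering above can be enforced in tooling. This is an added example, not code from the original page: the function names, the isolation security group, the case id and the `RecordingEC2` stand-in are assumptions, and the method names on the stand-in mirror the boto3 EC2 client so a real client could be passed instead.

```python
class RecordingEC2:
    """Constructed stand-in for boto3.client("ec2"): records calls, touches nothing."""
    def __init__(self, volume_ids):
        self.calls, self._vols = [], list(volume_ids)
    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        maps = [{"Ebs": {"VolumeId": v}} for v in self._vols]
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": maps}]}]}
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-of-" + VolumeId}  # constructed id
    def terminate_instances(self, InstanceIds):
        self.calls.append(("terminate_instances", InstanceIds))

def isolate_and_snapshot(ec2, instance_id, isolation_sg, case_id):
    """Isolate first, then snapshot every attached EBS volume. Returns {volume: snapshot}."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # Replace ALL security groups with one isolation group (assumed to have no rules).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    snapshots = {}
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping.get("Ebs", {}).get("VolumeId")
        if vol:  # skip any mapping that carries no EBS volume id
            resp = ec2.create_snapshot(VolumeId=vol, Description=f"{case_id} {instance_id} {vol}")
            snapshots[vol] = resp["SnapshotId"]
    return snapshots

def terminate_after_investigation(ec2, instance_id, snapshots, memory_dumped, analysis_done):
    """Terminate last: it destroys RAM and may delete volumes, so require the evidence first."""
    missing = [name for name, ok in (("EBS snapshot", bool(snapshots)),
                                     ("memory dump", memory_dumped),
                                     ("forensic analysis", analysis_done)) if not ok]
    if missing:
        raise RuntimeError("refusing to terminate, still missing: " + ", ".join(missing))
    ec2.terminate_instances(InstanceIds=[instance_id])

if __name__ == "__main__":
    ec2 = RecordingEC2(["vol-0aaa", "vol-0bbb"])  # constructed volume ids
    snaps = isolate_and_snapshot(ec2, "i-0example", "sg-0isolation", "CASE-001")
    print(snaps)
    try:
        terminate_after_investigation(ec2, "i-0example", snaps, memory_dumped=False, analysis_done=False)
    except RuntimeError as err:
        print(err)
```

The memory dump has no EC2 API call; it is taken on the running host, which is why the instance is isolated rather than stopped before that step.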