Barry Sheward
Once you’ve taken the EBS snapshot, create a volume and mount that as the second drive on a clean EC2 instance. That way, you’re not booting or running software from the compromised machine, but you have full access to the logs and other software. It makes is possible for example to compare checksums of the clean machine with the compromised machine.
Hope that helps!