2 Answers
Hi there,
I thought I had found something from AWS for this in the past, but now I can’t seem to find it. There is their Digital Forensics page, which has a PDF for how to respond to Incident Response.
One way to isolate an affected EC2 instance for investigation is to place it in a Security Group that only the forensic investigators can access. Close all ports except to receive inbound SSH or RDP traffic from one single IP address from which the investigators can safely examine the instance.
There are a few hints here as well: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2
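The quarantine approach described in this answer (a security group that admits only the investigators' single IP on SSH/RDP and nothing else) can be expressed and then verified programmatically. The following is an added example, not code from the answer's author or from AWS: it builds the `IpPermissions` payload in the shape boto3's `authorize_security_group_ingress` accepts, and audits a group returned by `describe_security_groups` to confirm that every inbound rule is limited to the investigator host /32 on port 22 or 3389 and that no outbound rule remains. The investigator address `203.0.113.7`, the group id and the sample group are constructed values; no AWS call is made, so it runs offline.

```python
"""Added example (not from the original answer): build the ingress rules for a
forensic quarantine security group and audit an existing group's rules to
confirm that only the investigators' single IP can reach SSH/RDP."""
import ipaddress

# Ports named in the answer: SSH and RDP.
FORENSIC_PORTS = {"ssh": 22, "rdp": 3389}


def quarantine_ingress_rules(investigator_ip: str, services=("ssh", "rdp")) -> list:
    """Return IpPermissions in the shape boto3's
    authorize_security_group_ingress expects: each named service is opened
    only to the investigator's host (/32) and to nothing else."""
    host = ipaddress.ip_address(investigator_ip)  # raises ValueError on a malformed address
    if host.version != 4:
        raise ValueError("example handles IPv4 investigator addresses only")
    cidr = f"{host}/32"
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": FORENSIC_PORTS[s],
            "ToPort": FORENSIC_PORTS[s],
            "IpRanges": [{"CidrIp": cidr, "Description": f"forensics {s}"}],
        }
        for s in services
    ]


def audit_quarantine_group(group: dict, investigator_ip: str) -> list:
    """Check a security group (describe_security_groups format) against the
    isolation goal. Returns a list of findings; an empty list means compliant."""
    findings = []
    allowed_ports = set(FORENSIC_PORTS.values())
    expected_cidr = f"{ipaddress.ip_address(investigator_ip)}/32"
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "-1" is AWS's value for all protocols
            findings.append("rule allows all protocols")
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or not (lo == hi and lo in allowed_ports):
            findings.append(f"rule opens {proto} {lo}-{hi}, not a forensic port")
        for r in perm.get("IpRanges", []):
            if r["CidrIp"] != expected_cidr:
                findings.append(f"source {r['CidrIp']} is not the investigator host")
        if perm.get("Ipv6Ranges"):
            findings.append("IPv6 source present; quarantine rules expect the single IPv4 host")
        if perm.get("UserIdGroupPairs"):
            findings.append("source is another security group, not the investigator host")
    # The answer says to close all ports, so outbound should be empty as well.
    # Note: a newly created group carries a default allow-all egress rule that
    # has to be revoked explicitly; this check catches it if it was left in place.
    if group.get("IpPermissionsEgress"):
        findings.append("egress rules present; quarantine group should allow no outbound traffic")
    return findings


# Constructed sample: a group as describe_security_groups would return it,
# with one extra overly broad SSH rule so the audit has something to flag.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",  # placeholder id, not a real group
    "IpPermissions": quarantine_ingress_rules("203.0.113.7") + [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [],
}

if __name__ == "__main__":
    for rule in quarantine_ingress_rules("203.0.113.7"):
        print(rule)
    for finding in audit_quarantine_group(SAMPLE_GROUP, "203.0.113.7"):
        print("FINDING:", finding)
```

In practice the list returned by `quarantine_ingress_rules` is what you would pass as `IpPermissions=` to boto3, and the dict fed to `audit_quarantine_group` is one element of the `SecurityGroups` list that `describe_security_groups` returns; re-running the audit after the instance is moved into the group confirms the isolation actually took effect rather than assuming it did.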