These steps are for a Linux instance. Similar operations can be performed on Windows, but I haven't administered Windows machines for about 10 years. So, some research is required for that.
- Examine the processes running on the instance
ps aux
- Figure out what ports are open and listening
netstat -tulpn
- Anything in the home directories of users that can point to what's going on?
cd /home
ll -h
- Tail logs of running processes to determine if anything is still "chatting". Do this for an extended period of time.
tail -f /var/log/httpd/*.log
tail -f /var/log/nginx/*.log
tail -f /var/log/syslog
- Anything helpful in the ec2-metadata?
ec2-metadata
In this case, you'll need to use a different approach to see what's on the instance. The easiest method is to take a snapshot of the EBS volume for the machine, create a new EBS volume from the snapshot, and then mount this new volume to an instance to which you do have access.
The solution shown in this Stack Overflow article gives good examples and info on attaching an EBS volume to an EC2 instance.
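The snapshot, copy, attach and mount sequence described above, as an added AWS CLI example (not from the original post or the linked answer). The volume and instance IDs are placeholders you supply, and the `/dev/sdf` device name and `/mnt/inspect` mount point are assumed defaults.

```shell
#!/usr/bin/env bash
# Added example: clone an EBS volume for offline inspection on a helper instance.
# Volume/instance IDs are placeholders; /dev/sdf and /mnt/inspect are assumed names.

# Snapshot the source volume, build a copy in the helper's AZ, attach it; prints the new volume ID.
clone_volume_for_inspection() {
  local src_vol="$1" helper="$2" device="${3:-/dev/sdf}"
  local az snap vol
  # A volume can only be attached to an instance in the same Availability Zone.
  az=$(aws ec2 describe-instances --instance-ids "$helper" \
        --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' \
        --output text) || return 1
  snap=$(aws ec2 create-snapshot --volume-id "$src_vol" \
        --description "inspection copy of $src_vol" \
        --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1
  vol=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
        --query VolumeId --output text) || return 1
  aws ec2 wait volume-available --volume-ids "$vol" || return 1
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$helper" \
        --device "$device" >/dev/null || return 1
  aws ec2 wait volume-in-use --volume-ids "$vol" || return 1
  echo "$vol"
}

# Mount options that keep the copy read-only and stop anything on it from running.
inspection_mount_opts() {
  local base=ro,nosuid,nodev,noexec
  case "$1" in
    xfs)       echo "$base,nouuid,norecovery" ;;  # clone may share a UUID with the helper's root
    ext3|ext4) echo "$base,noload" ;;             # do not replay the journal
    *)         echo "$base" ;;
  esac
}

# Run on the helper after attaching. Check lsblk first: on Nitro instances the
# volume shows up as /dev/nvme1n1 (or similar), not as the name given to attach-volume.
mount_for_inspection() {
  local part="$1" mnt="${2:-/mnt/inspect}" fstype
  fstype=$(sudo blkid -o value -s TYPE "$part") || return 1
  sudo mkdir -p "$mnt"
  sudo mount -t "$fstype" -o "$(inspection_mount_opts "$fstype")" "$part" "$mnt"
}

# Usage (nothing runs until you call the functions):
#   vol=$(clone_volume_for_inspection vol-SOURCE i-HELPER)
#   lsblk; mount_for_inspection /dev/xvdf1
```

Delete the copied volume and the snapshot once the inspection is finished, unless you are keeping the snapshot as the archive copy.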
- Add an Applications tag to the resource and list all business-focused applications. For example, don’t use “nginx” but rather “Checkins”.
- Update the Name and/or Description tag with a meaningful name
- Manually archive any potentially valuable data to long-term storage (NAS, S3, Dropbox, etc.)
- Snapshot the EBS volume
- Stop the instance and wait for someone to complain