Create a new key-pair in the AWS console and boot up a new instance (assuming the attacker is removed from IAM users). This requires configuring the instance, which can be time-consuming ...

Finally, you'll need to provide the Amazon EC2 key pair that you want to use, and you'll have to specify whether you want to use default or custom permissions within the cluster.

No go. I made an image (AMI) and used it to create a new instance, with the same key pair and security group. It won't even connect to port 22. Or port 80, for that matter.

Nick Hardiman shows you how to set up a secure connection to an Amazon EC2 machine using PuTTY and Pageant to handle your private key.