If you have SSH access to an EC2 instance, the SecretAccessKey and Token can be retrieved by using this command.

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/[instance_name]

(The IP address is a default. Ref).

If session token in compromised, Revoke session instead of deleting IAM role.

'Revoke sessions' will generate a new session token (which the malicious user would not have unless he has access to EC2 via SSH).

Deleting the role will cause all other uncompromised instances with the same role will lose permissions.