In case anyone finds this thread with a similar question, I was able to access my controller remotely via unifi.ubnt.com after opening these ports on my router and Windows firewall:
TCP: 8080 8081 8443 8880 8843 27117
You can configure your local DNS to resolve “unifi” to your controller's IP. That way all new APs that get connected to your different networks will show up in your cloud (AWS) controller and can be assigned to sites by adopting them on the right one.
Additional note: UBNT's EdgeMax routers already offer that option on their web GUI. Just configure the “controller” address in settings.
Unifi Cloud Key vs DHCP option 43? - other useful info here too, re-read this page
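The two controller-discovery methods mentioned above (the “unifi” DNS name and DHCP option 43) as an added, runnable example that is not part of the thread; it assumes dnsmasq as the local DNS/DHCP server and the UniFi option 43 layout (sub-option 0x01, length 4, IPv4 address), and the controller IP 192.168.3.8 is a constructed sample:

```python
import ipaddress
from typing import List

# UniFi's DHCP option 43 (vendor-specific information) layout, as assumed here:
# sub-option 0x01 carries the controller IPv4 address, so the length byte is always 4.
UNIFI_SUBOPTION = 0x01


def encode_option43(controller_ip: str) -> str:
    """Return the colon-separated hex value to hand out as DHCP option 43."""
    ip = ipaddress.IPv4Address(controller_ip)  # raises ValueError on a non-IPv4 string
    payload = bytes([UNIFI_SUBOPTION, 4]) + ip.packed
    return ":".join(f"{b:02x}" for b in payload)


def decode_option43(value: str) -> str:
    """Parse an option 43 hex string back into the controller IP.

    Rejects values that are not exactly one UniFi sub-option (wrong type, length
    or trailing bytes) so a mis-typed config line is caught before it is deployed.
    """
    raw = bytes.fromhex(value.replace(":", ""))
    if len(raw) != 6 or raw[0] != UNIFI_SUBOPTION or raw[1] != 4:
        raise ValueError(f"not a UniFi option 43 value: {value}")
    return str(ipaddress.IPv4Address(raw[2:]))


def dnsmasq_lines(controller_ip: str) -> List[str]:
    """dnsmasq config for both discovery methods: the 'unifi' host record and option 43.

    The dnsmasq syntax (address=/name/ip and dhcp-option=43,<hex bytes>) is an
    assumption of this example; check it against your dnsmasq version.
    """
    return [
        f"address=/unifi/{controller_ip}",
        f"dhcp-option=43,{encode_option43(controller_ip)}",
    ]


if __name__ == "__main__":
    # Constructed sample controller address; replace with your controller's IP.
    for line in dnsmasq_lines("192.168.3.8"):
        print(line)
```

Round-tripping the generated value through decode_option43 is a cheap sanity check before pushing the option to a production DHCP scope.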