I think wire guard is a good idea rather than open up the actual ports to your server to the internet, but even then I don't get why you mention aws. How come you can't just terminate wireguard on a pi or router at home and have that as the only port open on your fw?