If you find yourself in the, um, unfortunate position of having managed to lock yourself out of an Azure based management server (or gateway for that matter) by pushing an erroneous policy to a gateway, there is a little access tool to help you fudge a way to restoring comms;

I had a similar issue at a customer who was using an internal Cluster across an express route, so (not internet facing as such; and thankfully no NAT was involved as this was just a datacentre extension) but using the 'Serial console' from within Azure Portal I was able to 'fw unloadlocal' and also enable ip forwarding [echo 1 > /proc/sys/net/ipv4/ip_forward] (absolutely not recommended) to get access back to the management server through the gateway.

Just in case this helps anyone else out.

Edit: Just read the original question, it's about AWS, my response is purely for Azure, doh!