I’m using NICE DCV too! It works fine without a cloud formation template. You do need to “decrypt the administrator password” once using some process that the help files talk about if you google for it.
I believe running a Windows machine on the open internet with all ports open used to be a really bad idea. These days it’s no worse an idea than doing the same thing for a Linux box, but I wouldn’t do that for Linux, either 
I was mistaken in what ports you need in the comment above. Here’s my security group definition (with IDs masked for paranoia):
{
"SecurityGroups": [
{
"Description": "Windows RDP",
"GroupName": "ue-windows-rdp",
"IpPermissions": [
{
"FromPort": 8443,
"IpProtocol": "udp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 8443,
"UserIdGroupPairs": []
},
{
"FromPort": 3389,
"IpProtocol": "udp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 3389,
"UserIdGroupPairs": []
},
{
"FromPort": 8443,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 8443,
"UserIdGroupPairs": []
},
{
"FromPort": 3389,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 3389,
"UserIdGroupPairs": []
}
],
"OwnerId": "XXXX",
"GroupId": "sg-XXXX",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-XXXX"
}
]
}
It’s ports 8443 and 3389 on TCP and UDP.