First, you need to create an ACL that allows the required ports/protocols for management (HTTP, HTTPS, tcp/4343, SSH, SNMP, etc.) from the management IPs. Once you have the ACL defined, add it to the physical (gig 1/0, for instance) port on the controller that attaches to your network. This won't help AMP, though. You will have to add ACLs to some other device to protect it.
Second, do you need the ports up? Can you just shut them down in the config? If not, you will have to create an ACL that denies DHCP and then permits everything else and apply it to those ports.