After installing DC/OS 1.6, some customers have been surprised to find that they can still access Mesos and Marathon directly.
Our AWS templates firewall off ports 5050 and 8080 in the security group. You should do the same by firewalling ports 5050 and 8080 on your master nodes. All authentication is handled by nginx on port 80, which proxies to DC/OS services.
Only ports 80, 443, and (possibly) 22 should be allowed to the master nodes.
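
One way to check a master security group against this rule, as an added example that is not from the DC/OS project: it audits ingress rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`. The sample rules, the function name and the `10.0.0.0/16` internal CIDR are constructed assumptions, and sources inside that CIDR are treated as out of scope.

```python
import ipaddress

# From the page: only 80, 443 and (possibly) 22 should reach the masters.
ALLOWED_PORTS = {80, 443, 22}
# Ports the page says to firewall (Mesos and Marathon defaults).
DIRECT_PORTS = {5050: "Mesos", 8080: "Marathon"}

def audit_master_ingress(permissions, internal_cidr):
    """Return (cidr, from_port, to_port, exposed_services) for each TCP
    ingress rule that admits a non-internal source on a port outside
    ALLOWED_PORTS. internal_cidr is an assumed cluster-internal range."""
    internal = ipaddress.ip_network(internal_cidr)
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "all traffic" rule
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            continue                           # UDP/ICMP: not covered here
        if all(p in ALLOWED_PORTS for p in range(lo, hi + 1)):
            continue                           # rule only opens allowed ports
        # Port ranges count: 8000-9000 exposes Marathon even without naming 8080.
        exposed = [n for p, n in DIRECT_PORTS.items() if lo <= p <= hi]
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not src.subnet_of(internal):
                findings.append((rng["CidrIp"], lo, hi, exposed))
    return findings

def _rule(proto, cidr, lo=None, hi=None):
    """Build one constructed ingress rule in IpPermissions shape."""
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
    if lo is not None:
        perm.update(FromPort=lo, ToPort=hi)
    return perm

# Constructed sample rules, not taken from a real deployment.
SAMPLE = [
    _rule("tcp", "0.0.0.0/0", 80, 80),
    _rule("tcp", "0.0.0.0/0", 443, 443),
    _rule("tcp", "10.0.0.0/16", 5050, 5050),   # internal source: skipped
    _rule("tcp", "0.0.0.0/0", 8000, 9000),     # range covers 8080
    _rule("-1", "203.0.113.0/24"),             # all traffic from outside
]

if __name__ == "__main__":
    for cidr, lo, hi, exposed in audit_master_ingress(SAMPLE, "10.0.0.0/16"):
        print(f"{cidr} tcp/{lo}-{hi} exposes: {', '.join(exposed) or 'other ports'}")
```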