AES alone would get you confidentiality, but not authentication.
If it were normal hardware I’d say TLS (SSL) by default unless you had a strong reason to need something else. There is this project that looks like it tries to keep it pretty small, but you’d have to see if it’s fast enough for your use case. Going outside standard TLS is risky as it’s easy to mess things up (even in TLS), and this will be the most standard for connecting to a backend server.
If this didn’t work you could look at using DTLS and CoAP, like the devices are already using to talk to the cloud. This might require more work on both sides of the channel though.
If you’re not necessarily talking to a webserver, or you’re processing so much data that the above just doesn’t work, then you could look at using another algorithm. I would avoid ECB though. You want one that’s AEAD (authenticated encryption with associated data). I’d probably land on Acorn128 (also in the above library). Something using Speck in a non-ECB mode is also probably fine, but the algorithm is controversial.
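
The difference between confidentiality-only encryption and AEAD, as an added example that is not part of the original post: a single bit flipped in transit silently changes what an AES-CTR receiver decrypts, while an AEAD rejects the message, and also rejects a change to the unencrypted associated data. It uses AES-CTR and AES-GCM from Go's standard library as stand-ins, not the library or Acorn128 mentioned above; the key, nonce, IV, message, header and function names are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values (fixed sizes, so constructor errors are ignored).
var (
	demoKey   = []byte("0123456789abcdef") // 16 bytes: AES-128; real keys are random
	demoNonce = []byte("unique-nonce")     // 12 bytes: GCM nonce, never reuse per key
	demoIV    = []byte("fedcba9876543210") // 16 bytes: CTR initial counter block
	demoMsg   = []byte("relay=0;relay=0;") // hypothetical device command
	demoAAD   = []byte("device-42")        // hypothetical header: authenticated, not encrypted
)

// ctrXOR encrypts or decrypts with AES-CTR: confidentiality only, no tag.
func ctrXOR(in []byte) []byte {
	block, _ := aes.NewCipher(demoKey)
	out := make([]byte, len(in))
	cipher.NewCTR(block, demoIV).XORKeyStream(out, in)
	return out
}

// TamperCTR flips one ciphertext bit in transit; the receiver cannot notice.
func TamperCTR() []byte {
	ct := ctrXOR(demoMsg)
	ct[6] ^= 0x01 // plaintext byte 6 changes from '0' to '1'
	return ctrXOR(ct)
}

// TamperGCM alters the header or the ciphertext; Open returns an error for both.
func TamperGCM(flipHeader bool) error {
	block, _ := aes.NewCipher(demoKey)
	aead, _ := cipher.NewGCM(block)
	ct := aead.Seal(nil, demoNonce, demoMsg, demoAAD)
	aad := append([]byte(nil), demoAAD...)
	if flipHeader {
		aad[0] ^= 0x01
	} else {
		ct[6] ^= 0x01
	}
	_, err := aead.Open(nil, demoNonce, ct, aad)
	return err
}

func main() {
	fmt.Printf("CTR: %q  GCM: %v / %v\n", TamperCTR(), TamperGCM(false), TamperGCM(true))
}
```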