Why does your CentOS image start with Security Enhanced Linux turned on and in Enforcing mode, but doesn't start a bloody firewall by default?
I know you mean well and you exist to eat the lunches of Linode/Rackspace/DigitalOcean et. al but I can't recommend you if you're gonna be so half-arsed.
Whoever within Amazon is building these things please for the love of PaaS Jebus get your shit together, take a leaf out of the EC2 security group playbook and only allow ssh in by default.
If the customer wants to blow his/her own genitals off with a shotty afterwards by stopping the firewall it's on them.
Or just avoid the whole palaver and Terraform/Ansible/Puppet your instances with proper security (Security Groups / ACLs / host firewall) in EC2 and leave Lightsail to the lightweights :P
A still slightly bemused AWS professional.