Oh Amazon Lightsail...

Why does your CentOS image start with Security Enhanced Linux turned on and in Enforcing mode, but doesn't start a bloody firewall by default?

I know you mean well and you exist to eat the lunches of Linode/Rackspace/DigitalOcean et al., but I can't recommend you if you're gonna be so half-arsed.

Whoever within Amazon is building these things, please, for the love of PaaS Jebus, get your shit together: take a leaf out of the EC2 security group playbook and only allow SSH in by default.

If the customer wants to blow his/her own genitals off with a shotty afterwards by stopping the firewall, it's on them.

Or just avoid the whole palaver and Terraform/Ansible/Puppet your instances with proper security (Security Groups / ACLs / host firewall) in EC2 and leave Lightsail to the lightweights :P

Cheers

A still slightly bemused AWS professional.