It's all too common, unfortunately, with cloud systems. A scary number of cloud servers have any port used by a service open to the entire internet, assuming someone has even bothered to put specific ports and not just all ports.
Too much Kool-Aid and people without any background in Ops/Architect/Security believe they can do devops without an ops person because it's just a few clicks in a browser or a CLI command to get a server running.
It's only going to get worse as the number of people with cloud ops/architect/security experience decreases. Especially amongst dev-driven teams and startups who believe ops/architects/security is a roadblock and they can do it themselves because they are 'devops' experts. Until they are shown all the issues and then suddenly it's the company's fault for not hiring an ops person for their 'devops' world.