For droplets and ec2, you 'own' the inside of the virtual machine and its your responsibility to install software that you need and patch it according to a routine schedule.
That said, both services have firewall rules you put in place that help manage this. IE - you may expose SSH to your local ip address, but only port 80/443 for the rest of the world.
You are right though - its another attack vector. If you don't want to muck with that, and you have a static site, you could put your static site into S3 and then host with cloudfront. With that, you have no risk.
That said, both services have firewall rules you put in place that help manage this. IE - you may expose SSH to your local ip address, but only port 80/443 for the rest of the world.
You are right though - its another attack vector. If you don't want to muck with that, and you have a static site, you could put your static site into S3 and then host with cloudfront. With that, you have no risk.