My IaC is on public GitHub. They could do a network scan to find software then fingerprint to find version anyway.
Removing attack surface is better than trying to hide it.