Least privilege just means that you made an attempt to see whether all those ports need to be open, or the app needs all those permissions. It’s probably fine.
No one needs to know how a system was built (that'd be a potential security weakness cause an attacker could read it to understand it, right?) - so why bother documenting anything you've done?