Stricter cluster inbound security group rule from elb

When defining a LoadBalancer service in an eks cluster an elb load balancer is provisioned in aws with a security group.
That group is added to the cluster sg with all ports and protocols. Is there a way to create the rule with just the nodeport? I have looked into cloud-provider-aws/aws_loadbalancer.go at master · kubernetes/cloud-provider-aws · GitHub but there is a function for updating the rules only for NLB as lb type. Is the rule adding managed by the service controller or its done out of the k8s cluster?