Security group inbound rules wiped out and 0.0.0.0/0 added by eksclusterrole automatically

I have deployed a 2-node AWS EKS cluster (version 1.18). It contains some ELBs, microservices and a UI hosted on Kubernetes. The ELBs have their own security groups. I modify the primary replica's security group inbound rules manually to enable access to the DB for specific IPs (e.g. 117.123.111.99/32) on port 27017. However, I have noticed that after a couple of days an inbound rule automatically gets added for port 27017 - 0.0.0.0/0 and custom ICMP-IPv4 0.0.0.0/0 for all 3 mongo replica LoadBalancer security groups.

When I look at the logs in CloudTrail, it says that eksclusterrole:

                "type": "Role",
                "principalId": "blablabla",
                "arn": "arn:aws:iam::MyAccountId:role/eksclusterrole",
                "accountId": "MyAccountId",
                "userName": "eksclusterrole"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "date"
            }
        },
        "invokedBy": "eks.amazonaws.com"
    },
    "eventTime": "date",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "eks.amazonaws.com",
    "userAgent": "eks.amazonaws.com",
    "requestParameters": {
        "groupId": "sg-mysecurityid",
        "ipPermissions": {
            "items": [
                {
                    "ipProtocol": "icmp",
                    "fromPort": 3,
                    "toPort": 4,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "0.0.0.0/0"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                },
                {
                    "ipProtocol": "tcp",
                    "fromPort": 27017,
                    "toPort": 27017,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "0.0.0.0/0"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                }
            ]
        }
    }

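The CloudTrail record above has a fixed shape (eventName, requestParameters.groupId, ipPermissions.items[].ipRanges.items[].cidrIp, userIdentity.invokedBy), which makes it easy to alert on. Below is an added detection example, not part of the original question or answer; the sample event and the sg-example1234 group id are constructed to mirror the quoted record, and the set of "deliberately public" ports is an assumption.

```python
# Added example (not from the Stack Overflow post): flag AuthorizeSecurityGroupIngress
# records that open a port to the whole internet, using the requestParameters
# layout shown in the question's CloudTrail event.

# Constructed sample record shaped like the quoted event (group id is a placeholder).
SAMPLE_EVENTS = [
    {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"invokedBy": "eks.amazonaws.com"},
        "requestParameters": {
            "groupId": "sg-example1234",
            "ipPermissions": {"items": [
                {"ipProtocol": "icmp", "fromPort": 3, "toPort": 4,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
                {"ipProtocol": "tcp", "fromPort": 27017, "toPort": 27017,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}},
                {"ipProtocol": "tcp", "fromPort": 27017, "toPort": 27017,
                 "ipRanges": {"items": [{"cidrIp": "117.123.111.99/32"}]}, "ipv6Ranges": {}},
            ]},
        },
    },
]

WORLD_OPEN = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

def world_open_ingress(events, public_ports=frozenset({80, 443})):
    """Return (groupId, invokedBy, protocol, fromPort, toPort, cidr) for every
    authorized ingress permission whose CIDR is world-open, skipping single TCP
    ports assumed to be intentionally public (default: HTTP/HTTPS)."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = ev.get("requestParameters", {})
        who = ev.get("userIdentity", {}).get("invokedBy", "unknown")
        for perm in params.get("ipPermissions", {}).get("items", []):
            # Empty ranges appear as {} in CloudTrail, so default "items" to [].
            ranges = (perm.get("ipRanges", {}).get("items", [])
                      + perm.get("ipv6Ranges", {}).get("items", []))
            for r in ranges:
                cidr = r.get("cidrIp") or r.get("cidrIpv6")
                if cidr not in WORLD_OPEN:
                    continue
                proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
                if proto == "tcp" and lo == hi and lo in public_ports:
                    continue  # deliberately public service port
                findings.append((params.get("groupId"), who, proto, lo, hi, cidr))
    return findings

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_EVENTS):
        print("world-open ingress:", finding)
```

Run over a CloudTrail export, the invokedBy field separates controller-driven changes (eks.amazonaws.com) from human ones, which is exactly the distinction the question needed.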

Solution 1:[1]

From the Docs:

Amazon EKS adds one inbound rule to the node's security group for client traffic and one rule for each load balancer subnet in the VPC for health checks for each Network Load Balancer that you create

Can be disabled (Docs):

service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 licha