In AWS EKS, what security group allows access to master node from kubernetes client?

When I create a EKS cluster, I can access the master node from anywhere. Even though, the control plane security group only allows the worker to control plane connectivity (default configuration).

How can the access to the control plane be limited to a security group?


You can't

The EKS master nodes are managed by AWS and are run in a different account. You need access to the internet in order to reach the endpoint, and security groups won't stop anyone else from hitting the public endpoint.

Run a Dig against the API server endpoint and you can see this:

{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN   A xxx.xxx.xxx.xxx
{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN   A xxx.xxx.xxx.xxx

This is just the API endpoint though, and I suspect that the master nodes are not actually publicly accessible, only the API endpoint, and I am certain that the API has the same AWS authentication measures as any other service's public API endpoint.
https://docs.aws.amazon.com/general/latest/gr/rande.html#eks_region

I would suggest going through the EKS VPC tutorial and the read the section in the docs on EKS Networking.