You can't
The EKS master nodes are managed by AWS and are run in a different account. You need access to the internet in order to reach the endpoint, and security groups won't stop anyone else from hitting the public endpoint.
Run a Dig against the API server endpoint and you can see this:
{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN A xxx.xxx.xxx.xxx
{hash}.sk1.us-east-1.eks.amazonaws.com. 59 IN A xxx.xxx.xxx.xxx
This is just the API endpoint though, and I suspect that the master nodes are not actually publicly accessible, only the API endpoint, and I am certain that the API has the same AWS authentication measures as any other service's public API endpoint.
https://docs.aws.amazon.com/general/latest/gr/rande.html#eks_region
I would suggest going through the EKS VPC tutorial and the read the section in the docs on EKS Networking.