CDK Fargate deploy adds unwanted SG rules

I'm setting up a Fargate cluster with AWS CDK v2. On deploy, CDK is adding a "0.0.0.0/0 Allow from anyone on port 80" rule to a pre-made security group. Any idea how to stop this behavior? Here is my service stanza:

const service = new ecs.FargateService(this, "SBfargate", {
  cluster,
  desiredCount: 1,
  taskDefinition: fargateTaskDefinition,
  assignPublicIp: true,
  securityGroups: [sbsg],
  serviceName: 'SB-Fargate_service',
});