The FTP service is running in the Amazon Web Services (AWS) cloud. Every FTP server (AWS EC2 instances) is protected by a VPC Security Group which acts as a virtual, stateful firewall for your Amazon Elastic Compute Cloud (Amazon EC2) instance to control inbound and outbound traffic.
Port 22 is intentionally opened in the VPC Security Group to allow customers to connect to the servers via the SFTP protocol. SFTP runs on top of SSH, and therefore users do make SSH connections to the server as part of the SFTP connection negotiation, however after connecting users only have access to SFTP commands. All FTP server images have changed the Linux SSH Port to a non-standard port number (not port 22) that is NOT open in the firewall.
The FTP software also allows admins to enable IP whitelists for all, or a subset, of FTP users in their account. The IP whitelist is used to set a list of authorized IP addresses and/or ranges that a given user can login from.