I have installed ProFTPd on an Amazon EC2 running Amazon Linux.
I have enabled SSL (FTPS) for ProFTPd and set passive ports in proftpd.conf:

    Port 21
    <IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/log/proftpd/tls.log
      TLSProtocol TLSv1.2
      TLSCipherSuite AES128+EECDH:AES128+EDH
      TLSOptions NoCertRequest AllowClientRenegotiations
      TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
      TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
      TLSVerifyClient off
      TLSRequired on
      RequireValidShell no
    </IfModule>
    # address the server advertises in PASV replies
    MasqueradeAddress ip-of-my-server
    # port range the client connects to for data transfers
    PassivePorts 60000 65535
Users can connect via port 21 if I open up TCP Ports 60000 through 65535 on the security group associated with this instance, but this doesn't feel secure to me (I'm not familiar with Passive FTP or opening up a range of ports like this). We whitelist the IPs of all our customers who will connect to this server on port 21.
Questions
Is there a way to open these passive ports without opening them in the security group on AWS, perhaps using IP configurations on the EC2 server like in this article (http://www.proftpd.org/docs/howto/NAT.html)? I'm not familiar with these types of configurations and am not sure what to do here.
Since a user can't connect to the FTPS server without going through port 21 which is whitelisted to their IP, is it ok to have the TCP ports 60000-65535 open to all IPs within the AWS Security Group? What security concerns should I have here?
Is there some other "best practices" way to configure this?
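In passive mode the server answers PASV with a 227 reply carrying the address and port the client must connect to for the data transfer; with TLSRequired on that reply travels inside the encrypted control channel, so nothing between client and server can learn the port, and the range named in PassivePorts has to be reachable from the client's network. The following Python is an added example, not code from the question or from ProFTPD: it decodes a 227 reply, checks it against the MasqueradeAddress and PassivePorts values from a configuration like the one above, and audits a set of security group ingress rules for the control port and passive range that reach beyond the whitelisted client networks. The reply text, IP addresses and rule tuples are constructed sample data; the tuples mirror the FromPort/ToPort/CidrIp fields of a security group rule.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample reply. ProFTPD sends a 227 line like this on the control
# channel (inside TLS when TLSRequired is on); the address and port are made up.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,234,96)."

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into (advertised_ip, advertised_port).

    The six comma-separated numbers are the four IPv4 octets followed by the
    high and low bytes of the TCP port the client must connect to for data.
    """
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"PASV field out of byte range: {reply!r}")
    a, b, c, d, p_high, p_low = fields
    return f"{a}.{b}.{c}.{d}", p_high * 256 + p_low


@dataclass(frozen=True)
class PassiveConfig:
    """The two proftpd.conf directives the advertised endpoint must agree with."""
    masquerade_address: str  # MasqueradeAddress
    passive_low: int         # first value of PassivePorts
    passive_high: int        # second value of PassivePorts


def check_pasv_reply(reply: str, cfg: PassiveConfig) -> list[str]:
    """Return the mismatches between a 227 reply and the configuration ([] if none)."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != cfg.masquerade_address:
        problems.append(f"advertised {ip}, expected MasqueradeAddress {cfg.masquerade_address}")
    if not cfg.passive_low <= port <= cfg.passive_high:
        problems.append(f"port {port} outside PassivePorts {cfg.passive_low}-{cfg.passive_high}")
    return problems


def audit_ingress(rules, cfg: PassiveConfig, allowed_cidrs) -> list[str]:
    """Flag ingress rules for port 21 or the passive range that reach beyond the
    whitelisted client networks.

    `rules` are constructed (from_port, to_port, cidr) tuples mirroring the
    FromPort/ToPort/CidrIp fields of a security group rule; `allowed_cidrs`
    is the list of customer networks that may use the server.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for lo, hi, cidr in rules:
        touches_ftp = lo <= 21 <= hi or (lo <= cfg.passive_high and hi >= cfg.passive_low)
        if not touches_ftp:
            continue  # unrelated service, outside this audit
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"ports {lo}-{hi} open to {cidr}, which is not a whitelisted client network")
    return findings


if __name__ == "__main__":
    cfg = PassiveConfig("203.0.113.10", 60000, 65535)
    print(parse_pasv(SAMPLE_PASV_REPLY))
    print(check_pasv_reply(SAMPLE_PASV_REPLY, cfg) or "reply matches configuration")
    print(audit_ingress([(21, 21, "198.51.100.0/24"), (60000, 65535, "0.0.0.0/0")],
                        cfg, ["198.51.100.0/24"]))
```

The audit treats the passive range and port 21 as one service: a rule that opens 60000-65535 to 0.0.0.0/0 is reported even when port 21 is restricted, because the data connection is a separate inbound TCP connection and the security group, not the control channel, decides who may open it.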
0 Answers