Instead of directly opening up the instance to the world, my suggestion is to keep it in a private subnet. Use an ELB to direct the traffic to the instance; this will be a bit costlier, but will add a layer of security to your instance in the long run.
I have not added a certificate to an SFTP instance through an ELB; however, I have created isolated SFTP instances earlier. Getting this suggested setup to work would only need some time and tinkering.
For the SSL cert, we can use Let's Encrypt, which is a free yet safe service to generate and renew certificates.
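
A check for the layout suggested above, added here as an example and not part of the original post: it flags an SFTP instance that has a public IP or whose security groups admit port 22 from anywhere other than the load balancer. It assumes the ELB has its own security group; the input dicts are constructed samples shaped like EC2 DescribeInstances / DescribeSecurityGroups output, and every ID is a placeholder.

```python
# Added example. Input dicts are constructed and mimic the shape of EC2
# DescribeInstances / DescribeSecurityGroups output; all IDs are placeholders.
SFTP_PORT = 22
ELB_SG = "sg-elb-example"  # assumption: the ELB has its own security group

def covers_port(perm, port):
    """True if an inbound rule applies to the given TCP port."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_sftp_instance(instance, security_groups, elb_sg_id, port=SFTP_PORT):
    """Return findings; an empty list means only the ELB can reach the port."""
    findings = []
    if instance.get("PublicIpAddress"):
        findings.append("instance has a public IP address")
    attached = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm, port):
                continue
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ("0.0.0.0/0", "::/0"):
                    findings.append(f"{sg['GroupId']}: port {port} open to {cidr}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != elb_sg_id:
                    findings.append(f"{sg['GroupId']}: port {port} open to {pair.get('GroupId')}")
    return findings

def ssh_rule(cidrs=(), groups=()):
    """Build a constructed inbound rule for TCP port 22."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

SGS = [{"GroupId": "sg-open-example", "IpPermissions": [ssh_rule(cidrs=["0.0.0.0/0"])]},
       {"GroupId": "sg-private-example", "IpPermissions": [ssh_rule(groups=[ELB_SG])]}]
EXPOSED = {"PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-open-example"}]}
ISOLATED = {"SecurityGroups": [{"GroupId": "sg-private-example"}]}

if __name__ == "__main__":
    for name, inst in (("exposed", EXPOSED), ("isolated", ISOLATED)):
        print(name, audit_sftp_instance(inst, SGS, ELB_SG) or "OK")
```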