Serverless IAM policy for EC2 FTP in a VPC

I have a function, triggered on an S3 event, which takes the file and uploads it to a legacy EC2 FTP server running in a VPC.

What is the correct way to add an IAM policy or group that allows the lambda function to access this specific machine, without having to deploy the lambda function in the VPC or having to open port 21 globally?

Any advice is much appreciated