diff --git a/packages/@aws-cdk/aws-route53resolver/lib/firewall-domain-list.ts b/packages/@aws-cdk/aws-route53resolver/lib/firewall-domain-list.ts
index a6303b2c78114..80f211ab07f66 100644
--- a/packages/@aws-cdk/aws-route53resolver/lib/firewall-domain-list.ts
+++ b/packages/@aws-cdk/aws-route53resolver/lib/firewall-domain-list.ts
@@ -45,8 +45,8 @@ export abstract class FirewallDomains {
 */
 public static fromList(list: string[]): FirewallDomains {
 for (const domain of list) {
- if (!/^[\w-.]+$/.test(domain)) {
- throw new Error(`Invalid domain: ${domain}. Valid characters: A-Z, a-z, 0-9, _, -, .`);
+ if (!/^([\w-.]{1,255}|\*[\w-.]{1,254})$/.test(domain)) {
+ throw new Error(`Invalid domain: ${domain}. Domain can optionally start with *. Max length of 255. Valid characters: A-Z, a-z, 0-9, _, -, .`);
 }
 }
 
diff --git a/packages/@aws-cdk/aws-route53resolver/test/firewall-domain-list.test.ts b/packages/@aws-cdk/aws-route53resolver/test/firewall-domain-list.test.ts
index 3806a59c670ba..5eaef3352d702 100644
--- a/packages/@aws-cdk/aws-route53resolver/test/firewall-domain-list.test.ts
+++ b/packages/@aws-cdk/aws-route53resolver/test/firewall-domain-list.test.ts
@@ -12,7 +12,11 @@ beforeEach(() => {
 test('domain list from strings', () => {
 // WHEN
 new FirewallDomainList(stack, 'List', {
- domains: FirewallDomains.fromList(['first-domain.com', 'second-domain.net']),
+ domains: FirewallDomains.fromList([
+ 'first-domain.com',
+ 'second-domain.net',
+ '*.wildcard.com',
+ ]),
 });
 
 // THEN
@@ -20,6 +24,7 @@ test('domain list from strings', () => {
 Domains: [
 'first-domain.com',
 'second-domain.net',
+ '*.wildcard.com',
 ],
 });
 });
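Review bot: The new pattern in `fromList` still checks only the character set and the length, so strings such as `*example.com` (no dot after the asterisk), `*.` or `..` pass this check and are presumably handed on unchanged as firewall domains. Because a wildcard entry widens what a block or allow rule matches, the doc comment above `fromList` (it starts outside this hunk) should state that a leading `*` is accepted and that label structure is not validated here. Separately, the hyphen in `[\w-.]` is literal only because this is a non-Unicode regex; writing the class with the hyphen last, `/^([\w.-]{1,255}|\*[\w.-]{1,254})$/`, keeps the same behaviour and would not break if the `u` flag were ever added. The body of `fromList` continues past the end of the hunk.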
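Review bot: The test changes cover only the accepted case, adding `'*.wildcard.com'` to the input here and to the expected `Domains` in the following hunk; nothing exercises the rejections that the new pattern introduces. A negative case such as `expect(() => FirewallDomains.fromList(['a.*.com'])).toThrow(/Invalid domain/);`, plus one for a name longer than 255 characters, would pin the rule that the asterisk is allowed only as the first character and the length limit stated in the error message. Without them a later loosening of the regex on this DNS firewall input would go unnoticed.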