How to use CDK to build a Network Firewall Rule Group


I kept getting a syntax error when I wanted to build a rule group. My goal is to ALLOW only AWS services and DENY all other TCP traffic. The following is the example: I can build and deploy the CDK, but CloudFormation cannot build it and reports a syntax error about the RuleGroup. So my questions are:

  1. Can I use CDK to build a "Suricata compatible rule string" type of rule group?
  2. If not, my goal was only to allow some domains and deny everything else explicitly; what else can I try? Thank you very much.
        # Module import the snippet relies on (aws-cdk-lib v2)
        from aws_cdk import aws_networkfirewall as firewall

        reject_all_rule_group = firewall.CfnRuleGroup(
            self,
            "RejectAllRuleGroup",
            capacity=100,
            rule_group_name="RejectAllRuleGroup",
            type="STATEFUL",
            description="Reject all other traffic",
            rule_group=firewall.CfnRuleGroup.RuleGroupProperty(
                rules_source=firewall.CfnRuleGroup.RulesSourceProperty(
                    # One Suricata rule per line, newline-terminated. The
                    # original value ended with a stray '"' after the last
                    # newline, which CloudFormation rejects as a malformed rule.
                    # Note: these two pass rules only allow the listed hosts;
                    # by themselves they deny nothing, so a drop rule (or a
                    # drop default action in the policy) is still required.
                    rules_string=(
                        'pass http any any -> any any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Permit HTTP access to the web server"; sid:1000001; rev:1;)\n'
                        'pass tls any any -> any any (tls.sni; content:"aws.amazon.com"; startswith; nocase; endswith; msg:"Permit HTTPS access to aws.amazon.com"; sid:1000002; rev:1;)\n'
                    )
                )
            ),
        )

        firewall_policy = firewall.CfnFirewallPolicy(
            self,
            "AaronTestFirewallPolicy",
            firewall_policy=firewall.CfnFirewallPolicy.FirewallPolicyProperty(
                # "aws:pass" lets every packet bypass the stateful engine, so the
                # rule group above would never be evaluated; forward to it instead.
                stateless_default_actions=["aws:forward_to_sfe"],
                stateless_fragment_default_actions=["aws:forward_to_sfe"],
                stateful_rule_group_references=[
                    firewall.CfnFirewallPolicy.StatefulRuleGroupReferenceProperty(
                        resource_arn=reject_all_rule_group.attr_rule_group_arn
                    ),
                ],
            ),
            firewall_policy_name="AaronTestFirewallPolicy",
        )
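An added worked example (not code from the original post): a CDK Python stack fragment that answers question 1 with a `rules_string` Suricata rule group, lints the rules string locally before CloudFormation sees it (the stray quote in the post's string is exactly what such a check catches), and answers question 2 by letting the firewall policy deny everything the pass rules do not match. The domain list, construct ids, sid base and the choice of `STRICT_ORDER` with `aws:drop_established` are assumptions for illustration; aws-cdk-lib v2 is assumed and is only imported inside the function that builds the constructs, so the rule builder and linter run without it installed.

```python
"""Added example, not code from the original post. Assumes aws-cdk-lib v2
(aws_cdk.aws_networkfirewall); domains, ids and sid base are illustrative."""
import re

# Constructed allow-list: a leading dot means "this domain and all subdomains".
ALLOWED_DOMAINS = [".amazonaws.com", "aws.amazon.com"]

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(r"^(pass|drop|reject|alert) \S+ \S+ \S+ (->|<>) \S+ \S+ \((.*)\)$")


def build_rules(domains, base_sid=1000001):
    """Return a Suricata rules string that passes TLS (by SNI) and HTTP (by Host)
    to each domain. No drop rule is emitted: with STRICT_ORDER and a policy
    default of aws:drop_established, unmatched flows are dropped once established,
    which still lets the TCP handshake and ClientHello (where the SNI is) through."""
    lines, sid = [], base_sid
    for domain in domains:
        if domain.startswith("."):
            # dotprefix prepends "." to the buffer, so endswith matches the
            # domain itself as well as every subdomain.
            match = f'dotprefix; content:"{domain}"; endswith; nocase;'
        else:
            match = f'content:"{domain}"; startswith; endswith; nocase;'  # exact host
        for proto, buf in (("tls", "tls.sni"), ("http", "http.host")):
            lines.append(
                f"pass {proto} any any -> any any ({buf}; {match} "
                f'msg:"Allow {proto} to {domain}"; sid:{sid}; rev:1;)'
            )
            sid += 1
    return "\n".join(lines) + "\n"


def lint_rules(rules):
    """Return a list of problems found in a rules string; empty means it looks sane.
    Catches the classic CloudFormation rejections: a non-rule line (e.g. a stray
    quote), unbalanced quotes, and missing or duplicate sids."""
    problems, seen = [], set()
    for n, line in enumerate(rules.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a rule: {line!r}")
            continue
        if line.count('"') % 2:
            problems.append(f"line {n}: unbalanced quotes")
        sid = re.search(r"\bsid:(\d+);", m.group(3))
        if not sid:
            problems.append(f"line {n}: missing sid")
        elif sid.group(1) in seen:
            problems.append(f"line {n}: duplicate sid {sid.group(1)}")
        else:
            seen.add(sid.group(1))
    return problems


def add_allowlist_firewall_policy(scope, domains=ALLOWED_DOMAINS):
    """Create the rule group and policy inside a CDK Stack (scope is the Stack)."""
    from aws_cdk import aws_networkfirewall as nfw  # local so the linter runs without CDK

    rules = build_rules(domains)
    problems = lint_rules(rules)
    if problems:
        raise ValueError("bad rules string: " + "; ".join(problems))

    rule_group = nfw.CfnRuleGroup(
        scope, "AllowListRuleGroup",
        capacity=100, rule_group_name="AllowListRuleGroup", type="STATEFUL",
        rule_group=nfw.CfnRuleGroup.RuleGroupProperty(
            rules_source=nfw.CfnRuleGroup.RulesSourceProperty(rules_string=rules),
            # STRICT_ORDER is required for the aws:drop_* policy defaults below.
            stateful_rule_options=nfw.CfnRuleGroup.StatefulRuleOptionsProperty(
                rule_order="STRICT_ORDER"),
        ),
    )
    policy = nfw.CfnFirewallPolicy(
        scope, "AllowListFirewallPolicy",
        firewall_policy_name="AllowListFirewallPolicy",
        firewall_policy=nfw.CfnFirewallPolicy.FirewallPolicyProperty(
            # aws:pass here would skip the stateful engine entirely.
            stateless_default_actions=["aws:forward_to_sfe"],
            stateless_fragment_default_actions=["aws:forward_to_sfe"],
            stateful_engine_options=nfw.CfnFirewallPolicy.StatefulEngineOptionsProperty(
                rule_order="STRICT_ORDER"),
            # Deny-by-default for every flow no pass rule accepted.
            stateful_default_actions=["aws:drop_established"],
            stateful_rule_group_references=[
                nfw.CfnFirewallPolicy.StatefulRuleGroupReferenceProperty(
                    resource_arn=rule_group.attr_rule_group_arn,
                    priority=1),  # priority is mandatory under STRICT_ORDER
            ],
        ),
    )
    return rule_group, policy
```

Call `add_allowlist_firewall_policy(self)` from a Stack's `__init__`; `lint_rules` can also be run in CI against any hand-written rules string, and it reports the post's trailing `"` as a non-rule line before a deploy is attempted.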
No Answers
