Creating rules

With your conditions defined, we now move on to the next important aspect of configuring WAF: rules. Rules allow you to combine one or more conditions into a logical statement, which can then be used to allow, block, or count a particular incoming request:

  1. In the Create rules page, you can now merge the conditions we created a while back and assign each rule a corresponding action, such as allow, block, or count. To get started, select the Create rule option.
  2. In the Create rule popup, we will be creating two rules: one rule that will basically allow me to access the WordPress admin login page (wp-login.php) from my local laptop, and another rule that blocks traffic to the same login page. Let's first create the Allow traffic rule.
  3. To do so, type in a suitable Name for your rule. You will notice the corresponding CloudWatch metric name field auto-populate itself with the same name as well. You can choose to change this name as per your requirements, or leave it to its default value.
  4. Next, in the Rule type drop-down list, select whether you want this rule to be a Regular rule or a Rated rule. For this scenario, I've opted for the Regular rule, as shown in the following screenshot:
  5. Once done, move on to the Add conditions section, where we can associate our rule with one or more conditions. Start by selecting the appropriate drop-down option to form the following rule:

When a request: "Does": "Originate from an IP Address in": "<SELECT_YOUR_IP_ADDRESS_MATCH_CONDITION_HERE>"

Here's what your new rule should look like once it is properly set up. Click on Create once completed:

  6. With your Allow rule created, we use the same steps once again to create a Block rule as well. Select the Create rule option once again, and provide a suitable Name for your rule. Similar to the previous case, I've opted for a Regular rule here as well.
  7. Next, in the Add conditions section, we first add a condition that matches the following statement:
When a request: "Does not": "Originate from an IP Address in": "<SELECT_YOUR_IP_ADDRESS_MATCH_CONDITION_HERE>"
  8. Next, select the Add condition option to add the string match condition as well:
When a request: "Does": "Match at least one of the filters in the string match condition": "<SELECT_YOUR_STRING_MATCH_CONDITION_HERE>"

Here's what your rule should look like once both the conditions are added to it:

  9. With the conditions in place, select the Create option to finally create your blocking rule.
  10. Now that your two rules are created, you should see them both listed in the Add rules to a web ACL page, as shown in the following screenshot:
  11. Here, make sure you order your rules correctly, based on their precedence, by selecting the Order option as required. You can additionally configure the Default action for your web ACL as well. This default action will only get triggered if the request does not match any of the conditions mentioned in either the allow or the blocking rules. Once you are confident with your configurations, select the Review and create option, as shown earlier. And voila! Your basic WAF is now up and running!
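
The evaluation logic that these steps configure, modeled in Python as an added example (not code from the book or from AWS). The rule names, the sample IP addresses, the "URI contains wp-login.php" reading of the string match condition, and the `evaluate` helper are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample value: the admin laptop's address (documentation range).
ADMIN_IP_SET = [ipaddress.ip_network("203.0.113.10/32")]

def in_ip_set(req):
    """IP match condition: source address is in the admin IP set."""
    return any(ipaddress.ip_address(req["ip"]) in net for net in ADMIN_IP_SET)

def matches_login(req):
    """String match condition, assumed here to be 'URI contains wp-login.php'."""
    return "wp-login.php" in req["uri"]

@dataclass
class Rule:
    name: str
    action: str        # "ALLOW", "BLOCK" or "COUNT"
    predicates: list   # (negated, condition) pairs; all must hold (AND)

    def matches(self, req):
        return all(cond(req) != negated for negated, cond in self.predicates)

def evaluate(rules, default_action, req):
    """Walk rules in order; ALLOW/BLOCK end evaluation, COUNT only records."""
    counted = []
    for rule in rules:
        if rule.matches(req):
            if rule.action == "COUNT":
                counted.append(rule.name)
                continue
            return rule.action, rule.name, counted
    return default_action, "default", counted

# Hypothetical names for the two rules built in the steps above.
ALLOW_ADMIN = Rule("AllowAdminLogin", "ALLOW", [(False, in_ip_set)])
BLOCK_LOGIN = Rule("BlockLogin", "BLOCK", [(True, in_ip_set), (False, matches_login)])
WEB_ACL = [ALLOW_ADMIN, BLOCK_LOGIN]

if __name__ == "__main__":
    samples = [  # constructed requests
        {"ip": "203.0.113.10", "uri": "/wp-login.php"},
        {"ip": "198.51.100.7", "uri": "/wp-login.php"},
        {"ip": "198.51.100.7", "uri": "/index.php"},
    ]
    for req in samples:
        print(req, "->", evaluate(WEB_ACL, "ALLOW", req))
```

With the default action set to BLOCK instead of ALLOW, the third request (a non-admin visitor to /index.php) would also be blocked, so a public site using only these two rules needs ALLOW as its default.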