AWS Organizations, Security and Networking

A Story of Owning Change

About Knock CRM

Knock is an award-winning customer relationship management (CRM) and performance management SaaS platform for multifamily property managers. Hundreds of the leading apartment managers and owners across North America rely on Knock’s automation, integrations and data transparency tools to maximize occupancy, rent growth and customer satisfaction in every community. The company is based in Seattle and was founded in 2014.


1Strategy is a great partner, time and time again.

—Paul Campbell, Senior Director of Security and Privacy at Knock

The Challenge

Knock launched their first product in 2016, hosted on Amazon Web Services (AWS). Since then, the company’s customer base has grown to include thousands of properties, and today, Knock is the multifamily industry’s leading CRM with multiple product offerings. However, with the growth of the company and products, the underlying AWS environment was still based around the idea of Knock being a single-product company. Knock needed a partner and plan for building a secure, performant and scalable AWS environment that matched their maturing product portfolio and operational goals.

Why Amazon Web Services and 1Strategy

Knock has partnered with AWS since the beginning; there was never any question whether future workloads would also be built and would run on AWS. Running SaaS lean, though, meant that Knock didn’t staff the full-time AWS Solutions Architect that would be necessary to design and plan a project of this complexity.

“It was a very easy decision to go with 1Strategy,” said Paul Campbell, senior director of security and privacy at Knock. “1Strategy is well-known for delivering exceptional AWS design support, and they presented the most thorough and tailored statement of work.”

Additionally, Knock’s DevOps team lead was familiar with multiple 1Strategy staff through CoffeeOps, a Seattle DevOps networking group founded by a 1Strategy team member.

The Benefits

Requirements and Design

“The best part of outsourcing architecture and planning for these large, complex, one-off projects is that you can benefit from a proven playbook,” said Matt Hillman, vice president of engineering at Knock.

Indeed, 1Strategy was able to bring a proven playbook for identifying requirements to transition from a single-account architecture to one based on multiple AWS accounts. It started with reviews of the existing environment and interviews of the engineering team leads and ended with a proposed architecture addressing all foreseeable requirements of the business.

Development and Implementation

By leveraging Terraform infrastructure as code and AWS Control Tower, 1Strategy was able to assist Knock in developing and implementing an AWS environment and architecture consistent with recognized best practices. This included aligning accounts with data sensitivity, implementing commensurate preventative and detective controls for organizational units (OU), and configuring AWS Single Sign-on (SSO) to provide for fast role selection and switching.

“Compared to traditional role switching, AWS SSO makes operating in a multi-account environment easy,” said Justin Martenstein, DevOps lead at Knock.

Secure by Design

Knock relied on 1Strategy’s extensive experience with securing AWS workloads as they collaborated on the preventative, detective and response-oriented control design and validation. 1Strategy was able to suggest controls that scaled much more efficiently in a multi-account environment while still meeting the company’s security commitments. A great example is the use of Control Tower to automatically centralize AWS CloudTrail event streams so that new accounts are monitored with no additional effort.


Much like the account structure, Knock’s networking layer wasn’t optimized for a multiproduct company.

“We’re excited to realize a number of network-level benefits such as centralized VPN and simplified DNS management,” said Martenstein. “As well as shifting all network infrastructure to code for modularization and version control.”

The icing on the cake for the project was a centralized ingress/egress networking architecture for sensitive workloads. By utilizing AWS Transit Gateway, Knock can control access to workloads through a single network entry point. Separate Transit Gateway route tables enable sensitive data networks to be isolated from regular networks and permit the efficient deployment of network traffic inspection, intrusion prevention and data-loss prevention systems.


With a centrally managed networking architecture, Knock will now be able to maintain a set of VPCs that can be shared with current and future workload accounts using AWS Resource Access Manager (RAM). Sharing the same network lowers operational overhead while still allowing workloads to be logically isolated by AWS accounts with their associated service control policies (SCP).


On every project, 1Strategy strives to leave the customer with the knowledge and understanding needed to maintain their solution over time. Through several training sessions, 1Strategy helped Knock achieve greater autonomy and develop a vision for how to scale AWS resources over the next five years.

“From my perspective, this project would be between an A and A+,” said Campbell. “This experience was altogether very positive. From scoping discussions to project management to working directly with 1Strategy’s consultant on implementation, this project went as well as any project I’ve ever done. 1Strategy’s AWS-specific networking expertise was very valuable. The training sessions went great, and we appreciated 1Strategy’s ability to answer technical questions from various teams. We now have an architecture that will work well for us for many years.”

The work described in this engagement was originally completed by 1Strategy, a TEKsystems Global Services company acquired in 2019. As of June 2023, 1Strategy has fully integrated with TEKsystems Global Services to continue to deliver AWS expertise to customers.
