czhang,
Thanks for your reply.
The count now is 569 with one error. It looks like the KMS STS token assume role actions being counted as "users". I have provided a link to the screenshot - all of those STS entries are from the KMS service and the content of those are like what is pasted below:
{"eventName": "GenerateDataKey", "sourceIPAddress": "internal.amazonaws.com", "eventTime": "2016-04-21T21:08:51Z", "requestID": "3f520fc0-0805-11e6-9208-7f0131d283de", "resources": [{"accountId": "XXXXXXXXXXX", "ARN": "arn:aws:kms:eu-west-1:XXXXXXXXXXX:key/58860848-99ce-4248-b974-c18e3ad8a48e"}], "userAgent": "internal.amazonaws.com", "eventVersion": "1.04", "userIdentity": {"invokedBy": "internal.amazonaws.com", "type": "AssumedRole", "accountId": "035351147821", "sessionContext": {"attributes": {"creationDate": "2016-04-21T20:40:31Z", "mfaAuthenticated": "false"}, "sessionIssuer": {"userName": "AWSCloudTrail", "arn": "arn:aws:iam::035351147821:role/AWSCloudTrail", "type": "Role", "accountId": "035351147821", "principalId": "AROAIMYTXX4VMR4TEHMIU"}}, "principalId": "AROAIMYTXX4VMR4TEHMIU:i-00283eca92f510992", "accessKeyId": "XXXXXXXXXXX", "arn": "arn:aws:sts::035351147821:assumed-role/AWSCloudTrail/i-00283eca92f510992"}, "sharedEventID": "e9174339-8a97-4742-ab32-1f4c282042f0", "readOnly": true, "awsRegion": "eu-west-1", "eventType": "AwsApiCall", "responseElements": null, "recipientAccountId": "XXXXXXXXXXX", "eventID": "d532a32d-992b-4345-8ff6-f5d502d526d0", "eventSource": "kms.amazonaws.com", "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::dev-m1-cloudtrail-logs/AWSLogs/XXXXXXXXXXX/CloudTrail/eu-central-1/2016/04/21/XXXXXXXXXXX_CloudTrail_eu-central-1_20160421T2110Z_dmfwwDvr7DETuCkR.json.gz", "aws:cloudtrail:arn": "arn:aws:cloudtrail:eu-west-1:XXXXXXXXXXX:trail/dev-m1-cloudtrail"}, "keyId": "arn:aws:kms:eu-west-1:XXXXXXXXXXX:key/58860848-99ce-4248-b974-c18e3ad8a48e", "keySpec": "AES_256"}}
... View more