For resources like databases, you don't need cross-account access if you're using internal DB authentication systems. For IAM-based DB authentication, you can simply write policies to trust the target accounts.
Occasionally, you'll need to create a cross-account trust (via AssumeRole), but it's not at all that frequent.
My personal wish is for AWS to allow account _names_ instead of ID numbers in policies.
Yeah, error messages start to become more opaque as well which makes debugging even tougher, which is kind of the opposite of the point of using multiple accounts. But really, AWS not having proper namespaces in its constructs that’s ubiquitously supported (IAM paths were attempted. Attempted) hampers a lot of things
