diff --git a/.changes/next-release/enhancement-urllib3-72501.json b/.changes/next-release/enhancement-urllib3-72501.json
new file mode 100644
index 0000000000..bd76986460
--- /dev/null
+++ b/.changes/next-release/enhancement-urllib3-72501.json
@@ -0,0 +1,5 @@
+{
+  "type": "enhancement",
+  "category": "``urllib3``",
+  "description": "Added support for urllib3 2.2.1+ in Python 3.10+"
+}
diff --git a/setup.cfg b/setup.cfg
index d660076be5..e02f848897 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -6,7 +6,7 @@ requires_dist =
     jmespath>=0.7.1,<2.0.0
     python-dateutil>=2.1,<3.0.0
     urllib3>=1.25.4,<1.27; python_version<"3.10"
-    urllib3>=1.25.4,<2.1; python_version>="3.10"
+    urllib3>=1.25.4,!=2.2.0,<3; python_version>="3.10"
 
 [options.extras_require]
 crt = awscrt==0.19.19
diff --git a/setup.py b/setup.py
index 82cc63ed36..a9ca6130f5 100644
--- a/setup.py
+++ b/setup.py
@@ -25,8 +25,11 @@ def find_version(*file_paths):
 requires = [
     'jmespath>=0.7.1,<2.0.0',
     'python-dateutil>=2.1,<3.0.0',
+    # Prior to Python 3.10, Python doesn't require openssl 1.1.1
+    # but urllib3 2.0+ does. This means all botocore users will be
+    # broken by default on Amazon Linux 2 and AWS Lambda without this pin.
     'urllib3>=1.25.4,<1.27 ; python_version < "3.10"',
-    'urllib3>=1.25.4,<2.1 ; python_version >= "3.10"',
+    'urllib3>=1.25.4,!=2.2.0,<3 ; python_version >= "3.10"',
 ]
 
 extras_require = {