To store contract documents for a 5-year period ensuring they cannot be overwritten or deleted, Amazon S3 with S3 Object Lock in compliance mode (Option B) should be used. Compliance mode ensures that the data cannot be altered or deleted by any user, including the root user. For encryption at rest with automatic annual key rotation, server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys (Option D) is recommended. AWS KMS allows for automatic key rotation which reduces operational overhead. Hence, the correct answers are B and D.